Back to skill

Security audit

Memories Api

Security checks across malware telemetry and agentic risk

Overview

This video API skill is broadly legitimate, but it bundles a hardcoded API key and can send async transcript results to a default webhook the user did not choose.

Review carefully before installing. Use only your own MEMORIES_API_KEY, avoid the helper script unless the embedded key and default webhook are removed, provide a webhook you control for async jobs, and require explicit approval before uploading local media, downloading remote files, deleting assets, or using human re-identification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The documentation exposes a human re-identification capability that is materially more sensitive than the skill’s stated scope of transcription, embeddings, analysis, and editing. This mismatch can cause downstream agents or users to invoke biometric tracking features without informed consent, policy review, or appropriate safeguards, increasing privacy and compliance risk.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The reference documents powerful capabilities well beyond the declared skill purpose, including upload/storage management, live stream processing, and person-tracking. In an agent context, overbroad documented capabilities can enable unintended tool use, privilege expansion, and access to sensitive or destructive operations that users may not reasonably expect from a video-intelligence skill.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Human re-identification is a sensitive surveillance capability involving biometric/person-tracking use that is not justified by the stated skill purpose. In an agent-integrated skill, exposing this endpoint increases the risk of covert tracking, privacy violations, and regulatory noncompliance, especially if an agent can invoke it on arbitrary videos and reference images.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The code silently assigns a built-in external webhook URL when the user does not provide one, causing transcript job results to be sent to a third-party endpoint outside the user's control. In a video-intelligence skill, transcripts and derived content may contain sensitive or proprietary information, so unsolicited callback delivery materially increases data exfiltration risk.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The helper claims to obtain credentials from the environment or documentation, but actually embeds a live-looking fallback API key directly in source code. Hardcoded secrets are dangerous because they can be extracted by anyone with code access, reused without authorization, and are difficult to rotate once distributed.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill documents `client.delete_asset(asset_id)` without any warning that the operation is destructive and may permanently remove user data. In agentic contexts, undocumented destructive operations increase the risk of accidental deletion or misuse when the model invokes capabilities on behalf of a user.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill includes upload, download, and webhook/callback functionality that can transfer local files or external media to third parties and receive data back, but it does not prominently warn about privacy, data handling, or trust boundaries. In a security-sensitive agent environment, this can lead to users unintentionally sending sensitive content to external services or storing untrusted remote content locally.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The API reference repeatedly instructs users to send video URLs, image URLs, stream URLs, and callback endpoints to remote services, but provides no warning about data transmission, retention, third-party processing, or webhook exposure. In a skill context, this omission can lead users to submit sensitive media or internal URLs without understanding the privacy, confidentiality, and SSRF-like risks of remote fetching and callback handling.

Missing User Warnings

High
Confidence
96% confidence
Finding
Documenting human re-identification without any warning about biometric sensitivity normalizes a surveillance-capable feature and may encourage use on identifiable individuals without consent. Because re-identification processes face/reference images to track people across videos, misuse can cause severe privacy harm and trigger legal or regulatory violations in many jurisdictions.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation exposes a destructive delete endpoint without warning that deletion may be irreversible or require confirmation. In an agent workflow, this omission makes accidental or prompt-induced destructive actions more likely, potentially causing permanent loss of stored assets.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The ReID endpoint is documented without any privacy warning despite processing highly sensitive biometric/person-tracking data. This is dangerous because users and downstream agents may invoke it without understanding the surveillance implications, consent requirements, retention risks, or legal constraints around biometric processing.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script contains a hardcoded default API key, which exposes sensitive credentials to any reader or downstream consumer of the skill. This enables unauthorized API use, quota abuse, impersonation of legitimate traffic, and possible access to associated account data or billing.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The async transcript flow transmits a callback URL to the remote service, and if omitted, substitutes a built-in external webhook. This can redirect transcript results to an unintended destination and may leak processing metadata or content without clear user awareness.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal