Mem0 1.0.0

Security checks across malware telemetry and agentic risk

Overview

This is a coherent memory skill, but it stores conversational context persistently and uses OpenAI processing, so users should enable it deliberately.

Install only if you want persistent conversational memory. Confirm that users know stored memories and search/add content may be processed by OpenAI and retained locally. Avoid storing secrets or sensitive personal data, configure the user ID for your deployment, and periodically review listed memories. Be careful with `--all` deletion, because the script does not ask for confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 81%
Finding:
The skill documentation instructs use of environment-backed capabilities via OpenAI API access (`OPENAI_API_KEY`) and local storage, but does not declare permissions accordingly. Hidden or undeclared capabilities reduce transparency for reviewers and users, making it easier for a memory skill to access external services or persisted data without clear consent boundaries.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding:
The declared description focuses on conversational memory storage and retrieval, but the body also documents bulk listing, targeted deletion, full-user deletion, use of OpenAI APIs, and persistence in a local history database. This mismatch is dangerous because operators may approve or invoke the skill expecting benign memory assistance while it also enables broader data management and external data transfer behaviors.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The skill description emphasizes conversational memory, but the implementation also sends data to external OpenAI services for embeddings/LLM processing and persists history in a local database under the user's home directory. This creates a privacy and data-governance risk because user memories, preferences, and context may be stored longer than expected and processed by a third party without explicit disclosure or consent in the manifest.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The script allows bulk deletion of memories for any user by combining `--all` with an arbitrary `--user=` value, with no authorization or ownership checks in this file. In a memory skill whose purpose is storing and retrieving conversational context, exposing unrestricted cross-user deletion expands capability into destructive administration and could enable accidental or unauthorized data loss if the script is accessible to agents or operators.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The activation guidance is broad enough to trigger memory search and storage during normal conversation whenever the system infers preferences or patterns. That increases the chance of collecting and reusing personal data without clear, specific consent, especially in a cross-conversation memory system.

Missing User Warnings

Severity: High
Confidence: 95%
Finding:
The skill advertises automatic learning and recall of user preferences and context across all interactions, yet does not present a clear user-facing privacy notice, consent flow, retention policy, or disclosure of external processing. In a memory skill, this context makes the issue more serious because it directly concerns persistent profiling across sessions.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The documented deletion commands include both per-record and delete-all operations but provide no explicit warning that these actions are irreversible. This can lead to accidental destruction of user memory data, which is especially risky in a persistence-oriented skill where stored context may be operationally important.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The guidance encourages automatic storage of conversation context, personal facts, patterns, and corrections, but it does not require user notice, consent, retention limits, or review controls. In a memory skill whose purpose is to persist user data across conversations, this creates a real privacy risk because users may have sensitive personal information stored unexpectedly and reused later.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The configuration notes state that OpenAI embeddings and an OpenAI LLM are used for extraction, which implies conversation-derived data may be transmitted to external services, yet the document provides no warning, consent requirement, or data-handling constraints. This is particularly risky in a memory system because stored or searched conversational data can contain personal preferences, facts, and other sensitive context.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
`deleteAll({ userId })` performs irreversible bulk deletion immediately, without an interactive confirmation step, dry-run preview, or secondary safeguard. This makes operator mistakes, bad parameterization, or accidental invocation much more likely to wipe a user's entire memory set, which is especially risky for a persistent memory component intended to preserve user context across conversations.

VirusTotal

64/64 vendors flagged this skill as clean.
