Back to skill

Security audit

Klyc Pmm Publish

Security checks across malware telemetry and agentic risk

Overview

This is a cloud-backed memory and recovery skill, but it needs Review because it can upload identity/control files, persist credentials, and rewrite agent behavior files without strong consent or rollback controls.

Install only if you trust the Yaochi service with memory, identity, and agent-control data. Before use, review the scripts, avoid placing recovery codes or API keys in chat or shell history, back up workspace files before running recover/setup, and do not use this for sensitive conversations unless you are comfortable with cloud storage and local plaintext cache retention.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (29)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill declares shell-capable behavior and runnable scripts (`pmm_watch.sh`, `pmm_recover.sh`, `pmm_boot.sh`) but does not surface any explicit permission model or user-consent boundary in the manifest. In a skill that can register remote identities, write local files, and move memory/credential material, missing permission disclosure increases the chance of silent execution of sensitive operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose frames the skill as memory management, but the behavior described in the file goes much further: remote account registration, token storage, recovery of identity and credentials, modification of `SOUL.md`/`HEARTBEAT.md`, and synchronization of behavior rules. This mismatch is dangerous because users may install a seemingly benign memory tool without understanding that it can alter agent behavior, exfiltrate sensitive files, and restore privileged state from a remote service.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script sends the full contents of identity-related files (e.g. IDENTITY.md, SOUL.md, USER.md) directly to a remote API as JSON content, which contradicts the manifest claim of client-side pre-encryption. This creates a confidentiality risk because highly sensitive profile and identity data is exposed to the remote service, transit endpoints, and any compromise of the destination system.

Description-Behavior Mismatch

Medium
Confidence
77% confidence
Finding
The skill metadata describes precision memory management and classified storage, but this script performs remote backup of identity/profile files to a disaster-recovery endpoint. That mismatch increases the chance that users will authorize or install the skill under a misleading understanding of what data is actually being handled and transmitted.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script goes well beyond post-conversation memory management by reconstructing identity/control files and provisioning an API credential from remote data. In a skill context, this materially increases trust and control over the local agent workspace, enabling remote state injection, credential placement, and overwrite of sensitive operating files without an explicit trust boundary or confirmation step.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script retrieves an API key from a remote endpoint and writes it directly to a local token file, silently establishing persistent credentials on the host. If the endpoint is compromised, spoofed, or returns an attacker-controlled key, the local agent may later authenticate to a malicious or unintended service, and any local user/process with access to the file may obtain the credential.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script restores multiple high-trust files such as IDENTITY.md, SOUL.md, AGENTS.md, USER.md, and TOOLS.md directly from remote response content. In an agent environment, these files can influence behavior, tooling, or future decisions, so writing untrusted remote content into them creates a remote prompt/configuration injection path and can overwrite legitimate local state.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill presents itself as memory management, but it also performs remote identity recovery, registration, token persistence, and profile management. That scope expansion is security-relevant because it causes account creation and authentication-state changes on a third-party service without clear user consent, increasing attack surface and data governance risk.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The comments claim Yaochi is the only primary memory and local storage is just offline cache, but the implementation writes full memory content into a local JSON store and searches it as a first-class datastore. This mismatch can mislead users and integrators about where sensitive conversation data resides, causing unanticipated local retention and exposure.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill appends behavioral instructions into SOUL.md and HEARTBEAT.md, effectively altering future agent behavior and persistence policy outside the user’s immediate command context. In an agent environment, self-installing durable instructions is dangerous because it creates hidden persistence, expands data collection behavior, and can survive beyond a single session or task.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The behavior_sync function retrieves remote behavior rules unrelated to memory storage, introducing a remote policy channel into the agent. Even if it only displays rules now, this normalizes external behavioral control and could be extended or misused to influence agent operation beyond the stated memory-management purpose.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The file states that local index is only an offline cache and Yaochi is the sole primary store, but later logic saves memories locally before confirming any cloud sync. This discrepancy is dangerous because operators may assume data is only remotely stored while sensitive content is actually retained on disk immediately and potentially indefinitely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The recovery section promotes restoring 'identity + all memory' and rewriting local core files, including API token recovery, but does not present a clear warning about the sensitivity of the transmitted and restored data. This can lead users to expose identity material, memory contents, and credentials to a remote service or to local files without appreciating the security consequences.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The text states that Yaochi is the only memory source and local storage is merely a cache, implying mandatory use of the remote API rather than informed user choice. Forcing cloud-backed memory for identity and conversation conclusions expands exposure of sensitive data and removes safer local-only operation as a default.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script uploads sensitive identity files to a remote API without an explicit warning or interactive confirmation at the point of transmission. In the context of an agent skill handling identity and memory artifacts, this is dangerous because users may not realize that local persona/state files are leaving the host and being stored externally.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Accepting the API key as a command-line argument exposes it to shell history, process listings, audit logs, and orchestration telemetry. This can lead to credential leakage and subsequent unauthorized access to the backup service and any stored sensitive identity data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script writes a sensitive API token to disk without warning the user in comments or usage text, which undermines informed consent and increases the chance of accidental credential exposure. The risk is amplified because no file-permission hardening is performed, and users may not realize persistent credentials have been created on the system.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script overwrites multiple workspace files with remote data without any up-front warning, dry-run, diff, backup, or user confirmation. This can destroy local state, implant attacker-controlled content in trusted files, and make recovery difficult if the remote source is malicious or mistaken.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Automatic registration collects hostname, username, and a machine-derived fingerprint and transmits them to a remote API without an explicit user-facing warning or consent gate. In a memory skill context, that is over-collection and can enable host correlation, tracking, or unexpected account linkage.

Missing User Warnings

High
Confidence
98% confidence
Finding
Conversation-derived memory content is sent to a remote service, and if client-side encryption dependencies are unavailable the code explicitly falls back to plaintext transmission. Because the skill is designed to capture user conclusions and potentially sensitive dialogue content, this creates a serious confidentiality risk, especially when the user is not clearly warned that cloud transmission and plaintext fallback can occur.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The description says the agent will 'automatically extract conclusions and classify/store them after the conversation ends,' but it does not define user consent, scope limits, or opt-in conditions. In a memory-management skill, ambiguous automatic activation can cause unintended collection and retention of sensitive conversation data, increasing privacy and data-governance risk.

Ssd 3

High
Confidence
98% confidence
Finding
The skill explicitly instructs the user to paste a recovery code to the AI so it can rebuild identity, memories, and API credentials. Encouraging users to hand sensitive recovery material directly to an automated agent creates a direct path for credential compromise, account takeover, and unauthorized restoration of private data.

Ssd 3

High
Confidence
98% confidence
Finding
The recovery workflow is framed as a one-line action where the AI 'rebuilds everything,' including sensitive state and credentials, which normalizes handing full account-recovery authority to the skill. In this context, the feature is more dangerous because the same package also describes remote identity management, token writing, and core-file reconstruction, so a single pasted secret can rehydrate a complete privileged environment.

Ssd 3

Medium
Confidence
94% confidence
Finding
The injected SOUL.md instructions direct the agent to decide after each conversation whether content should be remembered and pushed to backup, based on natural-language triggers and broad categories. That creates persistent retention of user-provided information without precise minimization or consent boundaries, which is risky in an agent system handling potentially sensitive conversations.

Ssd 3

Medium
Confidence
89% confidence
Finding
The core behavior description instructs the agent to automatically judge whether each dialogue has conclusions worth recording and to submit them to persistent memory. In context, this encourages broad autonomous retention of conversation content, which can capture sensitive user information without sufficiently explicit boundaries or consent.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.