摇摇记忆系统 (Yaoyao Memory System)

Security checks across malware telemetry and agentic risk

Overview

This memory skill is not clearly malicious, but it can persist and upload broad personal or project memory with weak consent and scope controls.

Install only if you intentionally want long-term assistant memory. Disable IMA sync unless needed, replace default note mappings with destinations you control, use a limited IMA key, review memory files before syncing, and avoid storing secrets, credentials, private identifiers, health, financial, or confidential business data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The documented trigger phrases for memory retrieval, writing, and syncing are broad, natural-language expressions that can easily occur in ordinary conversation. In an agent skill that performs persistent storage or external synchronization, this creates a real risk of unintended activation, causing sensitive user content to be saved or transmitted without clear, deliberate consent.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The README explicitly promotes persistent memory and states that IMA knowledge-base sync is enabled by default, but it does not provide prominent warnings about data retention, third-party transmission, or what types of content may be uploaded externally. In a memory system for AI assistants, this is dangerous because users may disclose sensitive personal, project, or credential-related information believing it remains local when it may be persisted and synced off-platform.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The memory-write triggers are broad enough that ordinary conversational phrases like 'record' or 'this is important' may cause the agent to persist information without clear, informed user consent. In a memory skill, unintended writes are dangerous because they can store sensitive personal or project data into local files that may later be searched, summarized, or synchronized externally.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The retrieval rule goes beyond explicit trigger phrases and allows the agent to search memory whenever it infers a question relates to prior discussion. That ambiguity can cause unnecessary access to stored personal information and increase the chance of disclosing unrelated prior context back to the user or into the model's reasoning flow.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill describes persistent writes to MEMORY.md, daily logs, learnings, and project knowledge files without a clear privacy warning that user information will be stored on disk. Users may disclose sensitive data believing the assistant is ephemeral, while the skill is designed to retain it across sessions.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The skill enables IMA synchronization by default and describes syncing user preferences, daily records, decisions, and project details to an external knowledge base without an explicit privacy warning or consent gate. This creates a direct exfiltration path for accumulated personal and organizational data beyond the local workspace, substantially raising confidentiality and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script reads local workspace files such as MEMORY.md and .learnings/*.md and sends their contents to the remote IMA API. While this appears to be the intended sync behavior rather than covert exfiltration, it is still a real security and privacy risk because users are not explicitly warned at execution time that potentially sensitive local knowledge files will be transmitted off-host.

Ssd 3

Severity: Medium
Confidence: 96%
Finding: The design explicitly supports collecting user preferences and daily records and synchronizing them to an external knowledge base, which establishes a natural-language data leakage channel. Because the skill is framed as a universal memory system and sync is default-enabled, the context makes the issue more dangerous: the feature is central, persistent, and likely to capture broad classes of sensitive information over time.

Ssd 3

Severity: Medium
Confidence: 93%
Finding: The memory-write rules broadly instruct the agent to persist important user information, decisions, lessons, and project details without meaningful sensitivity boundaries. In this skill context, that is risky because the stored corpus becomes searchable, summarizable, and potentially syncable, magnifying the effect of any accidental capture of sensitive content.

VirusTotal

67/67 vendors flagged this skill as clean.