basal-ganglia-memory

Security checks across malware telemetry and agentic risk

Overview

This is a non-executable, under-development memory skill that discloses future SkillBoss API-key use but does not currently run code or transmit data.

This version is safe to treat as a placeholder. Before installing or enabling a future implemented version, check what data it sends to SkillBoss, how that data is stored or retained, what the API key permits, and whether learned habits can be reviewed, disabled, or reset.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill documentation states that all AI capabilities will use a remote SkillBoss API and an API key, but it does not clearly warn users that prompts, memory content, habits, or other potentially sensitive agent data may be transmitted off-host. In a memory-oriented skill, that omission is more concerning because the feature domain strongly suggests collection and persistence of behavioral or contextual data, creating privacy and data-governance risk if users are not explicitly informed.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal