Persistent Mind

Security checks across malware telemetry and agentic risk

Overview

PersistentMind is a disclosed local memory tool, but users should avoid saving secrets because stored memories can later be injected into prompts or exported.

Install only if you want durable local agent memory. Do not store passwords, API keys, tokens, private personal data, confidential business details, or secret locations in this memory store. Review context returned by get_context() before sending it to a model, and treat exported or imported memory JSON as sensitive and untrusted until reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Missing User Warnings

Medium
Confidence: 87%
Finding
The README explicitly encourages persistent storage of facts, preferences, corrections, and procedures across sessions and projects, but provides no warning not to store secrets, personal data, or regulated information. In a memory-management skill whose core purpose is retaining and reinjecting context, omission of safe-handling guidance materially increases the chance that users will persist sensitive data unintentionally.

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill explicitly demonstrates storing a secret API key as a persisted memory item and later presents memory content as prompt context. In a memory skill, examples strongly shape user behavior, so this normalizes retention of credentials in a system designed to resurface data across sessions, increasing the risk of accidental disclosure to future prompts, logs, exports, or team-shared memory files.

Missing User Warnings

Medium
Confidence: 88%
Finding
The manifest advertises persistent storage, export/import, deletion, and direct prompt-context injection but does not disclose operational safeguards such as confirmation prompts, overwrite behavior, sensitivity handling, or prompt-safety boundaries. In a memory skill, these capabilities can expose private data, enable accidental destructive actions, or cause untrusted stored content to be injected into future prompts, so the omission is a meaningful security and safety weakness rather than a purely cosmetic documentation issue.

Missing User Warnings

Medium
Confidence: 93%
Finding
The `forget` capability explicitly supports permanent deletion, but the manifest gives no indication that the operation requires confirmation, supports recovery, or distinguishes archive from irreversible delete clearly enough for safe use. For a persistence tool, that creates a realistic risk of accidental loss of user data or abuse by downstream agents invoking the function without adequate human awareness.

Missing User Warnings

Medium
Confidence: 95%
Finding
Export and import of agent memory are sensitive operations because they can leak private information to files intended for sharing and can also overwrite, merge, or poison an existing memory store with untrusted content. The manifest presents these functions as simple backup/team-sharing features without warning about confidentiality, provenance, schema validation, or overwrite risks, which materially increases the chance of unsafe use.

Missing User Warnings

Medium
Confidence: 93%
Finding
The class automatically creates a local storage directory and persists memories to JSON without any built-in user notice, consent flow, or sensitivity guidance. Because this component is explicitly designed to store cross-session context, it can silently retain personal data, secrets, or project-sensitive information on disk longer than users expect.

Missing User Warnings

Medium
Confidence: 94%
Finding
The export feature writes all selected memories to a shareable JSON file with no warning, review step, or sensitivity screening. Since memories may include user preferences, project context, corrections, or operational details, exporting can easily disclose confidential or personal information to unintended recipients.

Missing User Warnings

Medium
Confidence: 90%
Finding
The demo encourages storing credential-adjacent information by placing a database connection-string reference from a .env file into persistent memory without any caution. In an agent memory system, examples strongly shape usage, so this can normalize persisting secret locations or even secrets themselves into long-lived searchable storage.

Ssd 3

Medium
Confidence: 91%
Finding
The skill advertises that stored memories are injected directly into prompts via `get_context()`, which means any sensitive information placed in memory can later be surfaced to the model and potentially echoed in outputs, logs, or downstream tools. Because this project is specifically designed to persist and reuse context automatically, the surrounding skill context makes accidental disclosure more likely, not less.

Ssd 3

Medium
Confidence: 84%
Finding
The example injected context includes `Connection string in .env as DATABASE_URL`, which normalizes placing credential-adjacent configuration details into prompt-ready memory. Even though it does not reveal the secret value itself, it encourages storing infrastructure and secret-location metadata that can aid prompt leakage, lateral discovery, or accidental disclosure in model responses.

Ssd 3

High
Confidence: 99%
Finding
This is a true vulnerability because the skill not only stores a secret example but also shows `get_context()` formatting that memory back into prompts, effectively teaching credential reinjection into downstream model interactions. In the context of an agent memory product, persistent recall, prompt prepending, export/import, and team sharing materially amplify exposure by propagating secrets beyond their original storage location.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal