Security audit

Threadline — Persistent Memory and Context Layer for AI Agents

Security checks across malware telemetry and agentic risk

Overview

Threadline is a coherent memory-service skill, but it needs review because it encourages sending and storing broad user conversations and sensitive inferred context in a third-party service.

Install only if you intentionally want a third-party persistent memory layer. Before using it with real users, disclose that prompts, responses, and inferred context may be sent to Threadline; get opt-in consent; avoid secrets and regulated data; limit enabled scopes, especially emotional or relationship data; and verify retention, export, deletion, and prompt-safety controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium (94% confidence)
Finding
The skill explicitly promotes persistent storage of user context 'forever' and describes storing preferences, projects, and other personal context, but it does not include a prominent user-facing privacy warning, consent requirement, or guidance on handling sensitive data. In the context of an agent skill, this can cause developers to unknowingly route personal and conversational data to a third-party memory service without adequate disclosure or data-minimization controls.

Missing User Warnings

Medium (97% confidence)
Finding
The examples send full user messages and full agent responses to the remote Threadline API via update(), which can include secrets, credentials, personal data, or regulated content. Because the examples are copy-pasteable and lack any caution about external sharing, developers may unintentionally exfiltrate sensitive conversations to a third party.

Missing User Warnings

High (98% confidence)
Finding
The documentation encourages storage of highly sensitive inferred categories such as emotional state and key relationships, which can reveal mental health signals, interpersonal networks, and other sensitive personal attributes. Presenting these categories as normal memory scopes without strong cautions, consent requirements, or restrictions materially increases privacy risk and the chance of over-collection.

VirusTotal

65/65 vendors flagged this skill as clean.