Back to skill

Security audit

Fleet Memory Manager

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent memory tool, but it asks agents to build and reuse persistent personal profiles with too little user control in shared and automated contexts.

Review carefully before installing. Use it only in a trusted private workspace, do not store secrets in markdown memory files, remove USER.md loading from group/shared sessions unless explicitly opted in, review any nightly consolidation before it writes long-term memories, and disable email/calendar/weather heartbeat checks unless you intentionally want those integrations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (12)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly encourages storing user preferences, frustrations, and work habits in persistent memory, but it does not pair that guidance with a privacy notice, consent model, or data-minimization warning. In a memory-management skill, this omission is material because the feature is specifically designed to accumulate cross-session personal context, increasing the chance of over-collection and unintended disclosure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to configure a nightly consolidation cron that updates long-term memory automatically, but it does not clearly warn that this automation will persist and transform prior session content without manual review. That can lead to accidental retention of sensitive or irrelevant information and makes privacy mistakes self-reinforcing over time.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly tells the user to populate USER.md with personal preferences, frustrations, and work patterns, and later describes long-term memory as potentially containing health, financial, and other private context, but it does not present a clear privacy warning, minimization guidance, retention policy, or access-control advice. This encourages persistent storage of sensitive personal data in plain workspace files that may be read by the agent, included in context, synced, or exposed in shared environments.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The template explicitly instructs the agent to load and use a user profile every session and in group/channel sessions, while asserting it does not contain sensitive personal data. That encourages persistent profiling without consent, minimization, or access controls, increasing the chance of privacy leakage, overcollection, and inappropriate use of personal context in shared environments.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The profile fields solicit identifying and contextual personal data such as name, location/timezone, role, and background without any warning about necessity, sensitivity, or collection limits. Even if each field seems harmless alone, together they create a durable profile that can enable deanonymization, inference of habits, and broader privacy exposure.

Ssd 3

Medium
Confidence
96% confidence
Finding
The setup instructions direct users to populate USER.md with personal details including name, timezone, work style, and frustrations, which creates a persistent natural-language store of user-specific information. Because these files are meant to be repeatedly loaded into future sessions, they can become a durable source of privacy leakage, prompt overexposure, or inadvertent propagation into logs and downstream tools.

Ssd 3

Medium
Confidence
97% confidence
Finding
The 'Human Patterns' section encourages ongoing capture of tacit knowledge such as frustrations, activity patterns, and shortcuts, which semantically promotes broad profiling of a specific user. In a skill whose purpose is durable memory across sessions, this materially increases the risk of retaining sensitive personal context longer than needed and exposing it in unrelated interactions.

Ssd 3

Medium
Confidence
98% confidence
Finding
The README says the agent 'builds it up over time and never forgets it,' explicitly endorsing indefinite retention of user behavior and preferences. That is dangerous because persistent, accumulating personal context can be surfaced in later prompts, shared environments, backups, or model inputs well beyond the user's expectations.

Ssd 3

Medium
Confidence
94% confidence
Finding
The real-world example normalizes storing named individuals' preferences and communication style in long-term memory, reinforcing retention of identifiable personal information as an intended use case. This makes the privacy risk more concrete because the context is not abstract metadata but person-linked profiling data preserved across sessions and potentially across agents.

Ssd 3

Medium
Confidence
96% confidence
Finding
This template is designed to accumulate tacit knowledge about the user over time and explicitly says to load it across sessions, including group/channel sessions. Persistent cross-session memory of broad personal attributes materially increases privacy risk, makes accidental disclosure more likely in shared contexts, and can create sensitive behavioral profiles without clear governance.

Hidden Instructions

High
Category
Prompt Injection
Content
# HEARTBEAT.md — Heartbeat Configuration

<!--
=============================================================================
HEARTBEAT CONFIGURATION
=============================================================================
Confidence
92% confidence
Finding
<!-- ============================================================================= HEARTBEAT CONFIGURATION ============================================================================= Heartbeats are

Hidden Instructions

High
Category
Prompt Injection
Content
## Active Project Monitoring

<!--
Check these projects at most every 4 hours. Track last check in heartbeat-state.json.

For each project:
Confidence
94% confidence
Finding
<!-- Check these projects at most every 4 hours. Track last check in heartbeat-state.json. For each project: - If status is BLOCKED → surface the blocker to the human - If last updated > 48 hours

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.