Back to skill

Security audit

HedgehogMemory

Security checks across malware telemetry and agentic risk

Overview

This memory skill is coherent, but it needs Review because it is designed to retain recoverable session history indefinitely and can send memory content to external LLM providers when configured.

Install only if you intentionally want durable cross-session agent memory. Use a dedicated HEDGEHOG_MEMORY_PATH, do not commit secrets or raw sensitive transcripts, prefer the built-in local keyword summarizer for confidential work, and treat origin.json as sensitive data that may need manual review, backup, redaction, or deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes capabilities to read/write local persistent storage and optionally use a networked OpenAI backend, but the manifest does not declare corresponding permissions. This creates a transparency and governance gap: users and platforms may approve the skill without understanding that it can persist transcripts locally and transmit content externally when configured.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow instructs agents to commit the complete session transcript to persistent storage without a prominent warning about retention, privacy, or data minimization. Users may unknowingly store secrets, personal data, or regulated information indefinitely, especially since the skill advertises that memory is never deleted.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The OpenAI summarizer example uses an external provider API but does not clearly warn that session-derived content may be transmitted off-device for summarization. This omission can lead operators to send sensitive memory contents to a third party without informed consent or policy review.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
OpenAISummarizer.summarize sends the full input text and optional context hint to a remote OpenAI-compatible API. In a memory system, that text may contain sensitive conversation history, credentials, personal data, or internal task context, so transmitting it externally without explicit consent, redaction, or clear disclosure creates a real confidentiality risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
OpenAISummarizer.verify_match transmits both the user query and stored node summary to an external model for semantic matching. Those fields can reveal user intents and retained memory contents, so this creates an outbound data exposure path even when the caller may expect matching to be purely local.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
LiteLLMSummarizer.summarize forwards raw text to an arbitrary LiteLLM-configured backend, which may route data to many third-party providers with different retention, logging, and geographic handling policies. Because the destination is generic and potentially less controlled than a single known provider, the chance of unintended disclosure or policy mismatch is higher.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
LiteLLMSummarizer.verify_match sends query and summary data to whichever external provider LiteLLM is configured to use. Since memory summaries can encapsulate persistent historical context, this creates a semantic leakage channel to arbitrary external services without any built-in warning, trust boundary enforcement, or data classification checks.

Ssd 3

Medium
Confidence
96% confidence
Finding
The design guarantees that prior content is retained and recoverable verbatim, and that compact memory summaries are always loaded into context. In an agent setting, this increases the chance that sensitive prior inputs, credentials, or adversarial prompt content are resurfaced into future prompts where they can influence behavior or be disclosed.

Ssd 3

High
Confidence
98% confidence
Finding
The commit example explicitly tells agents to save the full session log, creating a straightforward path to store sensitive user inputs, system prompts, tokens, or confidential outputs in plain form. Once retained, those transcripts can later be recalled, leaked, or used to contaminate future sessions.

Ssd 3

High
Confidence
99% confidence
Finding
The documented workflow normalizes always loading memory into prompts at session start and persisting full session logs at session end. This compounds two risks: cross-session prompt injection from previously stored content and long-term accumulation of sensitive data that can be replayed into unrelated future tasks.

Ssd 3

Medium
Confidence
96% confidence
Finding
The OpenAI-backed implementation includes the original text verbatim in the prompt for summarization and uses plain-language query/summary content for matching. In a product described as persistent memory, raw memory content is especially likely to contain sensitive long-lived data, making verbatim forwarding a concrete data-leak risk rather than a theoretical concern.

Ssd 3

Medium
Confidence
99% confidence
Finding
The LiteLLM path transmits raw user/task text to arbitrary configured providers, expanding the trust boundary beyond the application and making accidental exfiltration easier. Given this skill's purpose as 'infinite persistent memory,' the affected data is likely richer and more sensitive than ordinary prompts, which makes uncontrolled semantic leakage more dangerous in context.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.