Security audit

Recall Local

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local memory search tool, but it exposes sensitive agent memory through an unauthenticated HTTP server that listens on all network interfaces and can be installed as a persistent login service.

Review before installing. Use only if you are comfortable with local agent memory being searchable over HTTP. Prefer changing the listener to 127.0.0.1, adding access controls, and avoiding the LaunchAgent unless you intentionally want the server to run at login.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The server binds to 0.0.0.0, making an interface described as 'local memory search' reachable from other hosts on the network, not just the local machine. Because it serves MEMORY.md, WORKING.md, and memory logs with no authentication, any reachable client could query and exfiltrate sensitive agent history, secrets, or operational context.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The code comments and UI claim the service is at localhost and 'local & private,' but the actual listener is 0.0.0.0. This mismatch is dangerous because operators may trust the interface as private and unknowingly expose sensitive memory data to the LAN or any forwarded interface.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation guidance is extremely broad, encouraging use for general memory retrieval and even setup/restart actions. Overbroad routing increases the chance an agent invokes a skill that makes system changes or exposes sensitive historical data in routine workflows without deliberate user consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The setup section instructs the user to install a LaunchAgent and copy binaries into a tools directory, which are persistent system modifications, but the description does not prominently warn about this. That omission can lead users or agents to apply the setup casually, creating long-lived background behavior without informed consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This skill indexes and serves highly sensitive local memory files over HTTP, yet presents them as private and gives no warning that the service may be reachable by network clients. In this skill context, the data is especially sensitive because 'memory' likely contains prior session notes, decisions, bugs, credentials, and internal operational details useful for lateral movement or prompt/context theft.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.