lean4-memories

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Lean 4 proof-memory skill whose main risk is intentional persistence of project proof context and preferences.

Install only if you want persistent Lean 4 proof memory and you trust the configured MCP memory server. Treat stored paths, theorem names, proof details, and preferences as potentially sensitive; review or clear memories periodically and avoid storing secrets or confidential project identifiers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The module documentation claims this helper provides MCP memory operations and is intended for programmatic use, but every operation is only simulated with console output. In an agent skill context, that mismatch can cause the agent or operator to believe persistence, retrieval, and failure-avoidance memory are active when they are not, leading to unsafe reliance on nonexistent state and potentially leaking sensitive proof/project details to stdout instead of a protected backend.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly instructs persistent storage of project-specific data, failed attempts, theorem relationships, and user preferences across sessions, but it does not provide any clear privacy notice, retention limits, review workflow, or guidance on avoiding sensitive data. In practice, this can cause unbounded accumulation of potentially sensitive repository paths, work history, and preference data in an external MCP memory service, increasing privacy and data-governance risk if the memory store is shared, synced, or later exposed.

Missing User Warnings

Medium
Confidence: 95%
Finding
The examples explicitly encourage storing absolute project paths and user preferences in persistent memory, which can capture sensitive local filesystem information and behavioral/profile data without any minimization, consent, retention, or privacy guidance. In a cross-session memory skill, this increases the chance of unnecessary collection and later exposure of personal or environment-specific data.

Missing User Warnings

Medium
Confidence: 89%
Finding
The pruning example shows automatic deletion of memories based on confidence and age, with no review, confirmation, backup, or audit trail guidance. For a persistent memory system, this can silently destroy user-important context or provenance data, creating integrity and availability risks and making mistakes hard to recover from.

VirusTotal

67/67 vendors flagged this skill as clean.