Memos Cloud Server

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed MemOS Cloud memory skill, but it automatically sends and stores every conversation turn in an external service and includes direct delete operations without strong confirmation controls.

Install only if you want a third-party MemOS Cloud service to receive and retain your chat content by default. Avoid using it in chats containing secrets, regulated data, or private documents unless your deployment policy allows that, and be careful with delete commands and knowledge-base uploads because the artifact does not show strong confirmation or recovery controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill mandates automatic memory search before every answer and automatic persistence after every turn without requiring user opt-in or a prominent privacy notice. This can cause continuous collection and external transmission of user content, including sensitive personal data, in contexts where the user reasonably expects a normal conversation rather than background retention.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The deletion workflow enables destructive removal of memories but does not require an explicit irreversible-action warning or confirmation step. Users or upstream agents could trigger permanent data loss accidentally, especially when deletion occurs after search-based selection of matching memory IDs.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This client sends arbitrary payload data to an external MemOS Cloud service and automatically appends a source tag, but there is no user-facing consent, disclosure, or data-minimization control in this code path. In the context of a long-term memory skill explicitly intended to run proactively on every user turn, this creates a real privacy and data-exfiltration risk because potentially sensitive conversation content may be transmitted off-platform by default.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The function reads arbitrary local files from a provided path and packages their full contents into a transferable payload, with no consent check, path restriction, or indication that sensitive local data may be exfiltrated. In the context of a memory/knowledge-base cloud skill that proactively uploads data, this increases the risk that prompt-controlled or user-mistaken file paths could cause unintended disclosure of secrets such as SSH keys, config files, tokens, or private documents.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
This file sends user messages, feedback, searches, and profile-related data to an external cloud service via multiple client.post calls, but it contains no guardrails for user consent, disclosure, minimization, or sensitivity checks. In the context of a long-term memory skill that is meant to run proactively on every user turn, this creates a real privacy and data-exfiltration risk because potentially sensitive conversation content may be transmitted off-platform automatically.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
delete_memory performs an immediate destructive remote operation with only a memory_ids_str parameter and no confirmation, authorization context, or safety interlock visible in this layer. In a memory-management skill, accidental or prompt-induced invocation could irreversibly remove stored user data, making this a genuine integrity and availability issue.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
delete_kb_documents allows direct deletion of knowledge-base files without any visible confirmation or contextual checks in this function. Because this skill manages persistent external knowledge stores, a mistaken or adversarially triggered call could cause loss of user or organizational documents.

Missing User Warnings

Severity: High
Confidence: 90%
Finding
remove_knowledge_base issues a direct delete request for an entire knowledge base with no visible confirmation, dependency check, or recovery mechanism in this file. Given the skill's role in long-term memory and document management, deletion of a whole knowledge base can produce broad, potentially irreversible data loss and is especially dangerous if exposed to automated or ambiguous agent actions.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The skill instructs the agent to retain and persist every user turn automatically, which materially expands data collection beyond what is necessary for many interactions. Because the data is sent to an external memory service and retained over time, this increases exposure of sensitive, regulated, or incidental personal information without minimization.

Ssd 3

Severity: Medium
Confidence: 88%
Finding
The instruction to capture and keep the first user message of each session in working notes creates extra retention of raw conversational content solely to derive a stable conversation identifier. If the first message contains sensitive information, that content is repeatedly reused and may be exposed more broadly than needed for session linkage.

VirusTotal

VirusTotal findings are pending for this skill version.