Llm Memory Publish

Security checks across malware telemetry and agentic risk

Overview

This skill openly describes memory features, but it automatically downloads and checks extra private code in a way users should review before installing.

Install only if you are comfortable with the skill contacting cnb.cool during install/startup and placing unpinned private repository contents under the skill directory. Prefer a version that vendors or pins the private package, verifies signatures or checksums, validates install paths, and makes remote installation and startup checks explicit opt-in steps.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (25)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
result["current_commit"] = current.stdout.strip()[:8]
        
        # Get the latest remote commit (without pulling)
        subprocess.run(
            ["git", "fetch", "--dry-run"],
            cwd=str(privileged_dir),
            capture_output=True,
Confidence
89% confidence
Finding
subprocess.run( ["git", "fetch", "--dry-run"], cwd=str(privileged_dir), capture_output=True, text=True, timeout=30 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
shutil.rmtree(target_dir)
        
        # Clone the repository
        result = subprocess.run(
            ["git", "clone", "--depth", "1", url, str(target_dir)],
            capture_output=True,
            text=True,
Confidence
95% confidence
Finding
result = subprocess.run( ["git", "clone", "--depth", "1", url, str(target_dir)], capture_output=True, text=True, timeout=120 )

Tainted flow: 'privileged_dir' from os.environ.get (line 133, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
result["current_commit"] = current.stdout.strip()[:8]
        
        # Get the latest remote commit (without pulling)
        subprocess.run(
            ["git", "fetch", "--dry-run"],
            cwd=str(privileged_dir),
            capture_output=True,
Confidence
92% confidence
Finding
subprocess.run( ["git", "fetch", "--dry-run"], cwd=str(privileged_dir), capture_output=True, text=True, timeout=30 )

Tainted flow: 'log_file' from os.environ.get (line 115, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
"""Write the startup log"""
    log_file = skill_dir / ".privileged_status.log"
    
    with open(log_file, "w") as f:
        f.write(f"timestamp: {datetime.now().isoformat()}\n")
        f.write(f"exists: {status['exists']}\n")
        f.write(f"has_git: {status['has_git']}\n")
Confidence
88% confidence
Finding
with open(log_file, "w") as f:

Tainted flow: 'log_file' from os.environ.get (line 135, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
"""Write the install log"""
    log_file = skill_dir / ".privileged_install.log"
    
    with open(log_file, "w") as f:
        f.write(f"timestamp: {datetime.now().isoformat()}\n")
        f.write(f"architecture: {arch}\n")
        f.write(f"success: {success}\n")
Confidence
89% confidence
Finding
with open(log_file, "w") as f:

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill advertises an interface layer with automation hooks, but the file also discloses automatic install/startup network activity, cloning of a private package, and additional local storage behavior that materially changes the trust model. Pulling and executing functionality from an external private repository during lifecycle hooks creates a supply-chain risk because users cannot fully audit the code that will be installed and updated on their systems.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The document makes a strong safety claim that the public package has no network access or subprocess behavior, yet the described installation flow explicitly performs a remote `git clone`, which necessarily involves network access and typically subprocess execution. This mismatch is dangerous because it conceals code acquisition behavior from users and reviewers, reducing informed consent and increasing the chance that unreviewed remote code is introduced into the environment.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill is presented as an interface layer with automation hooks, but the architecture explicitly states that installation will silently pull a private enhancement package from a remote repository. Hidden remote code retrieval during install is a serious supply-chain risk because users may believe they are installing only the reviewed public package while actually receiving additional unreviewed code.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The documented behavior adds a hidden mechanism for acquiring code from a private remote source, which is not necessary for a memory integration skill's core stated purpose. Because the fetched package can include code execution, subprocesses, and network access, this creates a broad and hard-to-audit trust expansion that could be abused for supply-chain compromise or unauthorized capability escalation.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The document makes an explicit safety claim that the public package has 'no network access' while the same skill design introduces a postinstall hook that clones a private package from an external CNB repository. This kind of contradictory disclosure is dangerous because it can mislead reviewers and users about runtime behavior, reducing scrutiny of network activity and hidden code delivery during installation.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
Claiming that users do not need to know about the private package's existence while automatically retrieving and deploying it reduces transparency around software provenance and installed functionality. Hidden dependency installation makes it harder for users to assess trust, audit changes, or detect unexpected code introduction.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is presented as an interface layer with automation hooks, but the documented behavior materially expands its scope to downloading and deploying a private enhancement package from an external repository. This mismatch is security-relevant because users may install the skill under false assumptions about what code will be introduced and executed in their environment.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The README documents an install-time hook that automatically executes, detects architecture, clones a private package from a remote CNB repository, and deploys it into the skill directory. That behavior materially expands the skill’s effective capabilities beyond a simple memory-integration interface and creates a supply-chain execution path in which unreviewed remote code or content can be introduced during installation.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
A startup hook that performs network-based update checks on every gateway launch introduces recurring outbound communication and a persistent supply-chain touchpoint unrelated to the core memory-integration purpose described here. Even if it only checks for updates, it creates unnecessary trust in a remote repository and increases exposure to tracking, tampering, or future behavior expansion.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill metadata says installation will automatically pull a private enhancement package from a CNB repository, while this startup hook instead performs status checks and a networked fetch-dry-run during service startup. That mismatch is dangerous because operators may misunderstand when network activity occurs and what automation is actually happening, weakening informed consent and security review.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The security documentation claims the hook only checks local files and Git state and does not auto-update, but the code performs `git fetch --dry-run`, which can contact remote servers. Misrepresenting network behavior in security documentation is risky because it can bypass scrutiny, violate user expectations, and permit covert outbound communications from an auto-executed startup hook.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The advertised skill is an interface layer with hooks, but the post-install logic materially changes behavior by fetching and installing an additional private package from a remote repository. This hidden expansion of trust boundary is dangerous because users reviewing the skill may not expect remote code retrieval or understand that extra components are being introduced outside the packaged artifact.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The security notes state the hook does not modify system configuration, but the implementation deletes and replaces directories under a path influenced by an environment variable. This mismatch is risky because it downplays destructive filesystem behavior and may mislead reviewers or users into granting trust they would not otherwise give, especially since `shutil.rmtree` can recursively remove existing content.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest declares automatic lifecycle hooks (postinstall and onStartup) that will fetch and install a private package from a remote CNB repository, but it does not define clear user consent, activation boundaries, integrity verification, or trust controls. In this context, automatic network retrieval into a privileged path materially increases supply-chain risk because code or artifacts can change server-side after publication and be executed or loaded during normal skill installation/startup.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The manifest explicitly declares automatic lifecycle hooks and network-enabled post-install behavior that pulls a private package from a remote CNB repository, but it does not provide clear trigger constraints, integrity verification, or user-consent boundaries. In this context, auto-fetching privileged code during install/startup materially increases supply-chain risk because the downloaded package could change independently of the reviewed skill and may execute with the skill's declared file and subprocess privileges.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The architecture emphasizes seamless behavior and that the user need not know about the private package, while also describing automatic cloning from a remote repository during installation. Lack of clear user-facing warning about network fetch and code retrieval undermines transparency and informed consent, making risky behavior easier to smuggle into a seemingly ordinary install path.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation describes automatic cloning and deployment of a private package without a clear warning that installation will perform network access and modify files on disk. In the context of an install hook, this is dangerous because users may unknowingly permit supply-chain changes and filesystem modifications that occur outside the visible public package contents.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented post-install behavior performs network access and writes files automatically with no user confirmation. This is dangerous because installation becomes an implicit code/content acquisition step, enabling silent modification of the local skill environment and making supply-chain compromise or unexpected privileged content deployment much harder for users to detect.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The manifest defines automatic lifecycle hooks (`postinstall` and `onStartup`) with broad descriptions and no clear activation constraints, while also declaring network access and subprocess use to fetch a private package. This is dangerous because installation or startup can silently trigger code execution and external downloads, expanding trust from the reviewed package to unreviewed remote content and enabling supply-chain abuse or unauthorized persistence.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The manifest declares automatic lifecycle hooks that run post-install and on startup, and the same manifest also states those hooks perform network access and subprocess execution to clone a private package. That combination creates a real supply-chain risk because code is fetched and influenced automatically without clear user opt-in, integrity pinning, scope limits, or activation constraints, making silent execution of unreviewed code more likely.

VirusTotal

65/65 vendors flagged this skill as clean.