Llm Memory V8 Fix

Security checks across malware telemetry and agentic risk

Overview

This memory skill discloses its hooks, but it automatically downloads unpinned private code during install and contacts Git on startup, so users should review it before installing.

Install only if you trust the publisher and the CNB repository. Prefer disabling hooks or manually inspecting and pinning the private package before allowing it to write under src/privileged or run startup Git checks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (23)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        result["current_commit"] = current.stdout.strip()[:8]

        # Get the latest remote commit (without pulling)
        subprocess.run(
            ["git", "fetch", "--dry-run"],
            cwd=str(privileged_dir),
            capture_output=True,
Confidence
77% confidence
Finding
subprocess.run( ["git", "fetch", "--dry-run"], cwd=str(privileged_dir), capture_output=True, text=True, timeout=30 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        shutil.rmtree(target_dir)

        # Clone the repository
        result = subprocess.run(
            ["git", "clone", "--depth", "1", url, str(target_dir)],
            capture_output=True,
            text=True,
Confidence
94% confidence
Finding
result = subprocess.run( ["git", "clone", "--depth", "1", url, str(target_dir)], capture_output=True, text=True, timeout=120 )

Tainted flow: 'privileged_dir' from os.environ.get (line 133, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
        result["current_commit"] = current.stdout.strip()[:8]

        # Get the latest remote commit (without pulling)
        subprocess.run(
            ["git", "fetch", "--dry-run"],
            cwd=str(privileged_dir),
            capture_output=True,
Confidence
84% confidence
Finding
subprocess.run( ["git", "fetch", "--dry-run"], cwd=str(privileged_dir), capture_output=True, text=True, timeout=30 )

Tainted flow: 'log_file' from os.environ.get (line 115, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    """Write the startup log"""
    log_file = skill_dir / ".privileged_status.log"

    with open(log_file, "w") as f:
        f.write(f"timestamp: {datetime.now().isoformat()}\n")
        f.write(f"exists: {status['exists']}\n")
        f.write(f"has_git: {status['has_git']}\n")
Confidence
80% confidence
Finding
with open(log_file, "w") as f:

Tainted flow: 'log_file' from os.environ.get (line 135, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    """Write the install log"""
    log_file = skill_dir / ".privileged_install.log"

    with open(log_file, "w") as f:
        f.write(f"timestamp: {datetime.now().isoformat()}\n")
        f.write(f"architecture: {arch}\n")
        f.write(f"success: {success}\n")
Confidence
86% confidence
Finding
with open(log_file, "w") as f:

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill presents itself as an interface layer with automation hooks, but the documented behavior includes persistent local memory storage, SQLite-backed search/CRUD functionality, startup-time repository inspection, network contact, and log/status file writes. More importantly, it automatically pulls and stages a private package from a remote repository into a privileged path, creating a supply-chain trust gap where substantial functionality is delivered outside the reviewed public package.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The document makes a materially misleading safety claim by stating the public package has no network access or subprocess behavior while also describing a postinstall hook that performs a remote git clone. This mismatch can cause users and reviewers to underestimate the trust boundary, leading to silent retrieval of additional code during installation.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The documentation presents inconsistent statements about update behavior, saying updates are not automatically executed while also advertising automatic detection and update-related automation. Ambiguous update semantics are dangerous because users cannot reliably predict when remote state changes will affect installed components.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is described as an interface layer with automation hooks, but the architecture reveals it silently fetches a separate private enhancement package from a remote repository. That is a significant hidden capability expansion and changes the security model from local package install to staged remote code acquisition.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The document explicitly treats user unawareness of the private package as a feature, which is a strong indicator of intentional concealment. Hiding automatic installation of remote code is dangerous because it defeats informed consent and can be used to smuggle privileged or unreviewed functionality into the environment.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The document describes an installation hook that automatically clones and deploys a private package, while the skill is framed as a simple interface layer with automation. That is a material mismatch in disclosed behavior: users may install a public skill without realizing it performs network access and filesystem changes to fetch opaque private code. In a skill/plugin context, silent retrieval of additional private code significantly increases supply-chain and trust risk.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The security section claims the public package has 'no network access', yet the documented postinstall behavior clones from a CNB repository. This is a direct contradiction that can mislead reviewers and users about the package's real behavior, undermining informed consent and making risky supply-chain behavior appear harmless.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The README documents that the startup hook performs network update checks via Git operations every time the gateway starts. Even if limited to fetch/check behavior, automatic network activity at service startup expands the trust boundary and can introduce unwanted remote interaction, metadata leakage, or supply-chain exposure beyond a simple local interface-layer skill.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The documentation says onStartup.py is read-only, yet it also states that it performs Git fetch network activity. This is misleading because users may interpret 'read-only' as no external side effects, while network access still changes security posture by contacting remote infrastructure and potentially updating local Git metadata.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The security comments state that the hook only checks local files and Git status, but the code performs git fetch --dry-run, which can contact a remote server. Misleading security claims are dangerous because operators may trust the hook in restricted environments while it actually performs outbound network activity during startup.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest explicitly states that installation will automatically pull a private enhancement package from a remote CNB repository, but it does not define clear user-consent, integrity-verification, or trigger constraints. In this skill context, automatic retrieval of privileged code during install/startup materially increases supply-chain risk because remote content can change after review and may be written into a privileged path.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The hooks section says lifecycle hooks will automatically pull from CNB, but it is ambiguous exactly when and under what safeguards these pulls happen. Because the skill also declares subprocess git clone, network access, and writes into a privileged directory, unclear hook behavior makes covert or repeated remote code acquisition more dangerous and harder for reviewers to audit.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The markdown describes automatic cloning of a private package at install time without a clear warning that the install will perform network access and retrieve additional code. Silent code retrieval during installation increases supply-chain risk and undermines user expectations for what the public package contains.

Missing User Warnings

High
Confidence
98% confidence
Finding
The phrase emphasizing 'unnoticed' acquisition of private functionality is especially dangerous in this context because the skill is for memory integration, not for software bootstrapping or package management. Promoting invisible installation behavior indicates deliberate avoidance of user awareness for system-impacting actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The markdown promotes automatic cloning and deployment of a private package during installation without a prominent user-facing warning about network access and local file modifications. Even if the behavior is intentional, failing to warn users about side effects is unsafe in an extension ecosystem because it reduces visibility into code provenance and installation impact.

Missing User Warnings

High
Confidence
98% confidence
Finding
The document explicitly celebrates 'user-unaware' installation of a private package. Designing for hidden fetch-and-deploy behavior is dangerous because it bypasses meaningful user awareness, conceals supply-chain expansion after installation, and can be abused to introduce unreviewed code into a trusted environment.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill is explicitly described as 'install-and-run' and the README states that post-install and startup hooks automatically perform Git network access and write a privileged package into src/privileged/ without user confirmation. Automatic execution of remote-fetching hooks is dangerous because it can silently introduce unreviewed code or privileged components during install/startup, which is a classic supply-chain and consent problem.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The manifest declares automatic lifecycle hooks that run post-install and on startup, and the surrounding metadata states they will perform network access and invoke subprocesses to clone a private package. That combination creates a supply-chain risk because code retrieval and execution behavior can be triggered automatically without narrowly defined activation constraints, user confirmation, integrity pinning, or exclusion conditions.

VirusTotal

67/67 vendors flagged this skill as clean.