
Security audit

Llm Memory V9

Security checks across malware telemetry and agentic risk

Overview

This skill is local-only and purpose-aligned, but it is rated Review because its postinstall hook can automatically link or copy private local files into the skill workspace while the permission metadata underreports that access.

Install only after reviewing what CNB_PRIVATE_WORKSPACE points to. Point it at a dedicated, minimal directory that holds no secrets and is not a broad personal folder such as your home directory. If you do not want install-time linking or copying of private files, set the variable only for the current shell session or install with --no-hooks.
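The review the overview asks for, as an added example that is not the skill's own code: it resolves the exported value the way a user would expect, walks the directory, and reports credential-looking files and agent-steering files (AGENTS.md, TOOLS.md, MEMORY.md) before anything is linked. The secret-name patterns, the `demo()` fixture and the assumption that the hook exposes every file under the directory are this example's, not the page's. One caveat it also checks: the README's `export CNB_PRIVATE_WORKSPACE="~/my-private-config"` keeps the tilde literal, because a shell does not expand `~` inside double quotes.

```python
"""Pre-install review of what CNB_PRIVATE_WORKSPACE would hand to the hook.

Added example, not the skill's own code. Assumes the postinstall hook links
or copies everything under the named directory into the skill workspace.
"""
import json
import os
import re
import tempfile
from pathlib import Path

# Names that commonly hold credentials (illustrative, extend for your estate).
SECRET_PATTERNS = [
    re.compile(r"^\.env(\..+)?$"),
    re.compile(r"^id_(rsa|dsa|ecdsa|ed25519)$"),
    re.compile(r"\.(pem|key|p12|pfx)$"),
    re.compile(r"^(credentials|\.netrc|\.npmrc|\.pypirc)$"),
]
# Files the audit names as able to steer agent behaviour once linked in.
AGENT_STEERING = {"AGENTS.md", "TOOLS.md", "MEMORY.md"}


def resolve_value(value, home):
    """Expand the exported string the way the user meant it.

    Returns (path, literal_tilde). A '~' inside double quotes is not expanded
    by the shell, so the hook would receive the literal text.
    """
    home = Path(home)
    if value == "~":
        return home, True
    if value.startswith("~/"):
        return home / value[2:], True
    return Path(value), False


def review_private_workspace(value, home):
    """Report problems, secret-like files and agent-steering files for value."""
    home = Path(home).resolve()
    report = {"problems": [], "secrets": [], "steering": [], "files": 0}
    broad = False
    if not value:
        report["problems"].append("CNB_PRIVATE_WORKSPACE is unset")
    else:
        path, literal_tilde = resolve_value(value, home)
        if literal_tilde:
            report["problems"].append(
                "literal '~' in value: use $HOME or leave the ~ unquoted")
        path = path.resolve()
        if not path.is_dir():
            report["problems"].append(f"{path} is not an existing directory")
        else:
            # The home directory, or anything above it, is the broad personal
            # folder the overview says not to point the hook at.
            broad = path == home or path in home.parents
            if broad:
                report["problems"].append(f"{path} is the home directory or above it")
            for root, _dirs, files in os.walk(path):
                for name in files:
                    report["files"] += 1
                    rel = str(Path(root, name).relative_to(path))
                    if any(p.search(name) for p in SECRET_PATTERNS):
                        report["secrets"].append(rel)
                    if name in AGENT_STEERING:
                        report["steering"].append(rel)
    if broad or report["secrets"]:
        report["verdict"] = "do-not-install"
    elif report["problems"] or report["steering"]:
        report["verdict"] = "review"
    else:
        report["verdict"] = "ok"
    return report


def demo():
    """Constructed fixture (not real user data): three candidate values."""
    home = Path(tempfile.mkdtemp())
    private = home / "my-private-config"
    private.mkdir()
    (private / "notes.md").write_text("harmless notes\n")
    (private / ".env").write_text("API_TOKEN=constructed-sample\n")
    (private / "AGENTS.md").write_text("# constructed agent instructions\n")
    clean = home / "skill-only"
    clean.mkdir()
    (clean / "prefs.toml").write_text("theme = 'dark'\n")
    return {
        "quoted_tilde": review_private_workspace("~/my-private-config", home),
        "whole_home": review_private_workspace(str(home), home),
        "dedicated": review_private_workspace(str(clean), home),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it with the real value (`review_private_workspace(os.environ.get("CNB_PRIVATE_WORKSPACE"), Path.home())`) and treat anything other than `ok` as a reason to repoint the variable or use `--no-hooks`.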

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Scope Creep

Medium
Confidence: 93%
Finding
The manifest declares no filesystem read/write permissions, yet the documented postinstall hook links a private configuration directory from a local path into the workspace. This is a security-relevant filesystem operation: it can expose sensitive local files or configuration to a broader workspace context while sidestepping the permission transparency that users and tooling expect.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The security metadata claims that no system reads are performed, but the package description and hook behavior show the hook reading a local path from an environment variable to reach the private workspace configuration. This mismatch can mislead reviewers and automated policy enforcement, so the skill may be trusted or installed under false assumptions while still touching sensitive local resources.
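A check that reproduces the Scope Creep and Intent-Code Divergence findings above, as an added example that is neither SkillSpector's nor the audited skill's code. The manifest layout (`permissions.filesystem`, `permissions.system_reads`, `hooks`) and the postinstall script are constructed here for illustration; the skill's real files are not on the page. The example scans the hook for filesystem commands and environment-variable reads and reports each capability the manifest fails to declare.

```python
"""Compare a skill manifest's declared permissions with its postinstall hook.

Added example, not SkillSpector's or the audited skill's code. The manifest
keys and the hook script are constructed to illustrate the two findings.
"""
import json
import re
import shlex

# Commands that read from / write to the filesystem (illustrative sets).
FS_READ = {"cat", "cp", "ln", "rsync", "readlink", "find", "tar"}
FS_WRITE = {"cp", "ln", "rsync", "mv", "mkdir", "tee", "touch", "install", "tar"}
# Shell control words that occupy command position without being commands,
# and the subset after which a real command follows.
KEYWORDS = {"if", "then", "else", "elif", "fi", "for", "while", "until",
            "do", "done", "in", "!", "{", "}"}
CMD_FOLLOWS = {"then", "else", "elif", "do", "if", "while", "until", "!", "{"}
SEPARATORS = {"&&", "||", ";", "|"}
ENV_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)")
ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=")
BENIGN_ENV = {"PATH", "PWD"}   # reads that do not reach user data


def hook_capabilities(script):
    """Return the filesystem commands and environment variables a hook uses."""
    caps = {"reads": set(), "writes": set(), "env": set()}
    local_vars = set()
    for line in script.splitlines():
        try:
            words = shlex.split(line, comments=True)
        except ValueError:            # unbalanced quotes: whitespace fallback
            words = line.split()
        expect_cmd, prev = True, None
        for w in words:
            caps["env"].update(ENV_REF.findall(w))
            if prev == "for":
                local_vars.add(w)       # loop variable, not an env read
            elif w in SEPARATORS:
                expect_cmd = True
            elif w in KEYWORDS:
                expect_cmd = w in CMD_FOLLOWS
            elif w.startswith(">"):
                caps["writes"].add("redirect")
            elif expect_cmd and ASSIGN.match(w):
                local_vars.add(ASSIGN.match(w).group(1))   # VAR=value prefix
            elif expect_cmd:
                if w in FS_READ:
                    caps["reads"].add(w)
                if w in FS_WRITE:
                    caps["writes"].add(w)
                expect_cmd = False
            prev = w
    caps["env"] -= local_vars
    return caps


def check_divergence(manifest, hook_script):
    """Findings, in SkillSpector's categories, where the hook exceeds the manifest."""
    caps = hook_capabilities(hook_script)
    perms = manifest.get("permissions", {})
    fs = perms.get("filesystem", {})
    findings = []
    undeclared = []
    if caps["reads"] and not fs.get("read"):
        undeclared.append(f"reads via {sorted(caps['reads'])}")
    if caps["writes"] and not fs.get("write"):
        undeclared.append(f"writes via {sorted(caps['writes'])}")
    if undeclared:
        findings.append({"type": "Scope Creep",
                         "detail": "manifest declares no filesystem access; hook " + "; ".join(undeclared)})
    external = sorted(caps["env"] - BENIGN_ENV)
    if external and perms.get("system_reads") is False:
        findings.append({"type": "Intent-Code Divergence",
                         "detail": f"manifest says system_reads=false; hook reads {external}"})
    return findings


# Constructed manifest and hook (not the audited skill's real files).
MANIFEST = {
    "name": "constructed-skill",
    "permissions": {"filesystem": {"read": False, "write": False},
                    "system_reads": False},
    "hooks": {"postinstall": "scripts/postinstall.sh"},
}
HONEST_MANIFEST = {
    "name": "constructed-skill",
    "permissions": {"filesystem": {"read": True, "write": True},
                    "system_reads": True},
    "hooks": {"postinstall": "scripts/postinstall.sh"},
}
POSTINSTALL = """#!/usr/bin/env bash
# Link the user's private config into the skill workspace.
set -euo pipefail
SRC="${CNB_PRIVATE_WORKSPACE:-}"
[ -n "$SRC" ] || exit 0
mkdir -p "$PWD/workspace/private"
for f in "$SRC"/*; do
  ln -sf "$f" "$PWD/workspace/private/"
done
"""


def demo():
    return {"as_shipped": check_divergence(MANIFEST, POSTINSTALL),
            "honest": check_divergence(HONEST_MANIFEST, POSTINSTALL)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The tokenizer is deliberately shallow (it does not follow sourced files or command substitutions), which is the right bias for a gate: a hook that is too clever to classify is itself a reason to read it by hand before installing.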

Missing User Warnings

Medium
Confidence: 86%
Finding
The README explicitly describes a postinstall hook that automatically links user-controlled private files into the skill workspace, but it does not clearly warn that this expands the data exposure boundary of the installed skill. In an agent-skill context, linking AGENTS.md, TOOLS.md, MEMORY.md, or config files into the workspace can materially influence agent behavior and expose sensitive local content to downstream tooling or prompts.

Session Persistence

Medium
Category: Rogue Agent
Content
### 1. Prepare the private configuration directory

```bash
mkdir -p ~/my-private-config
# put your private files in this directory
```
Confidence: 80%
Finding
The flagged text is the README's own setup steps, quoted here as extracted (translated; the audit output cuts off mid-command):

```bash
mkdir -p ~/my-private-config  # put your private files in this directory
```

### 2. Set the environment variable

```bash
# Temporary (current session only)
export CNB_PRIVATE_WORKSPACE="~/my-private-config"

# Permanent (add to ~/.bashrc or ~/.zshrc)
echo 'export CNB_PRIVATE_WORKS
```

The persistence concern is the second option: adding the export to ~/.bashrc or ~/.zshrc keeps the private directory wired to the hook in every future shell session, not just during install. Note also that a shell does not expand `~` inside double quotes, so unless the hook expands it itself, the quoted form hands it the literal string ~/my-private-config.

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.