Back to skill

Security audit

secure-memory-stack

Security checks across malware telemetry and agentic risk

Overview

This memory skill appears functional, but its privacy claims do not fit its documented Baidu embedding/API use and broad maintenance behavior.

Review this carefully before installing. Use it only if you are comfortable with memory content or search queries potentially being sent to Baidu for embeddings, and avoid storing secrets or highly sensitive notes unless you can verify a true offline mode. Treat backup and restore operations as high-impact and restore only from trusted backups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (63)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises operational commands that invoke shell scripts and likely read environment-based API configuration, but it declares no permissions or capability scope. This creates a transparency and control gap: users or platforms may treat the skill as low-risk while it can execute local commands and access sensitive configuration during setup and maintenance.

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
The documentation claims the system is fully local with zero data upload, yet the described behavior includes real Baidu Embedding API connectivity and testing, which can transmit user memory content or queries off-device. This mismatch is dangerous because users may entrust sensitive data under false privacy assumptions, while the skill also performs filesystem, permission, Git, cleanup, backup, restore, and automatic logging actions with broader side effects than disclosed.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The changelog makes strong privacy assurances such as 'zero data upload' and 'no network transmission' while also documenting Baidu Embedding API integration, which implies potential outbound data flow. Misleading privacy claims can cause users to expose sensitive memory data under false assumptions about locality and confidentiality.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
This is a direct documentation contradiction: the file advertises local-only privacy properties while also listing Baidu Embedding API integration as a feature. In a memory system marketed for privacy, this mismatch is especially dangerous because users may store highly sensitive notes believing nothing can leave the device.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The 'privacy first' section says data never leaves the user device and there is no cloud synchronization, but the same changelog describes Baidu Embedding API support. Because the skill handles persistent memory, such contradictory assurances can materially affect user trust, compliance decisions, and the handling of confidential information.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documentation claims the system is fully local, offline, and sends no data to external services, yet it also describes use of Baidu Embedding cloud APIs. This creates a material privacy and trust issue because users may input sensitive memory data under false assumptions that it never leaves the device.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
Describing the skill as a secure local-memory system is misleading when a core documented feature depends on a third-party cloud embedding service. In a memory/privacy tool, this mismatch is especially dangerous because users are likely to store passwords, meeting notes, or personal data based on the promise of local-only handling.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The later security section repeats guarantees that all data stays local and that there is no network transmission, directly contradicting the documented Baidu API integration. Such contradictory security assurances can cause unsafe use of the tool in high-sensitivity contexts where external transmission is prohibited.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The guide claims that all data is stored locally and that there is no risk of external data leakage, but elsewhere it requires use of Baidu Embedding APIs and network connectivity checks. That contradiction can mislead users into sending sensitive memory content, queries, or metadata to an external provider under a false privacy assumption, which is especially dangerous in a 'secure' memory skill.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documentation markets the system as local and privacy-preserving, but the quick start requires Baidu API credentials and therefore implies data leaves the local environment for embedding generation. This creates a misleading trust boundary that may cause users to store sensitive memory data under false assumptions about data locality and privacy.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The guide presents the stack as localized and privacy-focused while setup requires third-party API usage, without acknowledging the contradiction or documenting data-flow implications. In a memory system, this omission is more dangerous because users may place sensitive personal or operational information into the system believing it never leaves the host.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The README makes strong privacy and security claims such as 'fully local' and 'zero data upload' while also advertising Baidu Embedding-based semantic search, which typically requires sending query or content data to an external service. This mismatch can mislead users into exposing sensitive memory data under a false assumption of offline/local-only operation.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The security section promises 'no external transmission' and offline use, but the architecture and configuration sections describe reliance on Baidu API functionality for semantic search. Users relying on the security section may store confidential data believing it never leaves the device, creating a material privacy risk.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill is presented as a secure, local, privacy-preserving memory system, but the described Baidu Embedding integration is inconsistent with that scope because semantic processing likely depends on a third-party network service. In a memory-management context, this is especially sensitive because stored content may include secrets, decisions, credentials, or personal data.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The guide for a supposedly local, privacy-preserving memory system instructs users to inspect and set external-service credentials, which broadens the trust boundary and increases the chance of secret exposure. While not inherently malicious, presenting credential handling casually in documentation can lead users to leak API keys via shell history, logs, screenshots, or shared terminals.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The migration example reads stored content from another system and feeds it directly into a CLI command via subprocess without any validation, length limits, or safety checks. Even if `subprocess.run([...])` avoids shell metacharacter expansion, untrusted imported content may still trigger unsafe downstream behavior in the `secure-memory` CLI, cause argument-parsing edge cases, or import sensitive/poisoned data at scale.

Intent-Code Divergence

Low
Confidence
78% confidence
Finding
The documentation encourages inspecting environment variables and later generating diagnostics, which can expose sensitive configuration in a system marketed as secure and private. The issue is primarily operational leakage rather than direct code execution, but it weakens privacy guarantees and may mislead users into unsafe handling of secrets.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The health-check script probes unrelated skills and their whitelist markers outside the stated scope of a secure local memory system. This expands visibility into the broader environment and can disclose installed components or trust state, which is unnecessary for the advertised function and increases information exposure.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The script checks for external-service credentials even though the skill is described as privacy-focused and local. While it does not print secret values, it reveals dependency on external credentials and whether they are configured, which weakens the privacy expectation and may help an attacker profile the environment.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script invokes external helper scripts from fixed filesystem paths with the same privileges as the maintenance script, but performs no integrity, ownership, or existence checks before execution. If those helper scripts are modified, replaced, or unexpectedly unsafe, this script becomes a trusted launcher for arbitrary privileged code.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The restore path accepts a user-supplied directory and copies its contents directly into the live /root/clawd environment, including memory data and configuration files, without validating source trustworthiness or file contents. In a root-owned environment, this can overwrite operational data and plant attacker-controlled files that influence later behavior, making it a strong integrity and potential privilege-abuse risk.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
文档将系统宣传为“本地化”“确保数据隐私和安全”,但快速启动又要求配置百度 API 凭据并依赖百度 Embedding 服务,意味着数据或至少查询内容可能发送到第三方服务。这会误导用户对数据驻留、隐私边界和威胁模型的理解,导致其在错误前提下导入敏感记忆内容。

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The guide claims that all data is stored locally and that there is no risk of external data leakage, yet the documented design depends on Baidu Embedding APIs and API credentials. This can mislead users into sending sensitive memory content or queries to a third-party service under false privacy assumptions, creating a real confidentiality and compliance risk.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The documentation asserts 'no external data leakage risk' while the architecture requires external Baidu API use, which is a direct contradiction. In a memory system handling potentially sensitive user notes, this misrepresentation increases the chance that operators will deploy it for private data without understanding third-party exposure.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill advertises a local/private memory system, but it enables a Baidu embedding component that relies on external API credentials, which implies data may leave the local environment for embedding or related processing. This creates a misleading privacy boundary and can cause users to expose sensitive memory content under the false assumption that processing remains fully local.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.