Back to skill

Security audit

codex-agentmemory-windows

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Windows setup and repair skill for agentmemory, but it grants broad persistent hook, credential, service-restart, and memory-export authority that users should review before installing.

Install only if you want Codex activity persisted into agentmemory. Run dry-run first, review changes to hooks.json and config.toml, keep the endpoint local or under your control, protect ~/.codex because it will contain the bearer secret, and avoid --restart-service unless you have confirmed ports 3111 and 3113 belong to agentmemory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
results = []
    for event, entries in agent_hooks["hooks"].items():
        command = entries[0]["hooks"][0]["command"]
        proc = subprocess.run(
            ["powershell.exe", "-NoProfile", "-Command", command],
            input=payload,
            text=True,
Confidence
93% confidence
Finding
proc = subprocess.run( ["powershell.exe", "-NoProfile", "-Command", command], input=payload, text=True, stdout=subprocess.PIPE, stde

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The manual workflow instructs the user to place AGENTMEMORY_SECRET directly into agentmemory-hook.cmd, which stores a credential in plaintext on disk and makes it accessible to local users, backups, logs, and accidental disclosure during troubleshooting. Embedding secrets in wrapper scripts also increases the risk that the secret is propagated into copied configs or command-history artifacts.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The injected hook code sends prompt text, project identifiers, file paths, and contextual memory data to a local or configured REST service without any user-facing disclosure or consent flow in this file. In this skill's context, that behavior is central to 'agent memory' integration, which increases sensitivity because it persistently exports developer activity and prompts that may contain secrets or proprietary code.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script automatically reads `AGENTMEMORY_SECRET` from `~/.agentmemory/.env` and Codex config, then uses it for authenticated API requests without requiring explicit user acknowledgement. In a skill intended to modify hooks, services, and graph state, silent credential harvesting from local files increases the blast radius if the script is run unexpectedly or repurposed.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The backfill workflow exports observations and graph data, reconstructs graph nodes and edges, and posts the resulting dataset back to the configured agentmemory URL with no explicit warning at the point of transmission. Because the URL is configurable and defaults to plain HTTP localhost, this can expose sensitive observation content to an unintended endpoint or unencrypted local interception if misconfigured.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The restart routine forcibly terminates any processes listening on ports 3111 and 3113, then starts `agentmemory.cmd` from `%APPDATA%\npm` without verifying process identity or warning the user. In this skill context, that can disrupt unrelated applications using those ports or execute an unexpected binary if the npm shim path has been replaced or hijacked.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.potential_exfiltration

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/configure_agentmemory_windows.py:30

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
scripts/configure_agentmemory_windows.py:326