Security audit

Memory Focal System

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a genuine memory-management tool, but it automatically stores and reuses conversation-derived content and may send memory text to external model APIs without adequate consent or data-handling disclosure.

Review this carefully before installing. Use it only if you deliberately want persistent local memory; disable automatic writing and external auto-tagging unless you have explicitly opted in; avoid storing secrets or confidential content; and regularly inspect and delete the memory files it creates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill documentation describes persistent reading and writing of local memory files, but the metadata does not declare the corresponding permissions. This creates a transparency and consent problem: users and hosting platforms cannot accurately assess that the skill is able to access and persist conversation-derived data in the local workspace.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The declared purpose focuses on memory optimization and token savings, but the documented behavior includes persistent storage of user messages and modification of workspace files. This mismatch is dangerous because users may enable the skill for context optimization without realizing it performs long-term data collection and local state changes.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The README explicitly advertises automatic detection, loading, writing, and tagging of user memory, but gives no privacy notice, consent flow, retention guidance, or warning about sensitive data capture. In a memory-management skill, this increases the risk of silently storing personal, behavioral, or confidential information beyond user expectations, which can lead to privacy harm or accidental disclosure.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill says it automatically classifies, loads, and writes memories, but it does not present a prominent warning that data will be persistently stored and may later be archived or deleted. For a memory system handling user conversations, silent automatic retention and deletion can lead to privacy, compliance, and user-expectation failures.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The LLM auto-tagging feature states that it calls external model APIs but does not clearly warn that memory text derived from user conversations may be transmitted to third-party services. This can expose sensitive personal data outside the local environment without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill persistently writes raw user messages to local JSONL/index files with auto-write enabled and no visible consent, notice, minimization, or sensitivity filtering. In a memory-management skill, users are especially likely to provide preferences, rules, schedules, and other personal context, so silent persistence increases privacy and data-retention risk if the host, other skills, or local users can read these files.

Ssd 3

Severity: Medium
Confidence: 95%
Finding: The module stores full raw user messages and later reloads top memories from buffer.jsonl, creating a durable path for sensitive natural-language content to be retained and resurfaced in future contexts. Because the system is explicitly designed for memory reuse, secrets, personal data, or unsafe instructions supplied once may be reintroduced later without renewed user intent or awareness.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.