
Security audit

Memora Knowledge Base

Security checks across malware telemetry and agentic risk

Overview

The skill’s knowledge-base features are mostly purpose-aligned, but its privacy claims understate likely third-party AI and upload data flows for sensitive personal documents.

Review the backend configuration before installing. Keep KB_API_BASE pointed at a trusted Memora instance, treat uploaded documents and prompts as potentially sensitive, and only configure DeepSeek, DashScope, OpenAI-compatible, or scraping features if you are comfortable with those data flows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Tainted flow: 'req' from os.getenv (line 161, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))
Confidence
94% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout) as resp:

Tainted flow: 'req' from os.getenv (line 161, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
def _get_json(url, timeout=15):
    """Send a GET request"""
    req = urllib.request.Request(url, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))
Confidence
94% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout) as resp:

Tainted flow: 'req' from os.getenv (line 161, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
        headers={"Content-Type": f"multipart/form-data; boundary={boundary}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        data = json.loads(resp.read().decode("utf-8"))

    return {
Confidence
98% confidence
Finding
with urllib.request.urlopen(req, timeout=60) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares only one required environment variable in metadata, but the documented behavior clearly includes network access and use of additional environment-backed secrets. This mismatch can bypass user expectations and any permission-review workflow, making it easier for the skill to access external services or sensitive configuration without explicit disclosure.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document markets the system as 'fully private' and 'offline ready' while elsewhere requiring external API keys and describing cloud LLM/embedding providers for core AI features. This is dangerous because users may upload sensitive knowledge under the false assumption that data never leaves the local environment, causing unintended third-party disclosure.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The metadata says only KB_API_BASE is required, but the later configuration section lists multiple API keys as required for functionality. This inconsistency can mislead operators during deployment and security review, causing undeclared third-party dependencies and accidental data flow to external providers.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description and usage guidance do not prominently warn that uploaded documents, retrieved knowledge, and user prompts may be sent to external LLM or embedding providers. In a personal knowledge-base context, that omission is particularly risky because users are likely to handle private notes, documents, and proprietary information.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill advertises built-in web scraping and REST integration without a clear warning that it performs outbound network requests and may interact with external systems. This can expose user IPs, fetch untrusted content, and create privacy or compliance issues if users assume the skill is purely local.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script uploads local file contents to the configured API but does not provide an explicit user-facing warning about where the data is being sent or that full file contents leave the local machine. In this skill's context, users are likely to handle personal knowledge assets, so silent transmission increases privacy and data-handling risk.

VirusTotal

VirusTotal findings are pending for this skill version.


Static analysis

No suspicious patterns detected.