Trust Assessment
agent-memory-mcp received a trust score of 38/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 1 critical, 1 high, 2 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, Untrusted External Repository Clone.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Untrusted External Repository Clone.** The skill instructs the user to clone a repository from an external GitHub URL (`https://github.com/webzler/agentMemory.git`). This introduces a significant supply chain risk, as the integrity and security of the `webzler/agentMemory` repository cannot be guaranteed. A compromised or malicious repository could introduce arbitrary code into the agent's environment. Recommendation: avoid direct cloning of untrusted external repositories. If absolutely necessary, implement robust verification mechanisms (e.g., cryptographic signatures, checksums) for the cloned content. Consider vendoring critical dependencies or using trusted package registries. | Static | SKILL.md:16 |
| HIGH | **Potential Command Injection via `npm run` arguments.** The `npm run start-server` and `npm run start-dashboard` commands instruct the user to pass arbitrary strings (`<project_id>`, `<absolute_path_to_target_workspace>`) as arguments. If the underlying Node.js scripts (defined in `package.json` and executed by `npm run`) do not properly sanitize these user-provided arguments before using them in shell commands (e.g., via `child_process.exec` or similar), it could lead to command injection. An attacker could craft a malicious path or project ID to execute arbitrary commands on the host system. Recommendation: the underlying Node.js scripts must rigorously sanitize all user-provided arguments before incorporating them into any shell commands. Prefer APIs that avoid shell interpretation (e.g., `child_process.spawn` with an array of arguments) or escape special characters appropriately. | Static | SKILL.md:27 |
| MEDIUM | **Network egress to untrusted endpoints.** HTTP request to a raw IP address. Recommendation: review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | **Broad Filesystem Access Implied by 'Target Workspace'.** The skill's functionality is described as operating on a `<absolute_path_to_target_workspace>` and syncing with 'project documentation'. This implies that the skill, once running, will have broad read and write access to the specified workspace directory and its contents. While necessary for its stated purpose, this broad access scope, especially when combined with the supply chain risk, could allow a malicious skill to read, modify, or delete sensitive project files. Recommendation: implement the principle of least privilege. If possible, restrict the skill's filesystem access to only the necessary subdirectories or file types within the target workspace. Clearly document the exact permissions required and the implications of granting them. Consider sandboxing or containerization for skills requiring broad filesystem access. | Static | SKILL.md:27 |
| LOW | **Covert behavior / concealment directives.** Multiple zero-width characters (stealth text). Recommendation: remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Full report: [skillshield.io/report/60ef54cff841d722](https://skillshield.io/report/60ef54cff841d722)