Security Audit
agent-memory-mcp
github.com/sickn33/antigravity-awesome-skills

Trust Assessment
agent-memory-mcp received a trust score of 33/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. The findings are External Repository Clone and Dependency Installation, Potential Command Injection via `npm run` arguments, and Broad Filesystem Access to Target Workspace.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| HIGH | External Repository Clone and Dependency Installation | The skill instructs the agent to clone a repository from an external GitHub URL (`https://github.com/webzler/agentMemory.git`) and then run `npm install`. This is a significant supply-chain risk: neither that repository nor its dependencies are controlled by the skill provider, so malicious code could arrive through the cloned repository or its transitive dependencies, potentially leading to arbitrary code execution or data exfiltration. | Vendor the `agentMemory` code directly into the skill's repository. If the external clone is kept, pin it to a reviewed commit rather than the default branch, pin dependencies to specific versions via `package-lock.json` or `yarn.lock`, and run dependency auditing tools. | Static | SKILL.md:17 |
| HIGH | Potential Command Injection via `npm run` arguments | The skill instructs the agent to execute `npm run start-server` and `npm run start-dashboard` with user-provided arguments (`<project_id>`, `<absolute_path_to_target_workspace>`). If the underlying `npm` scripts (defined in the `package.json` of the external `agentMemory` project) do not sanitize or escape these arguments before using them in shell commands, an attacker could inject arbitrary commands. For example, passing a malicious string like `'; rm -rf /'` as a path argument could lead to critical system compromise. | Ensure that the `start-server` and `start-dashboard` scripts within the `agentMemory` project validate and escape all user-provided arguments before using them in shell commands. Prefer passing arguments as environment variables, or use APIs that pass an argument vector directly to the child process instead of building a shell command string. | Static | SKILL.md:29 |
| MEDIUM | Broad Filesystem Access to Target Workspace | The skill is designed to operate on an `absolute_path_to_target_workspace`, implying broad read/write access to every file within that directory. While necessary for its stated purpose ("syncs with project documentation"), this grants significant permissions. If the skill or its underlying `agentMemory` server is compromised (for example via command injection or a malicious dependency), an attacker gains full control over the specified workspace: data modification, deletion, or exfiltration. | Apply sandboxing and least-privilege principles to the `agentMemory` server process. Restrict its filesystem access to only the subdirectories or file types it needs within the target workspace. Consider containerization or virtual environments to isolate the skill's operations. | Static | SKILL.md:29 |
Full report: https://skillshield.io/report/031a4c87d22e7cb7
Powered by SkillShield