PLUR1BUS Memory

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate memory plugin, but it can automatically store chat content long term and send derived text to configured AI providers, so it needs careful review before installation.

Install only if you want this plugin to retain conversation memory. Before enabling it in a sensitive workspace, consider setting autoCapture=false, using a local embedding provider where possible, disabling optional LLM merging/curation unless needed, keeping the Obsidian bridge disabled until configured deliberately, and reviewing or backing up KNOWLEDGE.md before using knowledge_update.

Publisher note

PLUR1BUS is a memory plugin. It intentionally reads local workspace memory files, writes LanceDB/Obsidian memory artifacts, and calls configured embedding/reranker providers only when the operator config enables those providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The function's behavior contradicts the surrounding security contract: comments state helpers should throw on invalid input, but safeUuidList silently drops malformed IDs and may return null. In code that relies on this helper for SQL safety or authorization-sensitive deletion/filtering, silent filtering can turn invalid or attacker-controlled input into broader-than-intended queries, skipped validation, or logic bypasses rather than a hard failure.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The manifest for a memory skill declares an Obsidian bridge that can write files, watch workspaces, and run scheduled review workflows, which materially expands capability beyond the advertised memory tool contract. This creates a dangerous mismatch between declared purpose and effective authority: a consumer enabling a memory plugin may unintentionally grant filesystem mutation and automated background actions, increasing the risk of unauthorized data modification or exfiltration through note synchronization paths.

Missing User Warnings

Medium
Confidence: 96%
Finding
The auto-capture hook persistently stores user and assistant conversation content, including URLs, attachment stubs, and potentially sensitive details, into long-term memory without any visible consent or notice in this file. In a chat-agent context, this creates a substantial privacy risk because secrets, personal data, and internal operational details may be retained far beyond the user's expectation.

Missing User Warnings

Medium
Confidence: 95%
Finding
The code sends conversation-derived text to external LLM providers for summarization and later curation, but there is no visible user-facing disclosure or consent gate here. Because this text can include sensitive facts, configuration values, and private context, external transmission materially increases exposure beyond local storage.

Missing User Warnings

Medium
Confidence: 90%
Finding
The knowledge_update tool can modify workspace files automatically and durably by writing KNOWLEDGE.md, yet there is no confirmation or preview requirement before file modification in the shown implementation. In a shared workspace context, this can unexpectedly alter project artifacts, persist hallucinated or sensitive material, and affect collaborators.

Missing User Warnings

Medium
Confidence: 88%
Finding
The manifest exposes tools for storing, recalling, and forgetting memory while also allowing configuration of external embedding providers and API endpoints, yet it gives no user-facing warning that data may be persisted, deleted, or transmitted to third-party services. This omission can lead to unsafe deployment decisions, privacy violations, and accidental routing of sensitive conversation data to external providers.

Ssd 3

Medium
Confidence: 90%
Finding
The tool description explicitly encourages proactive long-term retention of user-provided preferences, facts, and decisions. In this memory-agent context, such natural-language guidance steers the model toward collecting and persisting more personal or sensitive data than a user may expect, increasing privacy and over-retention risk.

Ssd 3

High
Confidence: 97%
Finding
The auto-capture implementation broadly collects conversation content and preserves specific names, URLs, dates, technical details, and configuration values, including assistant output. In a memory plugin, this context makes the behavior especially dangerous because it can silently accumulate credentials, internal endpoints, operational details, and other sensitive content into durable storage and later retrieval prompts.

Ssd 3

Medium
Confidence: 88%
Finding
The curation prompt tells the model to integrate pending memories into a durable KNOWLEDGE.md file, effectively promoting transient captured data into long-lived project knowledge. If pending memories contain sensitive, inaccurate, or context-specific content, this can institutionalize it in a shared workspace and amplify downstream misuse.

VirusTotal

62/62 vendors flagged this plugin as clean.
