Memorius is a local-first memory vault for AI agents. This document outlines security considerations, known vulnerabilities, and remediation plans.
In typical deployments, Memorius runs locally with:
- REST API bound to
127.0.0.1(no remote access) - MCP server over stdin/stdout (no network exposure)
- Shared vault accessible to multiple agents
| Vector | Risk Level | Description |
|---|---|---|
| Memory Poisoning | Critical | Malicious content stored via one agent affects other agents |
| Context Injection | Critical | Stored memories injected into LLM context without trust boundaries |
| Command Injection | High | Hook templates could execute arbitrary commands |
| Data Poisoning | High | False memories corrupt fact-checking results |
| Auth Bypass | High | REST API accessible without authentication by default |
- Location:
memorius/context_inject.py:28-76 - Issue: Memory content injected directly into LLM context without sanitization
- Fix: Add content boundary markers (
[MEMORY CONTENT START]...[MEMORY CONTENT END])
- Location:
memorius/llm_extract.py:36-69 - Issue: User-provided conversation text concatenated into extraction prompt
- Fix: Sanitize conversation text before extraction
- Location:
memorius/hooks/engine.py:449-478 - Issue: Context values substituted into commands without validation
- Fix: Validate context values for shell metacharacters
- Location:
memorius/factcheck.py:89-167 - Issue: False memories can corrupt fact-checking results
- Fix: Implement trust scoring based on memory provenance
- Location:
memorius/context_inject.py:91-96 - Issue: Memory content injected into system prompts without marking as untrusted
- Fix: Mark memory content as
[UNTRUSTED USER CONTENT]
- Location:
memorius/hooks/engine.py:527-532 - Issue: Simple string replacement without validation
- Fix: Escape template-like patterns in context values
-
Enable Authentication
export MEMORIUS_API_KEY="your-secure-key" memorius serve-rest
-
Use Per-Agent Vaults
memorius store "sensitive data" --vault agent-specific -
Review Stored Memories
memorius ls --vault main memorius search "suspicious content" -
Monitor Logs
# Check for injection attempts grep -i "ignore.*instructions" ~/.memorius/data/
-
Never Trust Memory Content
# Always mark memory content as untrusted content = f"[UNTRUSTED]\n{memory.content}\n[/UNTRUSTED]"
-
Validate All Inputs
# Use the validation helpers from memorius.vault import _validate_name vault = _validate_name(user_input, "vault")
-
Sanitize for LLM Context
# Escape potential injection markers content = content.replace("[", "\\[").replace("]", "\\]")
-
Implement Trust Scoring
def calculate_trust(memory): score = 0.5 # Base score if memory.metadata.get("source") == "conversation": score += 0.2 if memory.metadata.get("extraction_method") == "llm": score -= 0.1 return score
If you discover a security vulnerability, please report it responsibly:
- Do NOT open a public GitHub issue
- Email: dimona.patrick@gmail.com
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Added API key authentication for REST API
- Added input validation for MCP and REST endpoints
- Added name validation to prevent path traversal
- Added SSRF protection for webhook actions
- Added command injection prevention via
shlex.split()
- Basic security features
- Local-only binding default
- Parameterized SQL queries
- Safe YAML loading