Auto Memory

Security checks across malware telemetry and agentic risk

Overview

This skill openly provides permanent Autonomys-backed agent memory, but users must treat anything saved as public and effectively irreversible.

Install only if you intentionally want agent memory or files stored on Autonomys in a permanent, public-by-default way. Do not upload API keys, tokens, private keys, personal data, regulated data, confidential documents, or conversation history you may later need deleted unless you have minimized and encrypted it first. Review the exact content and CID before saving or restoring a chain.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding:
The skill explicitly instructs the agent to run shell scripts (`chmod`, `scripts/*.sh`, `npx tsx`) and depends on binaries like `curl`, `jq`, and `file`, yet it does not declare permissions for shell execution. This creates a trust and policy gap: an agent framework may expose shell capabilities without presenting an appropriate consent boundary, increasing the chance of unintended command execution against local files or environment variables.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding:
The documentation presents a misleading security property: it states that CIDs are permanent and data cannot be deleted, while also advertising delete and restore operations for objects. Even if deletion only affects object references or account visibility rather than underlying DSN availability, this ambiguity can cause agents or users to store sensitive data under the false assumption that later deletion semantics are well understood, leading to irreversible exposure.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The trigger conditions are broad enough to match common conversational requests such as 'remember this permanently', 'save memory', 'checkpoint', or 'load history'. In this skill's context, such matches can cause an agent to invoke permanent public storage or reconstruct prior context unexpectedly, which is materially riskier than a benign skill because the action is irreversible and may expose sensitive data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill encourages uploading arbitrary files and saving 'identity, decisions, and context' before prominently warning that storage is permanent and public. In context, this is especially dangerous because users may treat 'memory' as private agent state, while the skill writes it to immutable decentralized storage where sensitive content cannot be revoked once disclosed.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The reference describes public gateway access, publish operations, permanent CIDs, and non-deletable storage without a strong warning against uploading secrets, personal data, or information that must remain revocable. In the context of an agent memory skill that stores decisions, identity, and context, this is especially dangerous because agents may persist highly sensitive state to effectively irreversible, publicly addressable storage, causing long-term confidentiality and privacy loss.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The documentation promotes permanent decentralized storage and easy API-key-based uploads/downloads, but omits an explicit warning that uploaded data is effectively irreversible and may be publicly retrievable or broadly replicated forever. In the context of an agent memory skill, this is especially dangerous because agents may store sensitive prompts, identities, decisions, credentials, or user data, creating a high risk of irreversible privacy leakage and compliance violations.

Missing User Warnings

Severity: Low
Confidence: 90%
Finding:
Referencing AUTO_DRIVE_API_KEY without secure-handling guidance can lead operators or downstream agents to expose the credential in logs, prompts, repositories, or persisted memory. In this skill's context, that risk is amplified because the same system is designed to permanently store agent state, so accidental secret persistence could become effectively undeletable.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The document explicitly encourages storing arbitrary agent memories, decisions, file snapshots, and full history on permanent decentralized storage and even on-chain registries, but it does not warn that this data may be public, irreversible, and unsuitable for secrets, personal data, credentials, or regulated information. In an agent-memory context, this is especially dangerous because agents may automatically persist sensitive context, making confidentiality loss effectively permanent and amplifying downstream privacy, compliance, and secret-exposure risks.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script uploads the provided memory payload to a remote storage service via a helper script, but at the point of transmission it does not emit a clear runtime disclosure or confirmation describing what data is being sent. In an agent-memory skill, the input may contain sensitive prompts, decisions, credentials, or user context, so silent exfiltration to a third-party service materially increases confidentiality risk.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The script prompts for a sensitive API key and then saves it to local configuration files, but the user-facing flow does not clearly disclose that the credential will be persisted on disk in plaintext or a trivially recoverable form. This increases the risk of accidental credential exposure through local file compromise, backups, shared accounts, or permissive file permissions, especially because the skill is explicitly designed for long-lived automated use.

VirusTotal

65/65 vendors flagged this skill as clean.