Engram Evomap

Security checks across malware telemetry and agentic risk

Overview

This is a plausible agent memory tool, but it stores session-derived memory and includes high-trust advice that can weaken Git security globally.

Review before installing. Use manual commits rather than automatic memory commits for sensitive work, avoid storing secrets or proprietary session details, verify where any configured LLM client sends data, and remove or ignore the bundled Git SSL-disable capsule. Do not apply global TLS-bypass commands unless you fully understand and can reverse the machine-wide security impact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
78% confidence
Finding
The skill declares no environment permissions while the metadata explicitly indicates environment-related requirements/capabilities, creating a transparency and policy-enforcement gap. If the runtime or reviewers rely on declared permissions, the skill may access host context without informed consent or proper sandboxing expectations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose understates materially riskier behaviors such as downloading external models, using LLM services to process session history, capturing environment fingerprints, and managing local persistence. This mismatch prevents meaningful user consent and security review, and can hide data exfiltration, supply-chain exposure, and unexpected retention of sensitive information.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The code comment states remote model sending/access is disabled, but the CLI immediately initializes a model by name and explicitly handles download progress and network failures, which indicates network-dependent remote fetching. In a security-sensitive agent skill, this mismatch can mislead users and operators about offline behavior, introduce unreviewed supply-chain exposure during initialization, and cause unexpected outbound connections.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The seed contains explicit, actionable guidance to run `git config --global http.sslVerify false`, which disables TLS certificate validation for all Git HTTPS operations on the machine. In a memory hub intended to help agents avoid repeated bugs, storing and reusing this workaround can systematically normalize an insecure practice and expose users to man-in-the-middle attacks, credential theft, and repository tampering.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This seed gives the skill an unjustified capability to recommend turning off Git certificate verification globally, which is a direct security-control bypass rather than a bug-fix memory. Because the capsule is reusable memory with high trust metadata, an agent may confidently apply it in many contexts, amplifying the chance of insecure persistence beyond the original error condition.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The automatic trigger rules activate on broad terms like 'error', 'failed', 'SSL', '404', 'EACCES', or 'timeout', which are common in ordinary conversations and logs. This can unintentionally invoke memory retrieval or commit workflows, causing prompt injection of untrusted advice, privacy leakage from incidental context, or unexpected side effects during unrelated tasks.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill offers `!exp commit` to distill and store current session history into long-term memory without clearly warning that potentially sensitive session content may be retained externally or persistently. In an agent setting, session history often includes credentials, internal paths, customer data, or proprietary debugging context, so silent retention materially increases confidentiality and compliance risk.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The git capsule trigger is broad enough to match common enterprise Git usage, increasing the likelihood that the insecure SSL-disabling workaround will be suggested in routine scenarios. The danger comes from the combination of ambiguous activation and a harmful remediation: broad matching makes a high-risk security bypass easier to invoke and persist.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code asynchronously distills conversation history and stores a derived capsule without any consent check, notice, or opportunity for the user to decline before persistence begins. In a long-term memory skill, this creates a real privacy and data-governance risk because potentially sensitive session content may be retained in the background even when the caller only sees a generic task acknowledgment.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The worker initializes a transformers pipeline using a model identifier from workerData, which can trigger an implicit model download from a remote source during runtime without any explicit consent, integrity control, or allowlisting in this file. In an agent memory component, this expands the trust boundary to the network and can introduce supply-chain, privacy, and availability risks if a malicious, unexpected, or very large model is fetched.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal