Memory Complete

Security checks across malware telemetry and agentic risk

Overview

This is a local memory database skill with expected persistence; I found no exfiltration, destructive behavior, credential theft, or hidden execution.

Install only if you want a local persistent memory database. Avoid storing passwords, secrets, regulated data, or private conversations unless you are comfortable with them being retained locally, and review the database path plus cleanup/deletion process before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill advertises optional network-capable behavior via Ollama HTTP access and multi-platform integrations, but does not declare corresponding permissions or clearly bound when network access occurs. Hidden or undocumented network capability weakens user consent and review, especially in a memory system that may process sensitive conversational and behavioral data.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The declared purpose is a memory system, but the documentation describes broader surveillance/security-adjacent capabilities such as vulnerability findings, OSINT intelligence, attack chains, tool registration, platform message ingestion, and external embedding calls. This scope expansion increases risk because operators may enable or trust the skill for benign memory use while it handles significantly more sensitive data and higher-risk functions than disclosed.

Description-Behavior Mismatch
Severity: High
Confidence: 95%
Finding: This memory skill creates database tables for security scans, vulnerability findings, OSINT intelligence, and attack chains, which are unrelated to the stated purpose of a general memory system. Embedding offensive-security data structures into a broadly scoped memory component expands the skill's capability surface and can enable storage, organization, and later operational use of reconnaissance or attack planning data in contexts where such behavior is not expected or authorized.

Context-Inappropriate Capability
Severity: High
Confidence: 93%
Finding: The code provisions schema elements for reconnaissance and attack-chain tracking inside a memory skill, creating context-inappropriate offensive capability. Even without active scanning code in this file, these structures normalize and support collection of targeting data and exploit workflow artifacts, making misuse easier and harder to detect once integrated into an agent environment.

Description-Behavior Mismatch
Severity: Medium
Confidence: 92%
Finding: The schema creates tables for security scans, vulnerability findings, OSINT intelligence, and attack chains, which materially exceed the stated purpose of a 'memory system'. Even though this file only initializes a database and does not itself perform offensive actions, embedding this capability area into the skill broadens the system's scope and normalizes storage for potentially sensitive reconnaissance and exploitation data.

Context-Inappropriate Capability
Severity: High
Confidence: 96%
Finding: Including first-class support for security scanning, vulnerability tracking, OSINT, and attack-chain data in a skill presented as a memory system is a strong scope mismatch. In context, this can enable covert repurposing of the skill for reconnaissance or offensive planning, especially because the schema explicitly models targets, scan types, findings, and attack chains.

Intent-Code Divergence
Severity: Medium
Confidence: 97%
Finding: The verification script performs a write operation by inserting a test memory into the production database during what is presented as a validation step. This is dangerous because verification is expected to be non-destructive; unexpected writes can pollute data, trigger side effects, alter audit trails, and create integrity problems in a memory or security-oriented system.

Intent-Code Divergence
Severity: Medium
Confidence: 97%
Finding: A script presented as installation verification performs a state-changing write by calling system.add_memory(...), which modifies the production database. This is dangerous because operators may run it expecting a read-only health check, causing unintended data pollution, side effects in downstream workflows, or triggering any write-time hooks implemented by the memory system.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The README advertises a memory system, diary-writing, and persistent storage backends (SQLite and LanceDB) but does not warn users that potentially sensitive prompts, diary entries, or inferred data may be stored locally. In an agent skill context, this can mislead operators into feeding personal or confidential content into a system that persists it by default, increasing privacy, retention, and accidental disclosure risk.

Missing User Warnings
Severity: Low
Confidence: 80%
Finding: Mentioning optional local embeddings without explaining how text is sent to the embedding component, what model runs, and what data is processed leaves users unable to assess privacy implications. Even when embeddings are local, users should know whether raw content, derived vectors, or metadata are retained and whether any external model downloads or network access occur.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The skill stores memories, diaries, beliefs, emotional inferences, and related context without presenting clear warnings about sensitive personal, behavioral, and inferential data retention. In a memory system, this omission is dangerous because users may unknowingly persist intimate or regulated data, expanding privacy, insider-risk, and breach impact.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The code persists episodic memory content to a local SQLite database with no consent flow, disclosure, minimization, or retention controls visible in this component. If the stored content includes user prompts, personal data, secrets, or internal system context, this creates a privacy and data-governance risk because sensitive information may be retained unexpectedly and later exposed through local compromise, debugging, backups, or secondary features that read the database.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The emotion detection path stores the full raw user text as the `cause` field in `tom_emotions`, which can capture sensitive personal data, secrets, or regulated information without any minimization, consent, retention control, or disclosure in this code path. In a memory system, persistent storage of free-form user input increases privacy risk because highly sensitive conversational content may be retained and later exposed through database compromise, debugging, backups, or unintended internal access.

VirusTotal

67/67 vendors flagged this skill as clean.