Memory System Complete

Security checks across malware telemetry and agentic risk

Overview

This is a local memory database skill with some documentation and privacy caveats, but I found no artifact-backed deception, exfiltration, credential access, or destructive behavior.

Install only if you are comfortable with a local persistent memory database. Keep Ollama configured to localhost for sensitive data, back up the database before running verification or relation-detection workflows, and avoid storing secrets unless you add your own retention and access controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Intent-Code Divergence (Medium severity, 91% confidence)
The release notes contain contradictory statements about whether sample or test data is automatically created. In a memory system handling potentially sensitive user data, this inconsistency can mislead users about initialization behavior, creating privacy, data-contamination, and trust risks if example records are inserted unexpectedly.

Description-Behavior Mismatch (Medium severity, 89% confidence)
The skill scope expands into broad factor inference and genetic-neuron simulation capabilities that are unrelated to core memory storage and retrieval. Such scope creep increases attack surface, complicates review, and makes it easier to hide risky processing behind a benign memory-management label.

Intent-Code Divergence (High severity, 91% confidence)
The documentation claims all memory data remains local and is not uploaded, yet it also advertises multi-query network search and local model service connectivity. This contradiction can mislead users about data exposure and may cause sensitive memory contents or derived queries to leave the local environment unexpectedly.

Description-Behavior Mismatch (Medium severity, 93% confidence)
The script is presented as an automatic relation detector, but its main workflow both infers and immediately persists new relations into the SQLite database. In a memory system, silent writes based on weak heuristics can corrupt or poison stored knowledge, create inaccurate links at scale, and make downstream reasoning depend on unreviewed generated data.

Description-Behavior Mismatch (Medium severity, 90% confidence)
The embedding helper transmits arbitrary input text to an HTTP service at the configured Ollama endpoint. Even though the default target is localhost, this still exports potentially sensitive memory content outside the core process boundary and the base_url is configurable, so the data could be sent to a remote host without additional safeguards or disclosure.

Context-Inappropriate Capability (Medium severity, 96% confidence)
Semantic search iterates over stored memories and sends each memory's title and content to the embedding service for processing. This broadens exposure from user queries to the entire memory corpus, which is risky if the memory store contains secrets, personal data, or proprietary information, especially because the endpoint may be reconfigured away from localhost.

Description-Behavior Mismatch (Medium severity, 87% confidence)
This module does more than infer mental state in memory: it opens a shared SQLite database and creates persistent tables for beliefs, intents, and emotions. In a memory-system skill, persistent storage may be expected, but storing user-model data on disk increases privacy and retention risk if users are not informed, data is over-retained, or the database is accessible to other components.

Intent-Code Divergence (Medium severity, 95% confidence)
The script is labeled as an installation verification tool, but it performs real save, update, and delete operations against the live memory database. Even though it deletes the test record afterward, verification scripts should not mutate production data because failures, crashes, or unexpected side effects in the underlying module can leave residual data or trigger unintended automation.

Missing User Warnings (Medium severity, 89% confidence)
The document advertises Theory of Mind, emotion detection, intent inference, and memory retrieval capabilities that can process highly sensitive personal and behavioral data, but it provides no warning, consent notice, data handling limits, or privacy guidance. In a memory-system skill, this omission increases the chance that deployers will collect or infer personal attributes without appropriate transparency or safeguards, creating privacy, compliance, and misuse risks.

Missing User Warnings (Medium severity, 92% confidence)
The document describes persistent storage of memories, retrieval history, ingestion cache, and deep research data, but provides no privacy notice, retention policy, consent guidance, or warnings about sensitive data handling. In a memory-system skill, these features can accumulate personal or confidential information over time, increasing the risk of unintended collection, over-retention, and privacy harm.

Missing User Warnings (Medium severity, 83% confidence)
The README instructs users to initialize and force-reinitialize the local database but does not clearly warn that these operations can modify, overwrite, or destroy persisted memory data. In a skill centered on long-term memory storage, omission of data-loss warnings increases the chance of accidental destructive actions by users or agents following setup/troubleshooting steps.

Missing User Warnings (Medium severity, 91% confidence)
The manager automatically inserts detected relations into the database without user confirmation, warning, or review, even though detection is based on simple keyword and similarity matching. In this skill context, that is more dangerous because the component operates on a persistent memory store, so erroneous or adversarially crafted memory content can cause durable data poisoning and relationship inflation.

Missing User Warnings (Medium severity, 89% confidence)
When configured with use_ollama, the system sends memory content and search queries to an external HTTP embedding service without any explicit consent, disclosure, or transport-security guarantees. Because this module manages potentially sensitive memory data, silent network transmission can leak private information to another process, host, or intercepted channel.

Missing User Warnings (Medium severity, 88% confidence)
The code sends text content to a local HTTP service without any explicit warning, consent flow, or policy check. Users or operators may reasonably assume memory content stays within the memory system, but this implementation forwards it to another service, creating an information exposure risk and an auditability gap.

Missing User Warnings (Medium severity, 91% confidence)
The emotion detection path stores raw user text as the 'cause' in the local database, which can include sensitive personal data. Because this is persisted without any visible disclosure, minimization, or protection in the code, compromise of the database or unintended reuse by other modules could expose private user content.

Missing User Warnings (Medium severity, 89% confidence)
Belief updates persist user-related attributes such as entity, belief type, content, confidence, and evidence to disk. In the context of a memory system, this behavior is plausible, but without notice, consent, minimization, or lifecycle controls it creates a privacy vulnerability through silent profiling and long-term retention of user data.

Missing User Warnings (Medium severity, 86% confidence)
The test routine performs real state-changing operations against the configured memory system by saving, searching, retrieving, and deleting a record. In a memory/knowledge system skill, this is more sensitive because running installation verification can modify a live datastore, trigger side effects, or leave residual data if cleanup fails, all without explicit opt-in or isolation.

VirusTotal

67/67 vendors flagged this skill as clean.