Super Brain

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for local long-term memory, but it also enables always-on profiling and persistent future-session behavior changes that users should review carefully.

Install only if you intentionally want always-on local memory that profiles conversations, preferences, mood, projects, reminders, and decision history. Review or remove the TOOLS.md startup block if you do not want automatic activation, avoid sharing secrets with this skill, and use it cautiously on shared machines or workspaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (42)

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
A memory/personalization skill expands into general multi-agent execution and orchestration, which is a materially different trust boundary. This is risky because users enabling persistent memory may unintentionally also authorize task decomposition, coordination, and broader data sharing across agent contexts.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The skill introduces sub-agent spawning with a shared brain database mount, allowing multiple spawned runtimes to access the same persistent user data. This increases the attack surface and the chance of unauthorized propagation, misuse, or leakage of sensitive cross-session context beyond what a memory skill should require.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding
The document reassures users that data stays local and is not uploaded to the cloud, yet elsewhere describes sharing the same database with spawned sub-agents. Even if technically local, this statement is misleading because it obscures intra-system data exposure and broadens access beyond the primary session.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The schema adds multi-agent tasking, shared outputs, and collaboration logging even though the skill is described as a long-term memory/personalization system. This expands the system's operational scope and creates new data-sharing and coordination surfaces that can enable unintended cross-context data flow, misuse of stored user context, or execution of capabilities users did not consent to.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The schema includes self-evolution logs, skill version history, performance metrics, and an improvement queue, which materially exceeds a memory-focused assistant and introduces infrastructure for behavioral change over time. In a skill handling persistent user data, this is dangerous because it enables system adaptation and capability growth without clear governance, review, or user awareness.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The self_evolution_log explicitly tracks prompt updates, skill creation, knowledge gain, and strategy changes, supporting autonomous self-modification beyond the stated purpose. This is dangerous because it creates a persistence layer for a system to justify, stage, and potentially apply new behavior or code-like changes, which can bypass expected trust boundaries and increase privilege or capability over time.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The maintenance routine deletes shared operational data such as agent outputs and access logs without consistently scoping the action to the supplied user_id. In a long-memory skill, these tables can contain cross-user or system audit information, so overbroad cleanup can destroy records needed for debugging, accountability, incident response, or tenant isolation.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The maintenance flow performs deletion before archiving, even though the script presents the operation as 'cleanup + archive + optimize'. This creates a data-loss condition where records eligible for archival are irreversibly removed before export, defeating retention expectations and potentially eliminating evidence or user history.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The file defines a privacy rule claiming sensitive information should not be stored, but log_decision() persists user_id, full context, reasoning, and ethical_check data directly to SQLite. In a long-memory skill, this creates a strong risk of retaining secrets, personal data, and sensitive prompts despite the stated privacy protections.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding
The privacy rule's trigger_condition contains the sensitive patterns, but apply_constraint() looks for violation['action'].get('patterns', []) instead of the matched trigger patterns. As a result, detected secret-bearing content may be flagged yet left unchanged, causing the system to believe filtering occurred when sensitive text remains intact.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The installer injects persistent startup instructions into TOOLS.md that direct every future session to read USER_ID from the environment and query a local profile database. In the context of a memory/personalization skill, this creates undisclosed cross-session data access and conditions the agent to automatically surface profile data at session start, which increases privacy risk and weakens user consent boundaries.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The design explicitly defines persistent storage of user profiles, projects, reminders, and conversation-derived insights across sessions, but provides no notice, consent flow, retention limits, or privacy safeguards. This creates a real privacy/security risk because sensitive user data can be accumulated and reused indefinitely without the user's informed awareness.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The schema includes emotion, preference, technical-level, decision-pattern, and behavioral profiling fields, which are sensitive in aggregate and can enable invasive personalization or manipulation if misused. The danger is elevated because the design normalizes inferring these traits automatically from routine conversations without any disclosure, validation, or user control.

Vague Triggers

Severity: High
Confidence: 97%
Finding
The automatic trigger conditions are extremely broad, causing the skill to activate during ordinary conversation without a specific user request. In context, activation leads to loading prior user data and enabling persistent collection, so overbroad triggering directly increases the likelihood of non-consensual surveillance-like behavior.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill mandates persistent storage of conversation-derived user data before handling messages, but does not require a clear warning or consent step before activation. Because the stored data includes profile, projects, patterns, and reminders, this creates a significant privacy risk and weakens user autonomy.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The examples normalize creating persistent user profiles, storing insights, and using that data across sessions without showing any notice, consent, retention limits, or user controls. In a memory-oriented skill this creates a real privacy and expectation mismatch risk, because users may not realize their prior conversations are being retained and reused later.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The proactive reminder flow causes the assistant to bring up prior user statements unprompted once a trigger time passes, but the example does not show explicit opt-in for reminders or prior notice that automated follow-up will occur. This can surface sensitive past context unexpectedly, especially in shared devices, multi-user environments, or when the user no longer expects that topic to be remembered.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The workflow explicitly loads and updates user profiles, reminders, project context, and response patterns across sessions, but it does not describe any user notice, consent, or control over that persistence. This creates a privacy and profiling risk because users may be unaware that behavioral and preference data is being retained and reused in later interactions.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The cron workflow performs automated background summarization of all conversations, pattern analysis, and reminder generation without any indication that users are informed or have agreed to such processing. Background processing increases privacy risk because it extends data use beyond the immediate conversation and can create secondary inferences about the user.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script executes irreversible DELETE operations immediately once invoked, with no confirmation prompt, dry-run default, or explicit warning about scope. In a persistent-memory system, this increases the chance of accidental destruction of user history and operational records through misuse, scripting mistakes, or wrong user identifiers.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
Archived database rows are exported to compressed JSON files on disk without any visible disclosure, consent flow, or protection controls. Because this skill handles long-term memory and personalized history, silent export expands the exposure surface for sensitive data beyond the database into filesystem artifacts that may be less protected or overlooked.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
Decision trace logging writes user-linked context and reasoning to disk with no evidence in this file of notice, consent, or opt-in. In a system intended to remember users across sessions, undisclosed persistence increases privacy and compliance risk and can expose sensitive conversational history to local compromise or later misuse.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The script modifies the user's workspace TOOLS.md without prior disclosure, confirmation, or a scoped installation location. Persistently altering a file that can influence future agent behavior is security-sensitive because it changes session instructions and can establish hidden persistence without informed user consent.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The code stores full conversation content to persistent local memory via ChromaDB or SQLite without any consent check, notice, retention control, or minimization in this execution path. In the context of a long-term memory skill that explicitly remembers users across sessions, this can capture sensitive personal data and create privacy and compliance risk if the host machine, database, or logs are accessed by another party.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The core positioning explicitly states that the system should remember service experience across sessions and continuously evolve based on user interactions. Persisting and reusing broad conversational history without clear boundaries, consent, or minimization creates a real data governance and privacy vulnerability, especially if the stored history contains sensitive personal or project information.

VirusTotal

65/65 vendors flagged this skill as clean.