Memory Graph

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent about building a persistent local memory graph, but it gives agents broad durable access to personal context and contains unsafe command and HTML handling that should be reviewed before installation.

Install only if you are comfortable letting agents create, read, and update a persistent personal memory folder at ~/memory. Do not store secrets or highly sensitive personal data in it without extra rules. Review or patch the shell execution and HTML escaping issues before using QMD, auto-commit, or graph visualization with untrusted memory content, and be cautious opening generated graph HTML.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The trigger language is broad enough to match ordinary conversation such as 'remember this' or general context-seeking requests, which may activate persistent storage behavior unexpectedly. In a skill that writes long-lived personal knowledge, overbroad activation increases the risk of silently storing sensitive user data without clear intent or consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill instructs agents to write to a persistent personal knowledge store and activity log, but it does not require an explicit warning or consent step before modifying user data. Because the store is durable, human-browsable, and shared across agents, accidental persistence of secrets, private conversations, or incorrect facts can have lasting privacy and integrity consequences.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding:
The HTML demo pulls D3 from a third-party CDN at runtime without integrity pinning or any user disclosure. If the CDN is unavailable, blocked, or serves a tampered script, the page executes untrusted code in the page context, which is a real supply-chain risk even though this file is only a demo visualization.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
This script assembles and prints the full content of a requested memory node plus recent log lines that mention it, which can include sensitive personal, project, or relationship data. In the context of a persistent personal knowledge graph skill, that creates a real confidentiality risk because downstream agents or users may receive more data than necessary, and there is no redaction, sensitivity filtering, consent prompt, or least-privilege scoping before disclosure.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
This generated HTML inserts database-backed fields such as title, tags, path, and relation type into the page using string concatenation and innerHTML. Because the memory graph stores user-controlled markdown/YAML-derived content, a crafted value containing HTML or script can execute when graph.html is opened, creating a stored XSS issue in a local but highly sensitive personal knowledge base viewer.

VirusTotal

66/66 vendors flagged this skill as clean.