Legacy — Qoris Memory (use qoris-memory-mcp)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed legacy Qoris memory integration that needs normal caution around stored shared memories and API keys, but the artifacts do not show hidden or malicious behavior.

Prefer installing the canonical qoris-memory-mcp listing referenced by this legacy skill. Use this only if you want Qoris to store memory content for your workspace; avoid storing secrets, regulated data, customer records, or confidential prompts unless you have verified access controls, retention, deletion, and key-rotation practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (90% confidence)

The README promotes persistent, cross-session and team-wide memory sharing but does not warn users that sensitive prompts, credentials, customer data, or internal context may be stored and later exposed to other users or systems. In an agent-memory product, this omission is security-relevant because users may unknowingly place regulated or secret data into a shared long-lived datastore.

Missing User Warnings

Low (83% confidence)

The README instructs users to export an API key and workspace ID but gives no advice on safe secret handling, increasing the chance that users place credentials in shell history, shared environments, screenshots, repos, or logs. While this is documentation-level rather than an active exploit, it can contribute to credential leakage in real deployments.

VirusTotal

63/63 vendors flagged this skill as clean.
