Thought-Retriever

Security checks across malware telemetry and agentic risk

Overview

This memory skill broadly does what it claims, but it sends conversation and stored-memory content to an external LLM using an embedded API key and keeps long-term records without clear controls.

Review before installing. Use it only if you are comfortable with conversation content and stored memories being sent to the declared external LLM provider and saved locally. Replace or remove the hard-coded API key, require explicit opt-in for post-turn capture, and add controls to redact, inspect, delete, or disable stored memories before using it with sensitive work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The function sends raw user_query and generated_answer to a third-party LLM endpoint for thought extraction, which creates an external data disclosure path for potentially sensitive conversation content. Because there is no manifest or visible consent mechanism, this transfer is not clearly justified or disclosed, making it a real privacy and data-handling vulnerability rather than an implementation detail.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The similarity function transmits both current user input and stored ontology Thought content to an external LLM service, exposing accumulated memory data over the network. This is especially risky because persistent memory may contain distilled sensitive information from many prior conversations, so each similarity check can leak historical data beyond the immediate session.

Intent-Code Divergence

Severity: Medium
Confidence: 87%
Finding
The comments describe step 2 as being recorded only locally, but the implementation later sends the generated answer to an external LLM for extraction. This mismatch is dangerous because it can mislead reviewers, operators, or users about where data goes, undermining informed consent and safe deployment decisions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill explicitly supports registering as a post-turn hook that automatically runs after every conversation, but the documentation does not warn users that conversation-derived content will be persisted into long-term memory. This creates a meaningful privacy and consent risk because users may unknowingly have prompts, answers, and inferred 'Thoughts' stored across sessions.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The code exports user queries and generated answers to an external LLM service without any visible user-facing notice, consent, or configuration guard. In a memory-oriented skill, these fields may contain secrets, personal data, or proprietary content, so undisclosed transmission materially increases privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill persists extracted Thought entities derived from conversations into long-term storage, including content and part of the originating query, without any explicit disclosure or consent flow. This creates hidden retention of user-derived information and can amplify harm if the memory store is later accessed, searched, or transmitted.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The skill documents persistent storage of user queries and conversation-derived content in the ontology store, including natural-language content that may contain sensitive or identifying information. Because this memory is designed for later retrieval and reuse by other components, retained data can leak across tasks, users, or future prompts if not properly minimized and isolated.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The extraction workflow semantically distills user queries and answers into reusable 'thoughts' that are then retained, creating a durable derived-data channel for sensitive user information. Even if raw text is shortened or transformed, the stored summaries can still preserve private, proprietary, or security-relevant content in a form that is easier to reuse and harder for users to notice.

Ssd 3

Severity: Medium
Confidence: 93%
Finding
The design narrative explicitly treats each conversation as input for long-term memory creation, which normalizes broad retention rather than limiting storage to exceptional, consented cases. In context, that makes privacy risk systemic: the whole workflow is oriented toward persisting user-derived content, increasing the chance of overcollection and later disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.