claw_lance_memory

Security checks across malware telemetry and agentic risk

Overview

This skill provides the memory features it advertises, but it materially under-discloses that remembered content and queries are sent to Zhipu AI and then reused in agent startup context.

Install only if you are comfortable with long-term personal memory being stored locally, sent to Zhipu AI for embedding/search, and injected into future agent startup context. Avoid storing secrets, regulated data, or sensitive personal details; use a dedicated low-privilege API key; review/delete the local memory database regularly; and disable the hook if you do not want memories automatically loaded into sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Intent-Code Divergence
Severity: High
Confidence: 99%
Finding: The privacy section claims '无数据上传' ('no data upload'), but the same document states the system uses Zhipu AI embeddings, which necessarily requires sending memory content or derived text to an external API for embedding generation. This is a material misrepresentation of data flow that can cause users to store sensitive long-term memory under false assumptions, creating significant privacy and compliance risk.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The hook executes an external Python process during bootstrap and supplies inherited environment variables, including an API key, to that subprocess. In a bootstrap hook this is risky because it expands the trusted computing boundary to another script and runtime before the user has visibility, enabling secret exposure, unexpected network access, or execution of modified workspace code.

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: The module sends both stored memory content and user queries to ZhipuAI's remote embedding API via `self.client.embeddings.create(...)`. Because this is a long-term memory component, the data being embedded may include sensitive personal or organizational information, and the file provides no consent flow, scoping, minimization, or documented network disclosure; this makes exfiltration of memory contents to a third party a real security and privacy risk.

Vague Triggers
Severity: Medium
Confidence: 86%
Finding: The documented trigger phrases for automatic memory extraction are very broad ('我喜欢' ('I like'), '我是' ('I am'), '我需要' ('I need'), etc.) and overlap heavily with ordinary conversation. In a long-term memory system, this can cause over-collection of sensitive or contextual statements that users did not intend to persist, increasing privacy leakage and erroneous profiling risk.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The feature list advertises automatic extraction and long-term storage, but does not warn users that ordinary conversation content may be persisted as durable memory. Without upfront disclosure, users may reveal sensitive facts, preferences, or tasks believing they are transient, when the system may retain them across sessions.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The privacy section emphasizes local storage and HTTPS but omits that embedding generation may transmit memory content to an external provider. This incomplete disclosure can mislead users about the true trust boundary and expose sensitive memory data to third-party processing without informed consent.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The documentation explicitly describes storing user messages, preferences, facts, tasks, and profiles in persistent memory, but provides no warning, consent guidance, retention notice, or privacy controls. In a memory-management skill, this omission is risky because integrators may deploy personal data collection by default without informing users, increasing the chance of privacy violations and non-compliant handling of sensitive data.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The FAQ recommends deleting the entire local database with `rm -rf` as the only way to remove memory, but it does not warn that this is irreversible and may erase all stored data. While this is documentation rather than executable code, users may follow it directly and suffer unintended destructive data loss.

Missing User Warnings
Severity: High
Confidence: 97%
Finding: The FAQ states that all data stays local and is never uploaded to any server, but later says embeddings are generated via an external API. This is a misleading privacy/security claim because user memory content or derived text may be transmitted off-device, causing users to expose sensitive data under false assumptions.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The documentation explicitly describes a hook that automatically retrieves user memory from LanceDB and injects it into the agent context at bootstrap. This creates a privacy and data-minimization risk because sensitive prior-session data may be surfaced to the agent without clear user notice, consent, scoping, or retention boundaries, increasing the chance of unintended disclosure or misuse.

Missing User Warnings
Severity: Low
Confidence: 84%
Finding: The environment variable section instructs users to provide an API key but does not warn against hardcoding, logging, or exposing credentials in shared shell history or config files. While the document itself does not leak a secret, missing credential-handling guidance can lead to insecure operational practices and accidental key disclosure.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The installation guide instructs users to persist an API key in ~/.bashrc without warning that shell init files may be readable by other local processes, accidentally committed to dotfile backups, or exposed through shared accounts and support logs. This is not inherently malicious, but it normalizes a less-safe secret handling practice and omits safer alternatives or risk disclosure.

Missing User Warnings
Severity: Low
Confidence: 83%
Finding: The guide tells users to enable a hook that changes application behavior but does not explain what the hook does, when it runs, what data it can access, or how to disable/review it first. In a skill/plugin context, undocumented automatic hooks reduce informed consent and can conceal broader access than users expect.

Missing User Warnings
Severity: Medium
Confidence: 86%
Finding: The guide documents memory add, auto-extract, export, and cleanup operations over user-related content without any privacy, retention, deletion, or consent warning. In a memory skill, these actions directly affect potentially sensitive personal data, so omission of safe-handling guidance can lead to unintended collection, persistence, export, or loss of user information by integrators or operators.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The script interactively collects an API key and then appends it in plaintext to ~/.bashrc, which creates long-term credential exposure on disk without clearly warning the user about persistence or file security implications. Shell startup files are commonly readable by the account owner and may be backed up, synced, or inspected later, increasing the chance of accidental secret disclosure.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: This hook automatically loads long-term user memory from a vector database and injects it into the system prompt during bootstrap, but the description provides no explicit user warning, consent flow, or scope limits. Because system-prompt injection happens before normal workspace context is added, sensitive personal data may be exposed broadly to downstream agent behavior, tools, or prompts without the user realizing it.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The code explicitly forwards ZHIPU_API_KEY into a bootstrap-time subprocess without any user-facing disclosure or strict necessity checks. Passing secrets to subordinate processes increases the chance of accidental logging, exfiltration by a modified script, or misuse by code outside the main trusted component.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: Running a subprocess automatically at bootstrap is security-sensitive because it occurs before normal workspace visibility and can trigger local code execution or indirect network activity without clear notice. In this skill context, the hook claims to inject memory, so hidden execution at startup makes the behavior more dangerous by violating user expectations about when code runs.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The code automatically persists user-derived memories from conversation without any explicit notice, consent, or confirmation step. Because it stores personal preferences, facts, and tasks, it can silently collect sensitive user data and retain it longer than the user expects, increasing privacy and compliance risk.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: `embed_query` transmits arbitrary text directly to an external service without any user-facing warning or runtime confirmation. In a memory system, that text is likely to contain private memories, preferences, tasks, or facts, so silent transfer to a third party can expose sensitive data and violate least surprise and privacy expectations.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The code takes retrieved memory content and appends it directly into the session system prompt, giving stored user data elevated instruction context. If an attacker can poison memory contents, those entries may influence or override model behavior in later sessions, creating a prompt-injection and privacy risk without any disclosure or separation of trusted instructions from untrusted memory.

Ssd 3
Severity: Medium
Confidence: 97%
Finding: The conversation processor automatically extracts and stores plain-language personal facts, preferences, and tasks from all user messages without sensitivity classification, consent checks, or filtering for secrets. In a memory skill, this context makes the behavior more dangerous because the component is specifically designed to accumulate longitudinal user data, which can include employment details, routines, and other sensitive information.

VirusTotal

64/64 vendors flagged this skill as clean.