Dogearai Memory

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate DogearAI memory skill, but it needs review because it can automatically send and persist broad user context to an external service with limited consent and scoping.

Install only if you are comfortable with DogearAI receiving and storing durable context from your conversations and projects. Set DOGEAR_TOKEN only for this service, avoid using DOGEAR_BASE_URL unless you fully trust the destination, do not store secrets or regulated data, and review whether the skill offers deletion, retention, and consent controls that match your needs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Tainted flow: 'req' from os.environ.get (line 27, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=30) as r:
            return r.status, r.read().decode("utf-8")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8")
Confidence
92% confidence
Finding
with urllib.request.urlopen(req, timeout=30) as r:

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes a bundled Python script that uses environment variables and network access, but the skill file does not declare those capabilities or present them as permissions/risks. That makes data flow less transparent to users and reviewers, especially because the tool reads a bearer token from the environment and sends user context to an external service.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The public description frames the skill as simple recall/persist of long-term context, but the documented commands also allow enumerating all memory spaces, reading entire spaces, fetching raw originals by memory ID, and potentially redirecting requests via a base-URL override. Those extra capabilities materially expand the data-access and exfiltration surface beyond the narrow summary presented to the user.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README describes automatic recall and saving of user context, but it does not clearly and explicitly warn that this data is transmitted to DogearAI's remote servers for processing and storage. Because the skill is designed to handle durable personal, project, and preference information across tools, users may unknowingly disclose sensitive data to a third party, creating privacy, consent, and data-governance risk.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The recall trigger is phrased broadly around common conversational cues like 'my project' or 'my preferences,' which can cause the agent to contact the external memory service without clear user intent. This increases the chance of unnecessary retrieval of sensitive cross-tool context and surprises users who did not realize a third-party memory system would be queried.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The save guidance tells the agent to persist information whenever it seems 'durable,' which is subjective and likely to over-collect personal or project data. Because the destination is a cross-tool external memory layer, ambiguous triggers create a natural-language path for silently exporting more data than the user expected.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill promotes storing user information across multiple AI tools without an upfront, prominent privacy warning about third-party storage, retention, and cross-context exposure. Users may disclose sensitive preferences, project details, or organizational information believing it remains local to the current conversation when it is actually persisted externally.

Ssd 3

Medium
Confidence
97% confidence
Finding
The instruction 'don't save secrets — unless the user asks' normalizes persistence of secrets into a cross-tool memory system and creates a direct natural-language exfiltration path. Even if user-requested, storing credentials, tokens, or other secrets in a broad retrieval layer raises the chance of later disclosure to other sessions, tools, or unintended prompts.

VirusTotal

64/64 vendors flagged this skill as clean.
