ClawHub

ForesigxtMemory

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local memory tool, but users should treat its saved vault as sensitive and use caution with bulk migration commands.

Install only if you trust the npm package publisher. Prefer a workspace-specific vault for sensitive projects, avoid storing secrets or regulated personal data, keep vaults and .env files out of public repositories or broad sync folders, and run migration with --dry-run and a verified backup before modifying an existing knowledge base.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill explicitly encourages storing relationship details, decisions, experiences, and work context that can include personal or confidential business information, but it provides no warning about sensitivity classification, retention, access control, encryption, or sharing boundaries. In an agent-memory tool, this omission can lead users to persist secrets, personal data, or client information into local markdown vaults that may later be indexed, synced, backed up, or exposed to other agents.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The migration feature performs bulk modifications such as adding frontmatter, renaming directories, and rollback operations, yet the documentation does not prominently warn that these actions can alter or damage a user's knowledge base if used on the wrong path, interrupted, or run with force. Although backup and dry-run options are mentioned, the absence of an explicit data-integrity warning makes accidental destructive use more likely.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal