vector-memory

Security checks across malware telemetry and agentic risk

Overview

This memory-search skill is purpose-aligned overall, but it needs review because crafted inputs may execute shell commands or read files outside the intended memory area, and its installer runs downloaded code.

Review carefully before installing. Prefer the ClawHub install or manual reviewed steps over curl-to-bash, avoid using it in sensitive workspaces until command execution and memory_get path validation are fixed, and remember that sync reads local memory files and stores searchable chunks locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (18)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill claims 'zero configuration' and 'works immediately after install,' but the described behavior includes downloading/installing code and dependencies, optional indexing/sync behavior, and model downloads on first embedding use. This mismatch is dangerous because it can mislead users into granting trust to a skill that performs more network, filesystem, and execution activity than the description suggests, reducing informed consent and increasing supply-chain and privacy risk.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The README instructs users to install the skill by downloading and immediately executing a remote script with the shell. That creates a direct arbitrary-code-execution path during installation, and the script is not shown, pinned, or verified. For a memory-search skill, this installation method is unnecessary and expands trust far beyond the stated functionality.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The installer retrieves code from a remote repository, copies it into the workspace, runs npm install, and then executes a Node script. That exceeds a minimal file-copy install and introduces supply-chain and arbitrary code execution risk if the repository or dependencies are compromised.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill exposes capabilities beyond simple memory search: `memoryGet` can read arbitrary workspace-relative files and the CLI also exposes `--sync`, which mutates local state by rebuilding the vector index. This expands the trust boundary beyond the declared purpose and can lead to unintended file disclosure or state-changing behavior being invoked under the guise of a search tool.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
`memoryStatus()` returns the absolute workspace path, which is unnecessary for normal memory-search functionality and leaks environment details. While low severity by itself, exposing filesystem layout can aid reconnaissance and make chaining with other file-access issues easier.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill spawns subprocesses for search and sync using `execSync`, which materially increases capability beyond a simple in-process memory search. This is especially risky because the command is built with string interpolation around user-influenced input (`query`), creating command-injection risk and undisclosed execution behavior.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script advertises itself as '100% local' and 'no API calls', but `pipeline()` may download model artifacts on first use if they are not already cached. This is a real security/transparency issue because users may rely on the claim to make trust or network-isolation decisions, and unexpected outbound fetches can violate policy or leak environment metadata.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
Setting a local cache directory does not guarantee local-only operation; it only controls where downloaded artifacts are stored after retrieval. The misleading comment can cause operators to misunderstand the trust boundary and deploy the skill in restricted environments under false assumptions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs the agent to always search memory before answering questions about prior work, decisions, preferences, and past conversations, but it does not require any user notice, consent, or sensitivity check before accessing potentially private stored content. This can cause the agent to surface sensitive personal or project information unexpectedly, especially when the memory store aggregates notes across conversations and work contexts.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Piping a fetched script directly to `bash` eliminates the user's opportunity to inspect the code and provides no warning about the risks. If the GitHub account, repository, branch, or network path is compromised, the install step becomes an immediate remote execution vector on the user's machine.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The installer deletes a temporary directory and copies files into the user's workspace without prompting or validating whether target paths already exist. This can overwrite existing skill data or workspace content, causing data loss or unreviewed replacement of trusted files.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script downloads repository content, installs npm dependencies, and executes `node vector_memory_local.js --sync` without explicit warning or a review step. That creates a direct path for remote or dependency-sourced code execution on the host during installation.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The README instructs users to fetch a remote script over the network and immediately execute it with bash, which removes the opportunity to inspect the script before running it. If the repository, branch, hosting path, or transport is compromised, users could execute arbitrary code on their machine during installation.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
`memoryGet` joins a caller-supplied `filePath` with the workspace path but does not validate or normalize it to keep access inside `WORKSPACE`. An attacker can supply traversal sequences such as `../../...` to read arbitrary files accessible to the process, which is especially risky in an agent skill handling potentially sensitive local memory and configuration data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs users to configure an OpenAI API key for embeddings but does not disclose that memory contents and search queries may be transmitted to an external third-party service. In a memory system, those inputs can contain sensitive personal, organizational, or proprietary data, so the omission can lead to unintentional data exfiltration and compliance/privacy issues.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
`memoryGet(filePath, from, lines)` joins attacker-controlled `filePath` with `WORKSPACE` and reads the result without constraining it to the intended memory directories. Because `path.join` does not prevent `..` traversal, a caller can read arbitrary files within or potentially outside the workspace root, turning a search helper into a generic file-read primitive.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
`memorySync` performs a subprocess-driven indexing operation that modifies the vector index without any explicit warning, consent boundary, or clear separation from read-only search behavior. In this context, the danger is less about direct exploitation and more about unexpected state changes, resource consumption, and hidden side effects from a tool presented as simple memory search.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The code does not provide a clear user-facing warning or consent checkpoint at the moment model loading may trigger a download. In this skill context, that makes the behavior more concerning because the feature is marketed as zero-configuration and immediately usable, increasing the chance users will trigger network access unintentionally.

VirusTotal

65/65 vendors flagged this skill as clean.