Memento

Security checks across malware telemetry and agentic risk

Overview

Memento appears to be a legitimate memory plugin, but it needs review because it stores chats by default and has several paths that can send or reuse memory data more broadly than the local/privacy framing suggests.

Install only if you are comfortable with local long-term storage of conversation history and facts. Keep autoExtract and autoQueryPlanning off or use a local Ollama model if data must not leave the machine, disable crossAgentRecall if agents should stay isolated, review migration/deep-consolidation paths before running CLIs, and protect or periodically delete the ~/.engram data store.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (48)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill documentation advertises significant capabilities involving environment variables, networked LLM providers, shell commands, filesystem persistence, and migration workflows, yet there is no explicit permission declaration. That creates a transparency and governance gap: users and policy engines cannot reliably understand or constrain what the skill may access, increasing the chance of unintended data exposure or overbroad execution.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The description emphasizes local, privacy-first memory, but the same file discloses optional transmission of conversation content to external LLM providers, cross-agent data sharing, and broader ingestion/migration behaviors. This mismatch is dangerous because users may enable or install the skill under the false impression that processing is entirely local, leading to inadvertent disclosure of sensitive conversations or memory data.

Description-Behavior Mismatch

Severity: Low
Confidence: 83%
Finding: The design claims to be privacy-first and local, but explicitly allows use of an external LLM API for extraction. That creates a real risk that captured raw conversation segments, including sensitive personal data, are transmitted off-device contrary to user expectations.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The spec establishes content-based visibility classification as the privacy boundary, then later introduces conflicting agent-level defaults and hard-coded exceptions. In a memory-migration feature handling medical records, credentials, and personal data, this ambiguity can cause facts to be stored with overly broad visibility, leading to unintended disclosure across agents.

Intent-Code Divergence

Severity: Medium
Confidence: 99%
Finding: The document explicitly says there is no per-agent defaultVisibility, but the MigrationConfig interface still includes it, creating implementation ambiguity at a security-sensitive trust boundary. Developers may follow the interface instead of the prose and assign visibility by agent, which can misclassify sensitive extracted facts and weaken access controls.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The process instructs insertion using the agent's default visibility even though earlier sections say visibility should be determined independently for each fact by content. In this skill, migrated memory may include credentials and medical information, so an implementation based on this step could store secrets as shared or private and expose them during later recall.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The spec expands a 'local persistent memory' skill into one that sends conversation content and existing facts to an external LLM provider and uses an environment-provided API key. That is a real capability change with privacy and trust implications, especially because the skill metadata says stored data stays local in SQLite, which can mislead users about data egress.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: Using child_process.execSync to invoke a CLI introduces an additional execution surface not described by the skill's stated purpose. If prompts or model values are interpolated unsafely, this can become command injection; even without injection, it broadens the trust boundary and can expose data to external tooling unexpectedly.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: Accessing ANTHROPIC_API_KEY from the environment gives this memory skill access to credentials beyond its advertised local-storage role. In context, this is more dangerous because the skill processes sensitive conversations and the secret enables outbound transmission to a third party.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The migration step expands collection from the active SQLite store to existing memory/*.md files, increasing the volume and sensitivity of data processed by the skill. In a memory plugin, broadening ingestion without clear disclosure or consent raises privacy risk and can pull in legacy notes users did not expect to be reprocessed.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: The roadmap explicitly documents behavior that sends conversation-derived data to external providers and system services, which conflicts with the skill's privacy-first/local-only description. This is dangerous because users may rely on the manifest's privacy claims while the implementation or planned design permits off-device processing, creating informed-consent and data-exposure risks.

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding: The roadmap notes that trust-score work removed the phrase 'Everything stays local' in favor of more honest messaging, while the current skill metadata still presents a strong local/privacy-first claim. This contradiction is a serious transparency problem because it can mislead users into exposing sensitive memory data under false assumptions about storage and processing locality.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The CLI enumerates other likely agent workspaces under the user's home directory and processes any discovered SQLite memory databases, which expands access beyond a single agent's stated 'local persistent memory' scope. In a multi-agent environment this can unintentionally cross security or privacy boundaries by consolidating memories for agents the operator did not explicitly target, exposing metadata and contents from unrelated local workspaces.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The code sends stored fact summaries and up to 200 characters of fact content to Anthropic's external API for relation classification. That directly contradicts the stated privacy model that stored data remains local in SQLite, and it can exfiltrate sensitive memory contents without clear user consent or an explicit opt-in boundary.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The extractor sends raw conversation text to third-party or user-configured LLM endpoints for fact extraction, which is a real data exfiltration/privacy risk. This is especially significant because the skill metadata emphasizes privacy and local SQLite storage, which can mislead users into believing conversation contents never leave the host.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding: The script is explicitly designed to read local memory files and pass their contents into `extractFacts(...)`, which uses external model credentials from environment variables. That creates a real data exfiltration path for potentially sensitive local memory, and it materially conflicts with the product description's privacy-first/local-only framing, increasing the chance that operators will run it without understanding that data leaves the machine.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: This code explicitly retrieves facts from other agents via shared-knowledge APIs (`searchSharedFacts`, `getSharedFactsWithEmbeddings`, `getSharedFactsFromOtherAgents`) and mixes them into recall results. In a skill described as privacy-first local persistent memory for an agent, this broadens data exposure boundaries and can cause unintended information sharing or context leakage across agents if users or integrators assume per-agent isolation.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: `planQuery` sends the raw user query to `runViaOpenClaw`, which may forward conversation-derived content to an LLM service. That behavior is materially different from a privacy-first local-memory expectation, and it can leak sensitive prompts or personal data during recall even though storage remains local.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: This code explicitly implements cross-agent shared fact retrieval and a master knowledge base, which materially expands the trust boundary beyond the stated 'local persistent memory for OpenClaw agents.' In a memory/privacy skill, silent sharing across agents can expose sensitive or private context to unrelated agents and violates user expectations even if all storage remains local.

Description-Behavior Mismatch

Severity: Medium
Confidence: 82%
Finding: The migration comments and schema support for remote JSONL ingest indicate planned or existing ingestion capability that is inconsistent with the advertised local-only memory model. Even without the network code shown here, hidden ingest paths increase attack surface and can enable untrusted external data to be persisted and later surfaced to agents.

Missing User Warnings

Severity: High
Confidence: 96%
Finding: The design describes automatic capture of all messages and storage of raw conversation segments without any consent flow, notice, or scope limitation. In a memory plugin handling potentially sensitive chats, silent collection of raw transcripts materially increases privacy and compliance risk if secrets, medical, financial, or credential data are discussed.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: Automatic pre-turn recall injects stored facts into future agent context without explicit user notice, which can surface old sensitive information unexpectedly. This expands the exposure of stored data beyond archival storage into active prompt context, increasing the chance of unintended disclosure or inappropriate model use of prior personal details.

Missing User Warnings

Severity: High
Confidence: 95%
Finding: Cross-agent sharing into a master knowledge base propagates user-derived facts beyond the original agent boundary without a clear consent model or warning. Even if 'private' data is excluded by design, misclassification, prompt extraction errors, or bad defaults could cause sensitive information to spread across agents and contexts unexpectedly.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The spec explicitly sends conversation text and existing facts to an external LLM for extraction, yet provides no user-facing warning, consent flow, or privacy controls. Because this skill is designed to accumulate long-term memory, the transmitted content may include highly personal, persistent, and cross-session data, making this undisclosed transmission especially risky.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The spec instructs use of an environment API key for a third-party provider without documenting any warning about external service use or credential handling. This creates a transparency gap: users and operators may not realize the skill depends on and can exercise external networked capabilities with sensitive inputs.

VirusTotal

63/63 vendors flagged this skill as clean.