Rapport Memories

Security checks across malware telemetry and agentic risk

Overview

This memory-search skill is coherent, but it handles sensitive long-term agent memory with weak privacy controls and unclear trust boundaries around embeddings.

Install only if you intentionally want this agent to build a persistent searchable memory index. Use a trusted local Ollama endpoint, review memory files before indexing, avoid storing secrets or personal data in those files, prefer building the Docker image yourself, and be prepared to delete /workspace/.rapport-memories and any added /workspace/memory entries when you want the data removed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence: 91%
Finding
The README explicitly documents a command that writes new files into the mounted workspace (`/workspace/memory/...`) but does not clearly warn users that running the skill modifies persistent project data. In an agent-skill context, unclear documentation around write behavior can lead to unintended filesystem changes, polluted repos, or accidental persistence of sensitive/generated content.

Missing User Warnings

Medium
Confidence: 89%
Finding
The README states that embeddings are generated using an Ollama server and even defaults `OLLAMA_HOST` to `http://host.docker.internal:11434`, but it does not clearly warn that memory content is transmitted to that configured service for processing. Because the skill indexes persistent memories, this can expose sensitive historical notes, credentials that sanitization misses, or other confidential workspace content to another service endpoint.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill proposes indexing session transcripts and reusing retrieved history to augment future prompts, but the disclosure is too vague about retention and reuse of prior conversation content. This creates a real privacy and data-governance risk because sensitive or user-derived information may be embedded, persisted in a vector store, and later surfaced in unrelated responses despite the claimed sanitization.

Missing User Warnings

Medium
Confidence: 93%
Finding
The code sends both indexed memory chunks and user search queries to the Ollama embeddings endpoint via HTTP without any consent gate, warning, or trust boundary enforcement. Even if the default target is localhost, the host is configurable through OLLAMA_HOST, so sensitive workspace memory can be transmitted to a remote service or captured by a local-but-untrusted embedding server.

Ssd 3

Medium
Confidence: 90%
Finding
The skill indexes broad workspace memory files, stores cleaned content in SQLite/Chroma, and later returns raw matching chunks and recent context in plain text. Its sanitization is heuristic and incomplete, so sensitive information may remain stored and be resurfaced to future prompts, users, or logs, creating durable cross-session data exposure within a memory system whose purpose is to retain and retrieve context.

VirusTotal

65/65 vendors flagged this skill as clean.