Agent Memory System

Security checks across malware telemetry and agentic risk

Overview

This memory skill is mostly purpose-aligned, but it needs Review because it can install recurring scheduled jobs and perform under-scoped local file changes.

Install only if you want persistent local agent memory and scheduled maintenance. Review install.sh before running it, check crontab afterward, avoid storing secrets or sensitive personal details in memory files, and do not run extract-skill.sh with path-like or untrusted lesson or skill names.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding: The script's primary purpose is to extract a lesson into a new skill package, but it also edits the source lesson file in place by changing status metadata and adding a skill path. This creates hidden side effects that can surprise users, corrupt source records, or alter workflow state without explicit consent, especially in automation or when run against shared content.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding: The skill describes automatic file movement, log generation, and scheduled maintenance but does not prominently warn that it will modify local data on an ongoing basis. This creates a transparency and consent problem: users may not realize files are being archived or rewritten later via unattended jobs, increasing the risk of data loss, confusion, or misuse.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The installer automatically appends recurring cron jobs to the user's crontab without an explicit opt-in prompt immediately before making that persistent change. This creates persistence on the host and may surprise users, especially because the scheduled scripts execute later and can continue operating after the install session ends.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: If the destination skill directory already exists, the script removes it recursively with rm -rf after only a generic overwrite prompt. Because SKILL_NAME is user-controlled and not constrained to a safe basename, an operator can accidentally target an unexpected path under the skills directory and irreversibly delete existing data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script silently edits the original lesson file after creating the skill package, without warning the user during normal successful execution. In a memory-management skill, source lessons are likely valuable records, so unannounced metadata rewrites can damage auditability, trigger unintended state transitions, or break downstream tooling that relies on lesson content remaining unchanged unless explicitly approved.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content (excerpt from the installer; comments translated from Chinese):
else
        # add the cron jobs
        (
            crontab -l 2>/dev/null || true
            echo "# agent-memory-system - run GC early every Sunday morning"
            echo "0 0 * * 0 $GC_SCRIPT >> $LOG_DIR/memory-gc.log 2>&1"
            echo "# agent-memory-system - nightly reflection"
Confidence: 95%
Finding: crontab -l

VirusTotal

66/66 vendors flagged this skill as clean.
