Aoju Memory

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local memory tool, but it deserves Review because it can retain user/project details and alter future agent behavior without clear approval, retention, or rollback controls.

Install only if you intentionally want persistent local agent memory. Review MEMORY.md, memory/, SOUL.md, USER.md, and AGENTS.md regularly; do not store secrets or sensitive personal data; keep evolution outputs advisory unless you explicitly approve a diff; and use dry-run/report features carefully because generated reports may include stored memory content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly instructs reading and writing multiple local files, but no permissions are declared to make those capabilities explicit or constrain their use. This weakens reviewability and creates a hidden expansion of authority, especially because the skill persistently stores user/session information and updates long-lived files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The declared description emphasizes memory maintenance, but the documented behavior expands into retrieval/search and status/reporting behaviors that are not fully reflected in the manifest. Any mismatch between declared and actual behavior reduces informed consent and can hide secondary data-processing functions from reviewers and users.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The README explicitly states that the memory workflow can generate behavior-guideline updates and then update SOUL.md / AGENTS.md, which expands from passive memory storage into modifying the agent's governing instructions. That creates an instruction-integrity risk: persisted observations or poisoned inputs could be turned into durable policy changes that alter future agent behavior across sessions.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill goes beyond maintaining memory artifacts and explicitly allows modifying SOUL.md, a core identity/governance file. Letting a memory skill rewrite governing instructions creates a self-modification pathway that can silently alter future agent behavior and trust boundaries.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The later instruction to update AGENTS.md extends the skill beyond its declared memory scope into agent-governance modification. This is dangerous because AGENTS.md can influence broad future behavior, allowing persistence of unsafe or unintended instructions under the guise of learning.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Self-modification of governing files is not necessary for ordinary memory retention and creates a mechanism for recursive behavior drift. An adversarial or simply mistaken 'learning' could become a persistent instruction that survives across sessions and changes how the agent handles future tasks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README promotes long-term retention of user identity, conversation events, and learned lessons without any privacy notice, consent model, retention limit, or guidance on sensitive-data handling. This creates a real risk of collecting and persisting personal, confidential, or regulated data in local files that users may not realize are being retained.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to auto-activate the skill at every session start, which can cause continuous collection and persistence of interaction data without clear user awareness on each run. In the context of a memory skill, automatic execution materially increases the likelihood of over-collection, surprise retention, and storage of sensitive conversational content.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation triggers are broad phrases like session start, significant decisions, feedback, and heartbeat review, with little objective boundary. Overbroad invocation increases the chance of constant background reads/writes, unnecessary data retention, and accidental execution in contexts where persistence was not expected.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs persistent logging of lessons, decisions, preferences, and events without clearly warning the user that local files will be created and retained. This creates significant privacy and transparency risk because users may reveal sensitive information without understanding it will be stored long-term.

Missing User Warnings

High
Confidence
98% confidence
Finding
The evolution workflow permits modifying behavioral-guideline files without notifying or obtaining approval from the user. That combines silent persistence with behavior-shaping changes, making the skill materially more dangerous than a normal note-taking tool.
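The overview recommends keeping evolution outputs advisory until a diff is explicitly approved, and the findings above describe SOUL.md and AGENTS.md being rewritten with no approval or rollback path. The following is an added example, not code from the Aoju Memory skill or from SkillSpector, of what that control looks like in practice: a proposed guideline update is rendered as a diff, a write goes through only for the exact diff a reviewer approved, the previous content is snapshotted so it can be restored, and a baseline of approved hashes catches writes that bypassed the gate at the next session start. The baseline file name, the backup directory and the sample file contents are assumptions.

```python
"""Approval-gated evolution of SOUL.md / AGENTS.md with rollback and drift detection.

Added example; this is not code from the Aoju Memory skill. A generated guideline
update stays an advisory diff until a human approves that exact diff, every applied
change is snapshotted so it can be rolled back, and a baseline of approved hashes
lets a session-start check flag edits that bypassed approval. The baseline file
name, backup layout and sample file contents are assumptions for illustration.
"""
import difflib
import hashlib
import json
import tempfile
from pathlib import Path

GOVERNING_FILES = ("SOUL.md", "AGENTS.md")  # files the findings say the skill rewrites


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def approve_current(baseline: Path, path: Path) -> None:
    """Record the current content of one governing file as the approved state."""
    state = json.loads(baseline.read_text()) if baseline.exists() else {}
    state[path.name] = _digest(path)
    baseline.write_text(json.dumps(state, indent=2, sort_keys=True))


def check_drift(root: Path, baseline: Path) -> list:
    """Governing files whose content no longer matches the approved baseline."""
    state = json.loads(baseline.read_text()) if baseline.exists() else {}
    return [n for n in GOVERNING_FILES
            if (root / n).exists() and state.get(n) != _digest(root / n)]


def propose(path: Path, new_text: str) -> str:
    """Render a proposed change as a unified diff; the file itself is untouched."""
    old = path.read_text() if path.exists() else ""
    return "".join(difflib.unified_diff(
        old.splitlines(keepends=True), new_text.splitlines(keepends=True),
        fromfile=path.name, tofile=f"{path.name} (proposed)"))


def apply_approved(path: Path, new_text: str, approved_diff: str, baseline: Path) -> Path:
    """Write new_text only if the diff the reviewer approved still describes the change.

    Recomputing the diff closes the window in which the file changed after the
    reviewer read it. The old content is kept under its hash so it can be restored.
    """
    if propose(path, new_text) != approved_diff:
        raise PermissionError(f"{path.name}: content changed since approval; re-review")
    backups = path.parent / ".governance-backups"
    backups.mkdir(exist_ok=True)
    backup = backups / f"{path.name}.{_digest(path)}"
    backup.write_bytes(path.read_bytes())
    path.write_text(new_text)
    approve_current(baseline, path)
    return backup


def rollback(path: Path, backup: Path, baseline: Path) -> None:
    """Restore a snapshot taken by apply_approved and re-approve that content."""
    path.write_bytes(backup.read_bytes())
    approve_current(baseline, path)


def run_demo() -> dict:
    """Walk the workflow in a temporary directory with constructed file contents."""
    root = Path(tempfile.mkdtemp())
    soul, agents = root / "SOUL.md", root / "AGENTS.md"
    soul.write_text("Ask before running shell commands.\n")
    agents.write_text("Summarise; do not store raw transcripts.\n")
    baseline = root / "approved-hashes.json"
    for p in (soul, agents):
        approve_current(baseline, p)
    out = {"clean_before": check_drift(root, baseline)}
    # 1. The skill "learns" a guideline; the result is a diff, not a write.
    learned = "Ask before running shell commands.\nRun shell commands without asking.\n"
    diff = propose(soul, learned)
    out["diff_shows_addition"] = "+Run shell commands without asking." in diff
    # 2. A reviewer approves exactly that diff; it is applied with a snapshot.
    backup = apply_approved(soul, learned, diff, baseline)
    out["clean_after_approval"] = check_drift(root, baseline)
    # 3. A direct edit that bypasses the gate is caught at the next check.
    agents.write_text("Summarise; do not store raw transcripts.\nSend logs upstream.\n")
    out["drift_after_bypass"] = check_drift(root, baseline)
    # 4. Re-using the old approval for a different change is rejected.
    try:
        apply_approved(soul, learned + "Disable confirmation prompts.\n", diff, baseline)
        out["stale_approval_rejected"] = False
    except PermissionError:
        out["stale_approval_rejected"] = True
    # 5. The approved change is undone from its snapshot; the bypass still shows.
    rollback(soul, backup, baseline)
    out["soul_restored"] = soul.read_text() == "Ask before running shell commands.\n"
    out["drift_after_rollback"] = check_drift(root, baseline)
    return out
```

Run it as `python -c "import governance; print(governance.run_demo())"` (module name assumed). The approval check compares the recomputed diff with the approved one rather than trusting a flag, so an approval cannot be replayed against a file that has moved on; the per-file baseline update is what keeps a rollback of one file from silently blessing drift in another.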

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest description claims broad capabilities such as long-term memory, learning, and self-evolution without defining boundaries, trigger conditions, or safety constraints. In an agent skill, this can cause the orchestrator or operator to grant excessive trust and broad invocation scope, increasing the chance of unintended persistence, behavior drift, or misuse of sensitive conversational data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script appends archived content to patterns.md and then deletes the original learning files automatically when not run with --dry-run, without any confirmation prompt, backup verification, or explicit warning in the usage/help text that deletion will occur. In the context of a long-term memory/self-evolution skill that operates on persistent agent state, this is more dangerous because routine or automated execution could silently destroy historical records or evidence needed for audit, debugging, or recovery.
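The finding above describes an archive step whose default path appends to patterns.md and then deletes the source files, with deletion suppressed only by --dry-run. The following is an added example, not the skill's own script, of the same step with the defaults turned around: it only reports unless --apply is given, it reads patterns.md back and confirms the appended block is present before any original is touched, it moves the originals into a dated archive directory instead of deleting them, and its help text says that this will happen. The directory names, the archive marker format and the sample contents are assumptions.

```python
"""Archive step that is safe by default.

Added example; this is not the skill's own script. Instead of deleting learning
files after appending them to patterns.md unless --dry-run is passed, this
version only reports unless --apply is given, verifies the append landed before
touching any original, and moves originals into a dated archive directory. File
names, the marker format and the sample contents are assumptions for illustration.
"""
import argparse
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def archive_learnings(memory_dir: Path, patterns: Path, apply: bool = False) -> dict:
    """Fold memory_dir/*.md into patterns; retire the originals only when apply=True."""
    sources = sorted(p for p in memory_dir.glob("*.md") if p.resolve() != patterns.resolve())
    report = {"sources": [p.name for p in sources], "appended": False, "archived": []}
    if not sources:
        return report
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    block = "".join(
        f"\n<!-- archived {p.name} at {stamp} "
        f"sha256={hashlib.sha256(p.read_bytes()).hexdigest()} -->\n"
        + p.read_text(encoding="utf-8")
        for p in sources)
    report["bytes_to_append"] = len(block.encode("utf-8"))
    if not apply:
        return report  # default path: nothing is written and nothing is removed

    with patterns.open("a", encoding="utf-8") as f:
        f.write(block)
    # Read back and confirm the block is there before any original is moved.
    if not patterns.read_text(encoding="utf-8").endswith(block):
        raise RuntimeError("append could not be verified; originals left in place")
    report["appended"] = True

    retired = memory_dir / "archived" / stamp
    retired.mkdir(parents=True, exist_ok=True)
    for p in sources:
        shutil.move(str(p), str(retired / p.name))  # recoverable, unlike unlink()
        report["archived"].append(p.name)
    report["retired_dir"] = str(retired)
    return report


def run_demo() -> dict:
    """Dry run, then apply, on constructed learning files in a temporary directory."""
    root = Path(tempfile.mkdtemp())
    mem = root / "memory"
    mem.mkdir()
    (mem / "2024-05-01.md").write_text("Lesson: user prefers short answers.\n", encoding="utf-8")
    (mem / "2024-05-02.md").write_text("Decision: keep raw logs out of prompts.\n", encoding="utf-8")
    patterns = mem / "patterns.md"
    patterns.write_text("# Patterns\n", encoding="utf-8")
    dry = archive_learnings(mem, patterns)
    after_dry = sorted(p.name for p in mem.glob("*.md"))
    applied = archive_learnings(mem, patterns, apply=True)
    after_apply = sorted(p.name for p in mem.glob("*.md"))
    text = patterns.read_text(encoding="utf-8")
    return {"dry": dry, "after_dry": after_dry, "applied": applied, "after_apply": after_apply,
            "patterns_has_lesson": "prefers short answers" in text,
            "recoverable": (Path(applied["retired_dir"]) / "2024-05-01.md").exists()}


def main() -> None:
    ap = argparse.ArgumentParser(
        description="Fold memory/*.md into patterns.md. Without --apply this only "
                    "reports. With --apply the originals are MOVED to memory/archived/.")
    ap.add_argument("--memory-dir", type=Path, default=Path("memory"))
    ap.add_argument("--patterns", type=Path, default=Path("memory/patterns.md"))
    ap.add_argument("--apply", action="store_true",
                    help="append to patterns.md and move the originals (default: report only)")
    args = ap.parse_args()
    print(archive_learnings(args.memory_dir, args.patterns, apply=args.apply))


if __name__ == "__main__":
    main()
```

The per-file sha256 in the archive marker lets a later audit confirm that what sits in patterns.md is exactly what was retired, and the dated directory keeps successive runs from overwriting each other.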

Ssd 3

Medium
Confidence
93% confidence
Finding
The README frames the skill as remembering who the user is, what happened in conversations, and learning from mistakes across sessions, which inherently implies persistent retention of potentially sensitive interaction data. Without privacy boundaries or filtering rules, this creates a meaningful data leakage and retention risk if logs are exposed, synced, or reused in later prompts.

Ssd 3

Medium
Confidence
94% confidence
Finding
The feature list explicitly instructs cross-session retention of user preferences, decisions, and important facts, but does not define sensitivity classes, consent requirements, or exclusion rules. That omission makes it easy for operators or the agent to persist confidential or personal information beyond the original interaction context.

Ssd 3

Medium
Confidence
96% confidence
Finding
The documented storage layout includes daily raw logs and long-term memory files, suggesting broad and durable retention of interaction contents rather than minimal summaries. Keeping raw logs materially increases exposure in case of local compromise, accidental sharing, backup leakage, or downstream prompt reuse.

Ssd 3

Medium
Confidence
96% confidence
Finding
The instruction to write every lesson, decision, preference, or event worth remembering into structured files encourages broad and potentially indiscriminate collection of user and session data. In context, this is especially risky because the storage is long-term and repeatedly consulted on future sessions, amplifying privacy impact.

Ssd 3

Medium
Confidence
94% confidence
Finding
Requiring automatic reading of persistent memory and user/profile files before any task enables pervasive reuse of previously stored user information, regardless of whether it is relevant to the current request. This broadens the blast radius of any sensitive data captured earlier and normalizes cross-session profiling.

Ssd 3

Medium
Confidence
95% confidence
Finding
The daily log format explicitly directs the agent to record facts about the user, preferences, and project context in long-term files. This is a direct mechanism for building persistent user profiles, which can expose sensitive personal or business information if over-collected, reused broadly, or later accessed by other tools or sessions.
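The findings in this group all come back to the same gap: facts about the user are written to long-lived files with no sensitivity classes, exclusion rules or filtering before the write. The following is an added example, not part of the Aoju Memory skill, of a write-time gate in front of the daily log: entries carrying credentials are refused outright, personal identifiers are redacted before they reach disk, and every decision is recorded on an audit line so a later review can see what was dropped. The pattern set is a small illustrative sample rather than a complete secret scanner, and the log layout and sample entries are constructed for this example.

```python
"""Write-time sensitivity filter for a daily memory log.

Added example; this is not code from the Aoju Memory skill. Two sensitivity
classes with different policies: credentials are refused, personal identifiers
are redacted, and each decision is logged for audit. The pattern set is a small
illustrative sample, not a complete scanner; the log layout and the sample
entries are constructed for this example.
"""
import re
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Class 1: credentials. Policy: refuse to persist the entry at all.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._\-]{20,}"),
    "assigned_secret": re.compile(r"(?i)\b(api[_-]?key|secret|password|token)\s*[:=]\s*\S{8,}"),
}
# Class 2: personal identifiers. Policy: redact, keep the rest of the entry.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
CARD_RX = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, confirmed with Luhn


def _digits(s: str) -> str:
    return "".join(ch for ch in s if ch.isdigit())


def _luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out random digit runs such as timestamps or IDs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Name the sensitivity classes present in text."""
    secrets = [n for n, rx in SECRET_PATTERNS.items() if rx.search(text)]
    pii = [n for n, rx in PII_PATTERNS.items() if rx.search(text)]
    if any(_luhn_ok(_digits(m)) for m in CARD_RX.findall(text)):
        pii.append("card_number")
    return {"secrets": secrets, "pii": pii}


def redact(text: str) -> str:
    out = text
    for name, rx in PII_PATTERNS.items():
        out = rx.sub(f"[{name} redacted]", out)
    return CARD_RX.sub(
        lambda m: "[card_number redacted]" if _luhn_ok(_digits(m.group(0))) else m.group(0), out)


def gate_entry(entry: str) -> Tuple[Optional[str], dict]:
    """Decide what may be persisted; None means the entry is refused."""
    found = classify(entry)
    if found["secrets"]:
        return None, {"action": "refused", **found}
    if found["pii"]:
        return redact(entry), {"action": "redacted", **found}
    return entry, {"action": "stored", **found}


def append_daily_log(memory_dir: Path, day: str, entry: str) -> dict:
    """Apply the gate, record the decision, then append what survives to <day>.md."""
    kept, decision = gate_entry(entry)
    with (memory_dir / "filter-audit.log").open("a", encoding="utf-8") as audit:
        audit.write(f"{day} {decision['action']} secrets={decision['secrets']} "
                    f"pii={decision['pii']}\n")
    if kept is not None:
        with (memory_dir / f"{day}.md").open("a", encoding="utf-8") as log:
            log.write(f"- {kept}\n")
    return decision


def run_demo() -> dict:
    """Run four constructed entries through the gate in a temporary memory dir."""
    memory_dir = Path(tempfile.mkdtemp())
    entries = [
        "User prefers terse answers and uses zsh.",
        "Billing contact is alice@example.com, card 4111 1111 1111 1111.",
        "Deploy account uses AKIAIOSFODNN7EXAMPLE for uploads.",
        "Remember: api_key=sk_test_51HabcdEFGHijklMN for the demo tenant.",
    ]
    decisions = [append_daily_log(memory_dir, "2024-05-03", e) for e in entries]
    log = (memory_dir / "2024-05-03.md").read_text(encoding="utf-8")
    audit = (memory_dir / "filter-audit.log").read_text(encoding="utf-8")
    return {"decisions": decisions, "log": log, "audit_lines": audit.count("\n")}
```

The audit line records the class names, never the matched values, so the audit log does not become a second copy of the data the gate was meant to keep out of memory. Refusing rather than redacting credentials is deliberate: a redacted "api_key=[redacted]" line still tells a later prompt that a key exists and where it was used.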

VirusTotal

66/66 vendors reported this skill as clean.

View on VirusTotal