BrainDB

Security checks across malware telemetry and agentic risk

Overview

BrainDB appears to be a genuine memory plugin, but it warrants review before installation: several ordinary memory features (query expansion, auto-encoding of conversation turns, and the optional migration path) can send private conversation and memory data to Google's Gemini API despite the README's local-only privacy claims.

Install only if you want durable agent memory and are willing to review its data flows. In practice:
  • Use the local-only migration path; the optional Gemini-backed migration sends memory file contents to Google's API.
  • Leave GEMINI_KEY unset unless you intentionally want Gemini to process memory queries and conversation turns.
  • Set BRAINDB_API_KEY if other local processes reaching the service is a concern.
  • Review or skip execution-awareness.js if you do not want tool and environment details stored as long-term procedural memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (22)

Tp4

High
Category
MCP Tool Poisoning
Confidence
76% confidence
Finding
The skill markets itself as a local semantic memory plugin, but the described behavior includes broader capabilities such as config modification, workspace ingestion, Docker service deployment, and optional transmission of file contents to Google's Gemini API during migration. This mismatch is dangerous because users may grant trust based on the narrow description while unintentionally exposing sensitive workspace data or allowing substantial host-side changes.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The README makes strong privacy claims about local-only operation, but elsewhere documents an optional migration mode that sends memory file contents to Google's Gemini API. Even if this is opt-in, it creates a meaningful risk of sensitive data exfiltration during migration and can mislead users who assume the product never transmits memory data externally.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The file explicitly states it will introspect the OpenClaw environment and encode tool/capability memories, which expands the skill from semantic memory into capability discovery and operational guidance. That broadens the trust boundary and can prime downstream agents with actionable knowledge about available tools and workflows, increasing misuse potential even if no immediate exploit is executed here.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
These hardcoded memories teach agents how to send Discord messages, execute commands on remote nodes, and schedule autonomous future tasks. Embedding such operational playbooks into long-term memory creates a durable privilege-amplification layer that can enable lateral actions and persistence well beyond a memory skill's stated purpose.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code enumerates installed CLIs, scans ~/bin and workspace scripts, inspects installed skills, and reads fleet metadata from /tmp. This is far broader than a memory service needs and can expose sensitive local topology, tooling, file paths, and operational context that may later be abused or exfiltrated through the memory service.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This file substantially expands a memory service into LLM-driven profiling, prediction, synthesis, and execution-oriented routing. That scope creep increases the chance that sensitive user data is inferred, retained, or acted on in ways users did not request, which is risky for a skill marketed as persistent semantic recall.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Execution-focused recall and tool-execution capture are materially different from passive memory storage and retrieval. In an agent context, these features can expose tool/capability metadata and create a bridge from stored memory into operational behavior, increasing the risk of overreach, prompt-driven misuse, and privacy-invasive action selection.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The predictive follow-up system explicitly profiles likely future questions about a person's relationships, preferences, business specifics, and personal details. Even without an immediate attacker, this creates unnecessary inference and precomputation of sensitive personal topics beyond the user's direct request.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The auto-encode endpoint sends full conversation turns to an external LLM and persists distilled long-term memories about user-specific personal and business information. This is dangerous because it broadens collection and retention far beyond explicit user-authored memory entries, making over-collection and privacy violations likely.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script claims all memories are guaranteed to be exported, but the export logic is clearly best-effort: it relies on a health endpoint, heuristic recall queries, a fixed limit, deduplication by observed IDs, and a weak fallback to an embeddings cache. This can silently omit memories while continuing with container shutdown, creating a serious data-loss risk for a product whose core purpose is persistent memory.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The script claims all memories are guaranteed to be exported, but the export logic is clearly best-effort: it relies on a health endpoint, heuristic recall queries, a fixed limit, deduplication by observed IDs, and a weak fallback to an embeddings cache. This can silently omit memories while continuing with container shutdown, creating a serious data-loss risk for a product whose core purpose is persistent memory.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The module is explicitly designed to auto-capture tool execution outcomes into persistent memory, and there is no indication of user notice, consent, or policy gating before storage. In an agent environment, tool calls often contain prompts, commands, URLs, file paths, and operational context that may be sensitive, so silent persistence creates a real privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Failure memories and novel-success memories include truncated command strings, URLs, node names, error text, and result previews, all of which are persisted to BrainDB. These fields can easily contain secrets, internal endpoints, file names, stack traces, tokens, or proprietary data, so storing them in long-term semantic memory materially increases the risk of sensitive data retention and later disclosure.
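Both findings above describe records that reach long-term memory with no filtering at all. What follows is an added example written for this review, not BrainDB's code, of the minimization step a practitioner would want in front of that write: scan each string field for credential shapes, strip userinfo from URLs, truncate previews only after redaction (truncating first can split a key so the pattern misses it), and refuse to persist records that contained a private key or cloud access key at all. The record layout, the `<REDACTED:...>` marker and the blocking policy are assumptions; the sample record is constructed for the demo.

```python
"""Redaction and minimization before a tool-execution record is persisted
(added example, not BrainDB's code; record shape and markers are assumptions)."""
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit, urlunsplit

URL_RE = re.compile(r"\bhttps?://[^\s'\"<>]+")

# (kind, pattern): group 1 is kept as context, group 2 is the secret that is removed.
# The (?!<REDACTED) lookaheads make a second pass over already-redacted text a no-op.
SECRET_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("aws_access_key", re.compile(r"(\b)((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    ("bearer_token",   re.compile(r"(?i)\b(bearer\s+)([A-Za-z0-9\-._~+/]+=*)")),
    ("private_key",    re.compile(r"()(-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----)")),
    # Broad on purpose: NAME=value where NAME ends in KEY/TOKEN/SECRET/PASSWORD, whether it
    # appears as an env assignment, a CLI flag (--token=...) or a URL query (?api_key=...).
    ("env_assignment", re.compile(r"(?i)\b([A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD|PASSWD)=)((?!<REDACTED)[^\s'\"&]+)")),
    ("flag_value",     re.compile(r"(?i)(--?(?:token|api[-_]?key|password|secret)\s+)((?!<REDACTED)[^\s'\"]+)")),
]

# Records that carried these are dropped entirely rather than stored in redacted form.
BLOCKING_KINDS = {"private_key", "aws_access_key"}


def redact_text(text: str) -> Tuple[str, List[str]]:
    """Return (redacted text, list of secret kinds found, in order of detection)."""
    findings: List[str] = []

    def scrub_url(m: "re.Match") -> str:
        url = m.group(0)
        try:
            parts = urlsplit(url)
        except ValueError:
            return url
        if parts.username is None and parts.password is None:
            return url
        findings.append("url_credentials")
        netloc = parts.netloc.rsplit("@", 1)[-1]          # drop user:pass@, keep host:port
        return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

    out = URL_RE.sub(scrub_url, text)                      # URLs first, then generic shapes
    for kind, pattern in SECRET_PATTERNS:
        def repl(m: "re.Match", kind: str = kind) -> str:
            findings.append(kind)
            return m.group(1) + f"<REDACTED:{kind}>"
        out = pattern.sub(repl, out)
    return out, findings


def sanitize_record(record: Dict[str, object], max_preview: int = 200) -> Tuple[Dict[str, object], List[str]]:
    """Redact every string field; truncate the result preview only AFTER redaction,
    since truncating first can cut a key in half and let the remainder through."""
    clean: Dict[str, object] = {}
    findings: List[str] = []
    for key, value in record.items():
        if isinstance(value, str):
            value, found = redact_text(value)
            findings.extend(found)
            if key == "result_preview":
                value = value[:max_preview]
        clean[key] = value
    return clean, findings


def persistable(findings: Iterable[str]) -> bool:
    """Policy hook: a record that carried a blocking secret kind is not stored at all."""
    return not (BLOCKING_KINDS & set(findings))


# Constructed sample of what an execution-awareness module might capture.
SAMPLE_RECORD = {
    "tool": "exec",
    "node": "build-node-3",
    "command": ("curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc.def' "
                "https://deploy:hunter2@ci.example.internal/api?token=s3cr3t&ref=main"),
    "error": "ExitCode 1: GEMINI_KEY=AIzaSy-fake-value rejected",
    "result_preview": "AKIAIOSFODNN7EXAMPLE is not authorized\n" + "x" * 500,
}

if __name__ == "__main__":
    clean, found = sanitize_record(SAMPLE_RECORD)
    print("found:", found, "| persist:", persistable(found))
    for k, v in clean.items():
        print(f"{k}: {v!r}")
```

The `env_assignment` rule is deliberately broad (`monkey=5` would match) because a long-term memory store is the wrong place to err toward keeping data. The lookahead on `<REDACTED` makes a second pass a no-op, which matters if records are re-encoded later, for example during a migration.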

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The encode() function transmits generated memory content, including discovered paths, installed tools, skills, and operational details, to the BrainDB service without any visible consent prompt or disclosure. This creates a data-leakage risk because environment and filesystem information may be sensitive, especially when the endpoint is configurable or remote.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code transmits memory content to an external embedder service for semantic operations, but this file shows no disclosure, consent, minimization, or trust-boundary controls. If the embedder is remote or compromised, sensitive conversation and memory data can be exposed outside the core service boundary.

Missing User Warnings

High
Confidence
99% confidence
Finding
Query expansion, routing, synthesis, prediction, and auto-encoding all send user queries, memory candidates, and conversation-derived content to Gemini without any visible user-facing notice in this file. This creates a significant privacy and data-governance risk because highly personal memory content is disclosed to an external LLM for non-essential enrichment tasks.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The session-context endpoint deletes prior context for a session before writing replacement state, with no confirmation, versioning, or recoverability. While primarily an integrity/UX problem, it can cause silent loss of important conversational state and make recovery difficult if triggered accidentally or by another component.
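The fix for delete-then-write is replace-with-history: archive the outgoing state, keep a bounded number of prior versions, and give writers a version check so two components racing on one session cannot silently overwrite each other. This is an added example for this review, not BrainDB's code; the endpoint's real storage is unknown, so this is an in-memory store and the method names, version counter and retention depth are assumptions.

```python
"""Replace-with-history for session context (added example, not BrainDB's code)."""
from copy import deepcopy
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


class ConflictError(Exception):
    """Raised when a writer's expected version does not match the stored one."""


@dataclass
class _Session:
    current: Optional[dict] = None
    version: int = 0                       # version of `current`; 0 means never written
    history: List[Tuple[int, str, dict]] = field(default_factory=list)   # (version, utc_iso, state)


class SessionContextStore:
    def __init__(self, max_history: int = 5):     # retention depth is an assumption
        self._sessions: Dict[str, _Session] = {}
        self._max_history = max_history

    def replace(self, session_id: str, new_state: dict, expected_version: Optional[int] = None) -> int:
        """Swap in new_state and return its version. The previous state is archived,
        not deleted; expected_version lets a caller refuse to clobber a state it has
        not seen (optimistic concurrency against another component racing on the session)."""
        s = self._sessions.setdefault(session_id, _Session())
        if expected_version is not None and expected_version != s.version:
            raise ConflictError(f"{session_id}: expected v{expected_version}, stored v{s.version}")
        if s.current is not None:
            s.history.append((s.version, datetime.now(timezone.utc).isoformat(), s.current))
            if len(s.history) > self._max_history:            # keep only the newest N archived states
                del s.history[: len(s.history) - self._max_history]
        s.current = deepcopy(new_state)                       # caller mutations cannot reach the store
        s.version += 1
        return s.version

    def get(self, session_id: str) -> Optional[dict]:
        s = self._sessions.get(session_id)
        return deepcopy(s.current) if s and s.current is not None else None

    def archived_versions(self, session_id: str) -> List[int]:
        s = self._sessions.get(session_id)
        return [v for v, _, _ in s.history] if s else []

    def rollback(self, session_id: str, version: Optional[int] = None) -> int:
        """Restore an archived state (newest by default) as a NEW version, so the
        rollback itself is recorded and can be undone the same way."""
        s = self._sessions.get(session_id)
        if not s or not s.history:
            raise KeyError(f"{session_id}: nothing to roll back to")
        if version is None:
            state = s.history[-1][2]
        else:
            matches = [st for v, _, st in s.history if v == version]
            if not matches:
                raise KeyError(f"{session_id}: version {version} is not archived")
            state = matches[0]
        return self.replace(session_id, state, expected_version=s.version)


if __name__ == "__main__":
    store = SessionContextStore(max_history=3)
    store.replace("s1", {"last_user_message": "hi", "active_task": "draft"})
    store.replace("s1", {"last_user_message": "next", "active_task": "review"})
    print("current:", store.get("s1"), "archived:", store.archived_versions("s1"))
    store.rollback("s1")
    print("after rollback:", store.get("s1"), "archived:", store.archived_versions("s1"))
```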

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The migration flow reads local workspace files, extracts facts, and then transmits those facts to the configured BrainDB service via `/memory/encode`. Although the default URL is localhost, the `--braindb` flag allows arbitrary endpoints, and the script does not provide a clear consent prompt immediately before sending potentially sensitive memory files. In a memory-migration skill, that makes accidental disclosure of personal, business, or operational data plausible.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When `--swarm` is enabled, the script sends up to 6000 characters of file content to another local service at `http://localhost:9999/parallel`, which the comments describe as Gemini Flash extraction that sends data to Google API. While there is a startup log message, there is no runtime confirmation or per-file consent at the transmission point, so sensitive workspace content can be forwarded to third-party processing without strong user acknowledgment. In a long-term memory tool, those files are especially likely to contain personal and confidential information.
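The two migration findings above (an arbitrary `--braindb` endpoint with no consent at the send point, and the `--swarm` hop that forwards file content onward to Google's API) come down to the same missing control: nothing verifies that the destination is actually local, and nothing asks before data leaves. The following is an added example written for this review, not BrainDB's code. It assumes the migration script holds its extracted facts as a list of strings, POSTs them one at a time to `<braindb>/memory/encode` as JSON (the payload shape is a guess), and lets `post` and `confirm` be injected so the gate can be exercised without a running service.

```python
"""Loopback-only send gate for the migration flow (added example, not BrainDB's code)."""
import ipaddress
import json
import socket
from typing import Callable, List
from urllib.parse import urlsplit
from urllib.request import Request, urlopen


def _is_loopback_ip(addr: str) -> bool:
    ip = ipaddress.ip_address(addr.split("%")[0])   # drop an IPv6 scope id if present
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                           # ::ffff:127.0.0.1 is loopback too
    return ip.is_loopback


def is_loopback_endpoint(url: str, resolver=socket.getaddrinfo) -> bool:
    """True only if url is plain http(s), carries no userinfo, and every address
    its host resolves to is loopback. Anything doubtful is treated as remote."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False      # http://localhost@evil.example/ really targets evil.example
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:    # malformed port
        return False
    try:
        return _is_loopback_ip(parts.hostname)        # literal IP: no DNS involved
    except ValueError:
        pass                                          # a hostname; resolve it
    try:
        infos = resolver(parts.hostname, port, proto=socket.IPPROTO_TCP)
    except OSError:                                   # NXDOMAIN etc. (gaierror is an OSError)
        return False
    addrs = {info[4][0] for info in infos}
    return bool(addrs) and all(_is_loopback_ip(a) for a in addrs)


def _default_post(url: str, payload: dict) -> int:
    req = Request(url, data=json.dumps(payload).encode(), method="POST",
                  headers={"Content-Type": "application/json"})
    with urlopen(req, timeout=10) as resp:
        return resp.status


def _default_confirm(prompt: str) -> bool:
    return input(prompt + " [y/N] ").strip().lower() in ("y", "yes")


def guarded_encode(braindb_url: str, facts: List[str],
                   post: Callable[[str, dict], int] = _default_post,
                   confirm: Callable[[str], bool] = _default_confirm,
                   allow_remote: bool = False) -> int:
    """Send extracted facts to <braindb>/memory/encode only after (1) the endpoint
    passes the loopback check, unless allow_remote was set deliberately, and (2) the
    user confirms this batch at the point of transmission. Returns the number sent."""
    if not allow_remote and not is_loopback_endpoint(braindb_url):
        raise PermissionError(f"refusing to send memory data to non-loopback endpoint {braindb_url!r}")
    endpoint = braindb_url.rstrip("/") + "/memory/encode"
    preview = "\n".join("  - " + f[:80] for f in facts[:5])
    more = f"\n  ... and {len(facts) - 5} more" if len(facts) > 5 else ""
    if not confirm(f"About to send {len(facts)} fact(s) to {endpoint}:\n{preview}{more}\nProceed?"):
        return 0
    sent = 0
    for fact in facts:
        post(endpoint, {"content": fact})     # payload shape is an assumption
        sent += 1
    return sent


if __name__ == "__main__":
    # Dry run over constructed facts: records what would be sent instead of POSTing.
    log = []
    n = guarded_encode("http://127.0.0.1:8000", ["prefers dark mode", "project X deadline is Friday"],
                       post=lambda u, p: log.append((u, p)) or 200, confirm=lambda _: True)
    print(f"sent {n} fact(s):", log)
    try:
        guarded_encode("http://203.0.113.5:8000", ["x"], post=lambda u, p: 200, confirm=lambda _: True)
    except PermissionError as e:
        print("blocked:", e)
```

The loopback test resolves hostnames and requires every returned address to be loopback, so a `--braindb` value whose name resolves to both 127.0.0.1 and a routable address is refused, and `http://localhost@evil.example/` is refused because the userinfo trick makes the real host `evil.example`. The resolve-then-connect gap (DNS rebinding) remains; pinning the resolved address for the actual connection closes it. The same gate, with `allow_remote` left off, would sit in front of the `--swarm` call to `http://localhost:9999/parallel`, though that only proves the first hop is local; the onward transmission to Google's API still needs its own notice at the point of sending.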

Ssd 3

High
Confidence
98% confidence
Finding
The predictive prompt explicitly instructs the model to anticipate questions about a person's preferences, relationships, business specifics, and personal details. In a memory system, this is dangerous because it turns retained history into proactive profiling of sensitive traits and private facts not directly requested at the time.

Ssd 3

High
Confidence
99% confidence
Finding
The auto-encode prompt instructs the model to retain broad categories of user-specific personal, business, relational, and behavioral information as long-term memory. This creates a strong overcollection risk and can persist highly sensitive data without meaningful user review or necessity limitation.

Ssd 3

Medium
Confidence
92% confidence
Finding
This endpoint persists raw session context including last user message, active task, pending questions, decisions, and summaries. In an agent memory product, storing this directly can capture secrets, sensitive intents, and transient context that users may not expect to become durable long-term memory.

VirusTotal

None of the 61 VirusTotal vendors flagged this skill (61/61 clean). A clean antivirus verdict says nothing about the data-flow findings above; those are design and disclosure issues, not malware signatures.
