People Memories

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly aligned with people-note memory, but it quietly stores transcript-derived personal data and describes background Telegram reminder delivery without clear opt-in or controls.

Install only if you intentionally want a persistent people-memory system. Before enabling it, confirm whether transcript auto-capture can be disabled or made confirm-before-save, inspect ~/.clawdbot/people-memory.json and logs for saved content, avoid storing sensitive third-party details, and verify whether any cron or Telegram reminder job is actually installed and how to disable it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
Automatically delivering reminder digests over Telegram extends the skill from local memory storage into third-party message transmission of personal event data. That creates a meaningful data-sharing risk because birthdays, anniversaries, and associated names may be sent off-device without clear consent or disclosure. The people-memory context increases sensitivity because these are personal relationship details, not generic reminders.

Description-Behavior Mismatch

Low
Confidence: 75%
Finding
Exporting person records to arbitrary output files broadens the data exposure surface beyond simple in-app recall. Personal notes can be copied into less protected locations, overwritten into sensitive paths, or shared unintentionally, especially when the output path is user-specified. In this context, the risk comes from moving sensitive people data out of the bounded memory store into general filesystem locations.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
Telegram delivery automation is not necessary for the core function of storing and recalling notes about people, so it violates least functionality while introducing a third-party dissemination channel. This increases the attack and privacy surface without a clear user-justified need, especially because the transmitted content concerns personal contacts and life events. The context makes this more dangerous because the skill is effectively becoming a notification broadcaster for sensitive social data.

Description-Behavior Mismatch

Low
Confidence: 90%
Finding
The export function writes sensitive personal notes to an arbitrary user-supplied file path via Path(out_path).write_text(...), with no path restrictions, confirmation, or safeguards. In an agent context, this broadens the trust boundary from private local storage to arbitrary filesystem write access, increasing the risk of accidental disclosure, overwriting other files accessible to the user, or placing sensitive data in insecure locations.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrase for auto-capture is broad enough to match ordinary conversation, which can cause accidental collection and storage of personal information without deliberate user action. Because confirmations are kept quiet, users may not realize that sensitive details about other people were persisted. In a voice/chat transcript setting, ambiguous triggers materially raise privacy risk.

Missing User Warnings

High
Confidence: 97%
Finding
The skill explicitly describes quiet automatic capture and storage of personal details from voice/chat transcripts without a clear warning or consent flow. That undermines user awareness and informed consent, particularly because the data concerns third parties and may later be searched, summarized, exported, or used for reminders. The context sharply increases risk because it combines covert collection with persistent retention of interpersonal data.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill automatically extracts names and notes from voice transcripts and persists them via a subprocess without any explicit notice, consent, or confirmation. Because voice transcripts can contain sensitive personal data about third parties, silently storing and logging that content creates a privacy and data-handling risk that is more concerning in a memory/people-tracking skill than in a transient assistant feature.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill stores sensitive personal memories, including inferred birthdays and anniversaries, in plaintext JSON under ~/.clawdbot/people-memory.json without any consent prompt, privacy notice, access controls, or minimization. In a memory skill, persistent storage is expected, but the data category is personal and potentially sensitive, so silent long-term retention materially raises privacy risk if the local account, backups, or shared machine are accessed by others.

Ssd 3

Medium
Confidence: 92%
Finding
Quietly capturing, retaining, and later exporting personal details from transcripts creates a substantial privacy and surveillance risk. The skill is designed to accumulate sensitive interpersonal information over time, then make it easily retrievable and shareable, which can amplify harm if misused or compromised. In this skill's context, that behavior is central and therefore especially dangerous unless tightly consented and controlled.

Ssd 3

Medium
Confidence: 80%
Finding
Creating shareable fact cards and exports of personal notes about people encourages secondary use and redistribution of sensitive information. Even if intended for convenience, packaging data into summaries makes disclosure easier and can strip away contextual nuance about consent or appropriateness. In a people-memory tool, summarization/export features materially increase privacy impact because they facilitate onward sharing.

VirusTotal

66/66 vendors flagged this skill as clean.
