Structured Memory

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent memory-indexing tool, but it deserves review because it can automatically persist sensitive workspace memory facts and perform broad rebuild/delete operations.

Install only if you want an agent to maintain persistent structured memory for the workspace. Review the first-run backfill behavior, avoid storing secrets in daily memory, and do not pass custom output paths to rebuild scripts unless you have checked they point only to the intended critical-facts/cards directory.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (12)

Direct flow: pathlib.Path.read_text (file read) → pathlib.Path.write_text (file write)

Severity: High
Category: Data Flow
Confidence: 96%
Content:
        f"  related_entity: {fact['related_entity']}\n"
        f"  note: {fact['note']}\n"
    )
    path.write_text(path.read_text(encoding='utf-8').rstrip() + '\n' + block, encoding='utf-8')
    return True
Finding: path.write_text(path.read_text(encoding='utf-8').rstrip() + '\n' + block, encoding='utf-8')

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The skill description is very broad and explicitly covers many workspace topics, which can cause the agent to invoke it in a wide range of normal situations. Because this skill performs filesystem-writing maintenance actions and recommends initialization/backfill behavior, overbroad triggering increases the chance of unnecessary reads, indexing, and propagation of sensitive workspace content beyond the immediate task context.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The default operating guidance tells agents to treat rebuild as part of the default workflow after 'meaningful' updates, but that term is subjective and lacks hard limits. This can lead to automatic execution of indexing and fact-extraction scripts without explicit user consent, causing over-collection, persistence of sensitive data into derived stores, and unintended repeated modifications to the workspace.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: With --write enabled, the script persists extracted hosts, accounts, endpoints, paths, and identifiers into long-lived critical-facts files, but the CLI does not prominently warn that sensitive operational data will be copied and retained. In this skill context, the tool is explicitly harvesting execution-critical facts, so accidental invocation can expand the exposure surface and create durable records of secrets or infrastructure details.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The script unconditionally deletes the entire cards output directory via shutil.rmtree(cards_dir) before rebuilding it. Because the output path is user-controllable through --cards-dir and is not validated against an expected safe base directory, a mistaken or maliciously supplied path could cause destructive loss of arbitrary files or directories accessible to the script.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The script silently removes all sections matching the provided date across multiple repository directories and then rewrites indexes and fact files, with no confirmation, dry-run, backup, or strict date validation. If run with an incorrect or attacker-influenced date, it can cause broad unintended data loss or repository corruption, especially because the trust boundary is a CLI argument controlling what content gets deleted.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: This script triggers a full rebuild workflow that modifies multiple indexes and derived artifacts via chained subprocesses, yet it provides no user-facing warning about side effects or the scope of changes. In a skill or automation context, hidden repository-wide write actions are dangerous because they can surprise callers, amplify mistakes, and make destructive operations easier to invoke indirectly.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: The file is a broad, free-form situation description about a project change request and milestone impact, but it provides no activation boundaries, role constraints, or explicit trigger conditions. In an agent skill system, this can cause overbroad invocation or unintended behavior because the agent may treat ordinary project-management conversations as matching this skill and act on sensitive workflow decisions without sufficient scoping.

Natural-Language Policy Violations

Severity: Medium
Confidence: 97%
Finding: The skill text explicitly instructs the agent to answer in Chinese ('以后先查 memory 再答 M05') without any indication that this is conditioned on the user's language preference or consent. This can override user expectations, reduce usability, and cause incorrect or inaccessible responses, especially in multilingual or compliance-sensitive contexts; the adjacent instructions about memory lookup do not mitigate the language-forcing behavior.

Natural-Language Policy Violations

Severity: Medium
Confidence: 96%
Finding: The skill hard-codes response behavior in Chinese ('以后先查 memory 再答 M06') without any indication of user preference or locale negotiation. This can override user expectations and system behavior, causing incorrect or inaccessible responses and making the agent easier to steer with embedded prompt instructions.

Natural-Language Policy Violations

Severity: Medium
Confidence: 88%
Finding: The skill text explicitly directs responses in Chinese ('以后先查 memory 再答 M08'), which can override the user's preferred language without consent. This is risky because it changes agent behavior in a way unrelated to task safety and can reduce usability, transparency, and compliance with user expectations, especially if the surrounding system or user requested another language.

Natural-Language Policy Violations

Severity: Medium
Confidence: 94%
Finding: The skill text explicitly instructs responses in Chinese ('以后先查 memory 再答 M10') without any indication that the user's preferred language should be respected. This can override user expectations and reduce usability or clarity, especially for users who do not understand Chinese, though it does not by itself create direct code-execution or data-exfiltration risk.

VirusTotal

63/63 vendors flagged this skill as clean.