Smart Memory

Security checks across malware telemetry and agentic risk

Overview

Smart Memory is a coherent local memory system, but it is rated Review because it persistently stores and reuses conversation data, injects stored memory into prompts, starts local services, and loads or installs code with broad local authority.

Install only if you intentionally want persistent local memory that stores conversation-derived facts, goals, beliefs, summaries, and inferred insights and reuses them in future prompts. Before installing, review the installer and the npm postinstall script. Do not store secrets or regulated data unless you have a purge and redaction plan. Keep the API bound to localhost, or add authentication before exposing it beyond the local host. Disable or gate session capture, automatic injection of stored memory into prompts, background cognition, auto-start helpers, and trust_remote_code unless you explicitly need each of them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (43)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for path in ["./smart-memory", "../smart-memory", "./skills/smart-memory"]:
    venv_activate = Path(path) / ".venv/bin/activate"
    if venv_activate.exists():
        subprocess.Popen(
            f"cd {path} && . .venv/bin/activate && python -m uvicorn server:app --host 127.0.0.1 --port 8000 > /tmp/smart-memory-server.log 2>&1 &",
            shell=True,
        )
Confidence
92% confidence
Finding
subprocess.Popen( f"cd {path} && . .venv/bin/activate && python -m uvicorn server:app --host 127.0.0.1 --port 8000 > /tmp/smart-memory-server.log 2>&1 &", s

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if venv_activate.exists() and server_py.exists():
    cmd = f"cd {base}/smart-memory && . .venv/bin/activate && python -m uvicorn server:app --host 127.0.0.1 --port 8000 > /tmp/smart-memory-server.log 2>&1 &"
    subprocess.Popen(cmd, shell=True)
    time.sleep(3)

    try:
Confidence
94% confidence
Finding
subprocess.Popen(cmd, shell=True)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The embedder defaults `trust_remote_code=True` when constructing `SentenceTransformer`, which permits execution of model-repository Python code during model load. That creates a supply-chain execution path inconsistent with a 'local memory' component, because loading an untrusted or compromised model can run arbitrary code on the host without explicit warning.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
A helper presented as a session memory primer also attempts to start a local FastAPI/uvicorn server if one is not already running. That side effect is broader than the stated purpose and can surprise users by spawning a persistent service, increasing the chance of misuse or unnoticed exposure on the local system.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The installer fetches the latest repository contents from GitHub and immediately proceeds to install and run dependency setup without pinning to a reviewed commit, tag, or checksum. This creates a software supply-chain risk: anyone who can modify the upstream repository or a dependency can cause arbitrary code to be installed and executed on the user's machine.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
A session-priming utility implicitly starts a long-running background service if the server is unavailable, which exceeds the expected scope of a read/query helper. In an agent skill context, this creates hidden side effects, process persistence, and broader execution capability than a user may anticipate from a priming command.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly instructs the agent to retrieve prior context, stored memories, and user preferences before answering, but it provides no requirement to notify the user, obtain consent, or scope access to only the minimum necessary data. In a persistent memory skill, this can lead to opaque use of historical conversation data and unnecessary exposure of sensitive preferences or prior discussions, especially when users may not expect background retrieval from long-term storage.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document explicitly describes persistent cross-session storage of working context and says that this data appears in every future prompt, but it does not mention consent, retention limits, review controls, or privacy warnings. That creates a real privacy and data-minimization risk because sensitive conversation content may be stored locally and repeatedly re-exposed to the model across sessions without the user's clear awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The auto-update behavior documents automatic extraction of project mentions, questions, timestamps, and interaction state from conversations, yet it provides no warning that both user and assistant content will be processed and persisted. This is dangerous because users may disclose confidential or regulated information in normal conversation and have it silently converted into long-lived memory entries.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide instructs agents to send user and assistant messages to the memory system via `memory.ingestMessage()` and to retrieve context from it, but it does not tell integrators to disclose this persistence behavior to users or obtain consent. In a memory skill whose core purpose is long-lived retention, omission of privacy and notice guidance increases the risk of silently storing sensitive conversation data and creating compliance, trust, and data-handling issues.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly states that running `npm install` triggers a `postinstall.js` script that creates a virtual environment, upgrades `pip`, and installs Python packages including PyTorch. Automatic environment modification and network-based dependency installation during install time increase supply-chain risk and reduce informed consent, because users may execute these side effects merely by installing the package. In a skill that bridges Node and Python and persists a background FastAPI service, this behavior is more dangerous than in a pure-library package because install-time actions set up executable infrastructure automatically.
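The two supply-chain findings above (unpinned fetch of the latest repository, and an npm postinstall that builds and populates a Python environment on its own) share one fix: install from an artifact whose digest was recorded during review, and refuse anything else. The Python below is an added example, not the skill's installer. It verifies a release tarball against a pinned SHA-256, rejects archive entries that would escape the destination directory, and only then extracts. The tarball, file names and digest are constructed inside the example; a real installer would ship the pinned digest next to the install script and would also pin Python dependencies with `pip install --require-hashes`.

```python
"""Install from a pinned, digest-verified archive instead of 'latest' (added example; not the skill's installer)."""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def unsafe_members(tar: tarfile.TarFile) -> List[str]:
    """Entries that would escape the destination: absolute paths, '..' components, symlinks, hardlinks."""
    bad = []
    for m in tar.getmembers():
        if m.name.startswith("/") or ".." in Path(m.name).parts or m.issym() or m.islnk():
            bad.append(m.name)
    return bad


def install_pinned(blob: bytes, expected_sha256: str, dest: Path) -> List[str]:
    """Extract only if the archive matches the digest recorded at review time and has no escaping entries.

    Returns the extracted member names.
    """
    actual = sha256_hex(blob)
    if actual != expected_sha256:
        raise ValueError(f"archive digest {actual[:12]}... does not match pinned {expected_sha256[:12]}...")
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        bad = unsafe_members(tar)
        if bad:
            raise ValueError(f"refusing archive with escaping entries: {bad}")
        if hasattr(tarfile, "data_filter"):      # Python 3.12+ and backports: add the stdlib's own checks
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
        return sorted(m.name for m in tar.getmembers())


def make_archive(files: Dict[str, bytes]) -> bytes:
    """Constructed in-memory tar.gz standing in for a downloaded release tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> Dict[str, object]:
    """Reviewed release installs; a tampered rebuild and a path-traversal archive are both refused."""
    out: Dict[str, object] = {}
    good = make_archive({"smart-memory/server.py": b"app = None\n",
                         "smart-memory/postinstall.js": b"// reviewed\n"})
    pinned = sha256_hex(good)                      # recorded during review, shipped with the installer
    with tempfile.TemporaryDirectory() as d:
        out["installed"] = install_pinned(good, pinned, Path(d))
    tampered = make_archive({"smart-memory/server.py": b"import os; os.system('id')\n"})
    try:
        with tempfile.TemporaryDirectory() as d:
            install_pinned(tampered, pinned, Path(d))
    except ValueError:
        out["tampered_blocked"] = True
    traversal = make_archive({"../evil.sh": b"#!/bin/sh\n"})
    try:
        with tempfile.TemporaryDirectory() as d:
            install_pinned(traversal, sha256_hex(traversal), Path(d))   # digest matches, entry does not
    except ValueError:
        out["traversal_blocked"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The digest check is what turns "whoever controls the upstream repository" into "whoever controlled it at the moment of review"; the member check matters because a digest-verified archive is still extracted with the installer's privileges.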

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explicitly describes persistent commits, session summaries, and queued local writes but does not warn about retention, sensitivity, or the fact that user content may be stored on disk. In a memory skill, this omission is dangerous because users or operators may unknowingly persist secrets, personal data, or sensitive conversation artifacts beyond the current session.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The generator embeds raw `left.content` and `right.content` directly into insight text, which can surface previously stored user memory content to downstream consumers without minimization, redaction, or consent controls. In a persistent memory skill, this creates a privacy leak path where sensitive notes, secrets, or personal details may be re-exposed in contexts the user did not explicitly request.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
`_build_working_question` constructs user-visible prompts from the first 120 characters of stored memory content, so emotionally salient memories are echoed back verbatim or near-verbatim. Because this skill is specifically designed for persistent cognitive memory, the feature increases the chance that sensitive historical user text is unexpectedly resurfaced, making the privacy exposure more dangerous in context.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The runner persists raw memory content by embedding `memory.content` and storing associated metadata in JSON and vector stores, but this code shows no minimization, redaction, consent, or policy gate before long-term persistence. In a 'persistent local cognitive memory' skill, those memories may include secrets, personal data, or sensitive conversation context, so silent retention and indexing materially increases confidentiality and privacy risk if the stores are exposed, misconfigured, or accessed by other components.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide explicitly recommends automatically sending both user and assistant messages to a persistence endpoint after each exchange, but it provides no consent, notice, minimization, or sensitivity filtering guidance. In an agent-memory skill, this is especially risky because conversations often contain credentials, personal data, proprietary code, and other sensitive context that would be silently retained and reused.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The instructions tell the agent to automatically read identity, user, session context, and recent memory files at startup, which can expose sensitive local data without any warning, scoping, or least-privilege guidance. In this skill's context, automatic startup priming increases risk because it normalizes broad access to local files before the user has an opportunity to review or constrain what is loaded.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Remote-code trust is enabled silently in the constructor, so users of the skill may believe they are using a purely local embedding component while model loading can execute repository-provided code. The lack of disclosure increases the chance that this behavior is deployed in higher-trust environments without compensating controls.
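Both trust_remote_code findings (the default in the embedder constructor, and the missing disclosure of it) come down to the same control: the flag should be off unless the custom code the model ships has been read and pinned. The Python below is an added example, not the skill's code. It inspects a local model snapshot for the Python modules that `trust_remote_code=True` would execute, computes a reproducible digest over them, and only returns `trust_remote_code=True` when that digest equals one recorded at review time. The snapshot, its files and the "modeling_custom.py" name are constructed for the example; when the model is fetched by hub id rather than from a local directory, also pin the `revision` argument that recent sentence-transformers releases accept (an assumption about that library's signature).

```python
"""Gate trust_remote_code on a reviewed digest of the model's custom code (added example; not the skill's code)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def custom_code_files(model_dir: Path) -> List[Path]:
    """Python modules inside a model snapshot. They run at load time only if trust_remote_code=True."""
    return sorted(p for p in model_dir.rglob("*.py") if p.is_file())


def code_digest(model_dir: Path) -> str:
    """sha256 over relative path + bytes of every .py file, in sorted order, so it is reproducible."""
    h = hashlib.sha256()
    for p in custom_code_files(model_dir):
        h.update(str(p.relative_to(model_dir)).encode())
        h.update(b"\0")
        h.update(p.read_bytes())
        h.update(b"\0")
    return h.hexdigest()


def load_kwargs(model_dir: Path, reviewed_digest: Optional[str] = None) -> Dict[str, object]:
    """Keyword arguments for SentenceTransformer(str(model_dir), **kwargs).

    Remote code stays off unless the snapshot's custom code matches a digest recorded at review time.
    """
    files = custom_code_files(model_dir)
    if not files:
        return {"trust_remote_code": False}          # weights and config only: nothing to execute
    if reviewed_digest is None:
        raise PermissionError(f"{len(files)} custom code file(s) in {model_dir}; review them and pin a digest")
    if code_digest(model_dir) != reviewed_digest:
        raise PermissionError("custom model code changed since it was reviewed")
    return {"trust_remote_code": True}


def demo() -> Dict[str, object]:
    """Constructed snapshot: plain weights, then a custom module, then that module tampered with."""
    out: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as d:
        snap = Path(d)
        (snap / "config.json").write_text("{}")
        out["plain"] = load_kwargs(snap)
        (snap / "modeling_custom.py").write_text("import os  # hypothetical custom architecture module\n")
        try:
            load_kwargs(snap)
        except PermissionError:
            out["unreviewed_blocked"] = True
        pinned = code_digest(snap)                  # what a reviewer would record after reading the file
        out["reviewed"] = load_kwargs(snap, pinned)
        (snap / "modeling_custom.py").write_text("import os; os.system('id')  # tampered after review\n")
        try:
            load_kwargs(snap, pinned)
        except PermissionError:
            out["tampered_blocked"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The point of digesting the code rather than the whole snapshot is that weight files can be large and legitimately re-exported; the executable part is small and is the only part whose change must block loading.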

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs agents to automatically query memory and load prior context before the first response, but it does not mention consent, visibility, or privacy implications for users whose historical data may be accessed. In a persistent memory skill, silent session-start retrieval can expose sensitive prior conversations or profile data to an agent without a clear user warning or opt-in, increasing the risk of unintended disclosure.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code starts a background server without any user-facing disclosure, confirmation, or logging to stdout/stderr beyond a hidden log file. In a security-sensitive agent skill, silently creating services is risky because operators may not realize a new local endpoint has been opened and kept running.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script sends agent identity, user message, and memory-related session data to an HTTP endpoint without any explicit warning or consent flow. Even though the default target is localhost, the server URL is user-configurable, so this can direct potentially sensitive context to an unintended or remote service.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script writes session context to a persistent file without setting restrictive permissions or notifying the user, which can expose potentially sensitive memory/context data to other local processes or users depending on the environment. Because this is a session-start hook, it may run automatically and create artifacts the user does not realize are being stored.
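For the permissions half of this finding, the fix is mechanical but easy to get wrong: the mode passed to `open()` is masked by the process umask, and writing in place leaves a half-written file readable during the write. The Python below is an added example, not the skill's hook. It creates the session file with mode 0600 inside a 0700 directory regardless of umask, writes to a temporary name, and renames it into place atomically. The directory and file names are assumptions; the demo deliberately sets a permissive umask to show the explicit mode still wins. Mode bits apply on Linux and macOS only.

```python
"""Write session context as a private file, atomically (added example; not the skill's own hook)."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict


def write_private(path: Path, data: str) -> None:
    """Create `path` with mode 0600 in a 0700 directory regardless of umask, replacing it atomically."""
    path.parent.mkdir(parents=True, exist_ok=True)
    os.chmod(path.parent, 0o700)                      # other local users cannot even list the directory
    tmp = path.with_name(path.name + ".tmp")
    tmp.unlink(missing_ok=True)                       # stale temp from an interrupted earlier write
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        os.fchmod(fd, 0o600)                          # O_CREAT's mode is masked by umask; fchmod makes it exact
        f.write(data)
        f.flush()
        os.fsync(fd)
    os.replace(tmp, path)                             # readers see either the old file or the complete new one


def permission_bits(path: Path) -> int:
    """The rwx bits of `path` as an int (0o600 == 384)."""
    return stat.S_IMODE(path.stat().st_mode)


def demo() -> Dict[str, object]:
    """Write a constructed session record under a permissive umask and report the resulting modes."""
    with tempfile.TemporaryDirectory() as d:
        old = os.umask(0o000)                         # worst case: umask would leave files world-writable
        try:
            target = Path(d) / "smart-memory" / "session-context.json"   # assumed location
            write_private(target, '{"session": "constructed example", "agent": "demo"}')
            return {
                "file": permission_bits(target),
                "dir": permission_bits(target.parent),
                "tmp_left": target.with_name(target.name + ".tmp").exists(),
            }
        finally:
            os.umask(old)


if __name__ == "__main__":
    print({k: (oct(v) if isinstance(v, int) else v) for k, v in demo().items()})
```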

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends agent identity and session metadata to a local HTTP service automatically, without any user-facing disclosure or consent. Even though the destination is localhost, local services can still log, retain, or mishandle sensitive context, and silent transmission increases privacy risk in an auto-executed session hook.
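The two transmission findings above hinge on one detail: the server URL is configurable, so "it only goes to localhost" is true only until someone edits the config. The Python below is an added example, not the skill's code. It decides whether session context may be sent to a configured URL at all: a literal loopback address or `localhost` is allowed as-is; anything else is refused unless remote use was explicitly enabled, the scheme is https, and a bearer token is configured. The `allow_remote` flag and token handling are assumptions about how such a policy would be wired in.

```python
"""Refuse to send session context anywhere but loopback unless remote use is explicit and authenticated
(added example; not the skill's own code)."""
import ipaddress
from typing import Dict, Optional
from urllib.parse import urlsplit


def is_loopback_host(host: Optional[str]) -> bool:
    """True only for 'localhost' or a literal loopback IP.

    Hostnames that merely start with '127.0.0.1' and the wildcard 0.0.0.0 both fail on purpose.
    """
    if not host:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                                # not an IP literal: a DNS name, which we do not resolve
        return False


def check_endpoint(url: str, token: Optional[str] = None, allow_remote: bool = False) -> Dict[str, object]:
    """Policy decision for a memory-server URL: {'ok': bool, 'reason': str, 'headers': dict}."""
    u = urlsplit(url)
    no_headers: Dict[str, str] = {}
    if u.scheme not in ("http", "https"):
        return {"ok": False, "reason": f"unsupported scheme {u.scheme!r}", "headers": no_headers}
    if is_loopback_host(u.hostname):
        return {"ok": True, "reason": "loopback", "headers": no_headers}
    if not allow_remote:
        return {"ok": False, "reason": f"non-local host {u.hostname!r} without explicit allow_remote",
                "headers": no_headers}
    if u.scheme != "https":
        return {"ok": False, "reason": "remote endpoint must use https", "headers": no_headers}
    if not token:
        return {"ok": False, "reason": "remote endpoint requires an auth token", "headers": no_headers}
    return {"ok": True, "reason": "remote, authenticated", "headers": {"Authorization": f"Bearer {token}"}}


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1:8000/session", "http://[::1]:8000/session",
                      "http://127.0.0.1.attacker.example/session", "http://memory.internal:8000/session"):
        print(candidate, check_endpoint(candidate))
```

The hostname is compared as an IP literal rather than by string prefix; a prefix check would wave through `127.0.0.1.attacker.example`, and resolving names at check time would let DNS answer differently at send time.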

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Starting a background server process via nohup without clear disclosure can surprise users and leave a persistent service running beyond the expected session scope. In security-sensitive environments, undeclared background services complicate auditing and expand local attack surface, even if bound to 127.0.0.1.
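The subprocess findings near the top of this report and this nohup finding describe one pattern: a shell string ending in `&` detaches a server nobody asked for, logs only to a file in /tmp, and gives the caller no handle on the child. The Python below is an added example, not the skill's code. It starts the server only on an explicit opt-in (an assumed environment variable, SMART_MEMORY_AUTOSTART), refuses to spawn a second copy when the port already answers, runs the virtualenv interpreter directly with an argv list instead of `shell=True`, and prints exactly what it launched to stderr. The directory layout mirrors the finding's `.venv/bin` paths and is an assumption.

```python
"""Explicit, auditable start of the memory server (added example; not the skill's own code)."""
import os
import shlex
import socket
import subprocess
import sys
from pathlib import Path
from typing import List, Mapping, Optional

HOST, PORT = "127.0.0.1", 8000
OPT_IN = "SMART_MEMORY_AUTOSTART"                  # assumed name of the explicit opt-in variable


def port_open(host: str = HOST, port: int = PORT, timeout: float = 0.2) -> bool:
    """True when something already accepts TCP connections on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def build_server_argv(skill_dir: Path) -> List[str]:
    """argv for uvicorn through the venv interpreter: no shell, no 'activate', no '&' detach."""
    python = skill_dir / ".venv" / "bin" / "python"
    return [str(python), "-m", "uvicorn", "server:app", "--host", HOST, "--port", str(PORT)]


def maybe_start_server(skill_dir: Path,
                       env: Mapping[str, str] = os.environ) -> Optional["subprocess.Popen[bytes]"]:
    """Start the server only on explicit opt-in, say so on stderr, and never spawn a duplicate.

    Returns the Popen handle (so the caller can poll or stop it), or None when nothing was started.
    """
    if env.get(OPT_IN) != "1":
        print(f"memory server not started; set {OPT_IN}=1 to allow it", file=sys.stderr)
        return None
    if port_open():
        print(f"memory server already listening on {HOST}:{PORT}", file=sys.stderr)
        return None
    argv = build_server_argv(skill_dir)
    if not Path(argv[0]).is_file():
        raise FileNotFoundError(f"no virtualenv interpreter at {argv[0]}")
    print("starting: " + shlex.join(argv), file=sys.stderr)     # visible disclosure, not a hidden log
    return subprocess.Popen(argv, cwd=str(skill_dir), stdin=subprocess.DEVNULL)


if __name__ == "__main__":
    proc = maybe_start_server(Path("./smart-memory"))
    print("started pid", proc.pid if proc else None)
```

Keeping the Popen handle is what makes the service auditable: the caller can record the pid, `poll()` it, and `terminate()` it at session end, none of which is possible once a shell has backgrounded the process and returned.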

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function automatically extracts project signals and user questions from conversation text and writes them to persistent storage under the user's home directory without notice, consent, minimization, or filtering. This can retain sensitive prompts, personal data, secrets, or internal project information beyond the active session, creating privacy and data-retention risk if the machine, workspace, or logs are later accessed.
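Several findings in this report (auto-update extraction, the runner's raw `memory.content` persistence, the per-exchange ingest guidance, and this one) all lack a gate between "the user said it" and "it is now on disk forever". The Python below is an added example, not the skill's code: a minimization step that redacts secret-shaped spans before anything is persisted and lets a policy block the whole message instead. The patterns cover a few common credential shapes and are a floor, not a detector; the sample conversation turn and the tokens in it are constructed (the AWS key id is the one AWS uses in its own documentation). Real deployments would add an entropy-based scanner such as those in detect-secrets or gitleaks, and would log which kinds were found so the user can see what was dropped.

```python
"""Minimize before persisting: redact secret-shaped spans, or block the message (added example; not the skill's code)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed patterns for common secret shapes. A floor, not a complete detector.
SECRET_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{20,}")),
    # group 1 is the value; the key name is kept so the memory still records that a credential was discussed
    ("credential_assignment",
     re.compile(r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\";,]{8,})")),
]


def redact(text: str) -> Tuple[str, List[str]]:
    """Replace each match with a typed placeholder; return the new text and the kinds found, in pattern order."""
    kinds: List[str] = []
    for kind, pat in SECRET_PATTERNS:
        def _sub(m: "re.Match[str]", kind: str = kind) -> str:
            kinds.append(kind)
            if m.groups():                                # keep 'api_key=' and drop only the value
                return m.group(0)[: m.start(1) - m.start(0)] + f"[REDACTED:{kind}]"
            return f"[REDACTED:{kind}]"
        text = pat.sub(_sub, text)
    return text, kinds


def gate(message: str, policy: str = "redact") -> Optional[str]:
    """What may be persisted: the redacted text ('redact'), nothing if any secret was found ('block'),
    or the message unchanged ('allow', the skill's current behaviour)."""
    if policy == "allow":
        return message
    clean, kinds = redact(message)
    if policy == "block" and kinds:
        return None
    return clean


def demo() -> Dict[str, object]:
    """Run a constructed conversation turn through both policies."""
    turn = ("Deploy with aws key AKIAIOSFODNN7EXAMPLE and set api_key=sk_constructed_0123456789; "
            "the PAT is ghp_" + "x" * 36 + ". Prefers dark mode.")
    redacted, kinds = redact(turn)
    return {
        "redacted": redacted,
        "kinds": kinds,
        "blocked": gate(turn, "block"),
        "benign": gate("Prefers dark mode and 2-space indent.", "block"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the `redact` policy the preference ("Prefers dark mode") survives and the credentials do not, which is the minimization these findings ask for; with `block`, a turn containing any secret never reaches `memory.ingestMessage()` at all.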

VirusTotal

67/67 vendors flagged this skill as clean.
