super-memori

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a local memory tool, but it also performs broad host filesystem inventory and automatic maintenance in ways users should review before installing.

Install only if you are comfortable with a local memory system that can write durable memory files, run a loopback semantic helper, and inventory parts of your local workspace/cache during maintenance. Before enabling the startup hook or running index-memory, review the hygiene scan roots, Qdrant URL, hot-buffer directory, and command-log learning behavior; keep Qdrant local unless you intentionally want memory content sent elsewhere.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (24)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return False, f"semantic daemon script missing: {daemon_script}"
    proc = None
    try:
        proc = subprocess.Popen(
            ["python3", str(daemon_script)],
            cwd=str(WORKSPACE),
            env=os.environ.copy(),
Confidence
91% confidence
Finding
proc = subprocess.Popen( ["python3", str(daemon_script)], cwd=str(WORKSPACE), env=os.environ.copy(), stdout=subprocess.DEVNULL, stde

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The script sends extracted memory content and metadata to whatever Qdrant URL is supplied, with no enforcement that the endpoint is localhost, no TLS requirement, and no authentication checks. In a memory skill handling potentially sensitive long-term agent data, this can lead to unintended exfiltration if the URL is remote, intercepted, or misconfigured; the 'local-first' framing makes this mismatch more severe, since users will not expect memory content to leave the host.

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
The deduplication/update logic uses an MD5 of the file path rather than the file contents or modification state, so a changed file at the same path may be treated as already indexed and skipped. In a memory system, this creates stale or incorrect retrieval state, which can silently preserve outdated sensitive data or omit newer corrections, undermining integrity of memory operations.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This script reads arbitrary file content and stores a snippet plus embedding in persistent memory without any classification, consent, or review gate. In a memory skill, that is risky because users or upstream agents may accidentally ingest secrets, credentials, personal data, or unsafe instructions into long-term storage, expanding the blast radius of a single mistake.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The command named and described as index maintenance performs materially broader actions than reindexing, including recording agent-change history, compacting buffers, scanning system hygiene, planning cleanup, and refreshing operational memory. This violates the principle of least surprise and expands the blast radius of a routine maintenance command, making it easier for callers to trigger unrelated state changes or reconnaissance on the host under the guise of harmless indexing.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
System hygiene scanning and cleanup planning are out of scope for a memory indexing utility and create unnecessary capability to inspect broader host state. Even with destructive cleanup disabled here, the scan and plan expose environmental information and normalize privileged, unrelated operations inside a memory skill, increasing the chance of misuse or later expansion into harmful maintenance behavior.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The migration logic rewrites learning-file relations to fixed absolute paths under a specific user's home directory. This is unsafe because it silently mutates data to environment-specific targets that may not exist on another host, can leak host layout details, and can redirect future tooling to unintended files outside the skill's portable data model.

Intent-Code Divergence

Medium
Confidence
80% confidence
Finding
The script claims deterministic repair behavior, but one repair path depends on embedded host-specific absolute paths. That mismatch can cause inconsistent results across machines and makes 'repair' operations non-portable and misleading, increasing the chance of data corruption or broken references during automated maintenance.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The system hygiene feature scans not just agent memory but also broad host locations such as ~/.cache and ~/.local/share using recursive traversal. For a memory skill, this materially increases host visibility and can expose unrelated files, metadata, and operational details beyond user expectations or least-privilege needs.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill can independently start a background semantic daemon, which changes the runtime state of the host outside simple data retrieval. In the context of an agent skill, undisclosed process creation increases operational risk and creates a larger attack surface if the daemon is vulnerable or unexpectedly binds interfaces.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code defines scan roots that include the entire workspace plus user home cache/share directories, which exceeds a memory skill's stated purpose and creates unnecessary filesystem inventory of unrelated user data. In an agent setting, this broad collection can expose sensitive filenames, application artifacts, and operational metadata without a clear need-to-know boundary.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The scanner recursively catalogs arbitrary files by size, age, and naming heuristics, including logs, backups, temp files, and generic disk bloat unrelated to agent memory. This turns a memory utility into a general host inventory mechanism, increasing privacy risk and creating a surveillance-like record of user filesystem contents.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The cleanup planner generates structured plans for handling arbitrary filesystem artifacts outside the skill's core memory domain. Even if it does not delete files directly here, it operationalizes decisions about user data and can encourage downstream destructive actions on unrelated system files.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough to match ordinary conversational requests about remembering or recalling prior work, which can cause this powerful skill to activate in many contexts. Because the skill includes write, indexing, maintenance, and host-inspection pathways, overbroad activation increases the risk that an agent routes sensitive requests into a capability-rich tool without clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script copies raw command-log content into persistent JSON files under a pending review directory, which can capture sensitive commands, file paths, hostnames, tokens, or operational details without any explicit disclosure, redaction, or access-control step. In a memory skill whose purpose is to retain and reuse prior activity, this increases privacy and secret-retention risk because failed commands are being systematically persisted for later recall.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script uploads file content (truncated in payload, but full text used for embedding) to Qdrant without any explicit notice, consent, or confirmation about where the data is going. Because this skill is marketed as local-first memory and may process sensitive agent recollections, lack of disclosure increases the risk of accidental privacy and data-handling violations when operators point it at a non-local service.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
This code writes modified content back to learning files immediately after creating a backup, without an explicit confirmation barrier at the mutation point. In a memory-repair skill, silent mutation is risky because an agent or caller can trigger persistent state changes that alter retained knowledge unexpectedly.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This code persistently records detailed system-change history, including exact paths, packages, services, command summaries, rollback hints, and timestamps, into markdown/JSONL files under memory storage. In a local-first memory skill, that data can expose sensitive operational details and create a privacy/security issue if other local users, processes, backups, or later agent workflows can read it, especially because this file does not enforce restrictive permissions, redaction, encryption, or an explicit consent/disclosure boundary.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The hot buffer writes recent change events to /dev/shm or /tmp, which are shared runtime locations that may be readable by other local users or processes depending on system configuration. Because the entries can include affected paths, packages, services, and change summaries, this creates a local information-disclosure surface and a weaker trust boundary than private application storage.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This file starts a background daemon without any user-facing disclosure or warning. Even if intended for local functionality, silent process creation is dangerous in agent tooling because it can surprise operators, persist beyond a session, and mask unintended resource consumption or service exposure.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The code sends memory content and queries over HTTP to local services, but this file provides no user-facing notice that private memory data leaves the main process. In a memory skill, that matters because sensitive recalled content may be forwarded to auxiliary services unexpectedly, which becomes more dangerous if those endpoints are misconfigured or compromised.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script is configured to scan sensitive filesystem areas without any built-in user-facing notice, consent, or warning at the point of operation. In a local agent context, silent traversal of workspace and home-cache paths can violate user expectations and expose metadata about unrelated applications and files.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code persists discovered file metadata, including paths and file characteristics, into a findings file without visible disclosure that this inventory will be stored. Persisting this data compounds the privacy risk because sensitive path information remains available after the scan and may later be consumed by other components.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
        proc = subprocess.Popen(
            ["python3", str(daemon_script)],
            cwd=str(WORKSPACE),
            env=os.environ.copy(),
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            start_new_session=True,
Confidence
96% confidence
Finding
os.environ.copy()

VirusTotal

66/66 vendors flagged this skill as clean.
