Elite Human Memory Hermes

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent local memory skill, but it can automatically read and persist long-term user context with broad triggers and limited consent or retention guidance.

Review before installing if you do not want an agent to maintain a durable local memory of your preferences, decisions, projects, and conflicts. Use it only with explicit memory-read and memory-write rules, inspect the memory/ files regularly, and avoid storing secrets, regulated data, or sensitive personal details unless you have clear deletion and retention controls.

SkillSpector (6)

By NVIDIA

Vague Triggers

Medium, 92% confidence
The auto-read trigger 'the current context feels incomplete or contradictory' is highly subjective and gives the agent broad discretion to access stored memory without a clear user request. In a memory skill that handles potentially sensitive long-term user data, this can cause unnecessary retrieval of persisted information and expand data exposure beyond user intent.

Vague Triggers

Medium, 94% confidence
The auto-write criteria such as 'clear decisions,' 'repeated preferences,' and 'new long-running context' are underspecified and may cause the agent to persist information the user did not intend to store. Because writes modify files in the memory directory and can create durable records of sensitive preferences or contextual details, overbroad triggers create privacy and integrity risks.

Missing User Warnings

Medium, 90% confidence
The guide describes automatic reads, writes, and directory creation for persisted memory, but it does not clearly warn users that data may be stored on disk and later reused. In the context of a human-like memory system with semantic search and conflict logging, lack of transparency undermines informed consent and increases the chance of silent collection or modification of user data.

Vague Triggers

Medium, 90% confidence
The README states the agent will 'automatically begin using semantic search + metadata filtering' based on broad user references to past decisions, preferences, or context. In a memory skill, this can cause unintended invocation and collection/retrieval of sensitive context without sufficiently explicit user intent, increasing privacy and overreach risks.

Missing User Warnings

Medium, 95% confidence
The skill explicitly enables auto-write behavior and conflict logging that persist conversation-derived data to local files, but it does not require clear user disclosure or consent before storing potentially sensitive information. Because the skill is a memory system whose purpose is to capture user history, preferences, and contextual facts, the absence of an explicit privacy warning and opt-in mechanism materially increases the risk of unintentionally retaining secrets, personal data, or regulated information.

Vague Triggers

Medium, 90% confidence
The trigger 'the current context feels incomplete or contradictory' is subjective and overly broad, allowing the agent to initiate memory reads without a precise user request. In a memory skill that can access historical conversations and semantic indexes, this ambiguity can cause unnecessary retrieval of sensitive prior data and expand access beyond user expectations.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
