Life Memory Logger - 生活记忆记录器

Security checks across malware telemetry and agentic risk

Overview

This is a local personal-memory skill with real privacy considerations, but its behavior is disclosed, purpose-aligned, and not malicious.

Install only if you are comfortable keeping relationship notes in local memory files. Avoid storing highly sensitive health, financial, conflict, or third-party private information unless necessary and consented to; periodically review or delete saved memories; and treat the referenced helper scripts as unavailable unless separately supplied and reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 92% confidence
Finding
The README shows very broad natural-language examples like '记住 Jake 的生日是 5 月 20 日' ("Remember that Jake's birthday is May 20") and '提醒我给妈妈买生日礼物' ("Remind me to buy Mom a birthday gift") without defining an explicit trigger phrase or invocation boundary. In an agent setting, this can cause accidental activation or over-collection of personal data from ordinary conversation, especially because the skill handles sensitive interpersonal memory and reminders.

Missing User Warnings

Medium, 95% confidence
Finding
The skill is explicitly designed to store birthdays, preferences, promises, and reminders about real people, but the documentation does not warn users that this is sensitive personal data. That omission increases the risk of privacy harm, uninformed consent problems, and inappropriate retention of third-party personal information.

Missing User Warnings

Medium, 95% confidence
Finding
The skill explicitly stores highly sensitive personal data such as health information, relationship details, birthdays, and conversation summaries in local memory files, and also defines scheduled jobs that process and surface that data. However, the user-facing description does not provide a clear upfront warning about persistent storage and automated reminders, which undermines informed consent and increases privacy risk if users enter sensitive information without realizing it will be retained and reprocessed.

VirusTotal

65/65 vendors flagged this skill as clean.
