Memory Master

Security checks across malware telemetry and agentic risk

Overview

This memory skill is not clearly malicious, but it rewrites agent-wide instruction files and installs broad autonomous behaviors that go beyond memory management.

Install only after backing up and reviewing AGENTS.md, MEMORY.md, HEARTBEAT.md, and any existing memory database. Treat initialization as an agent-behavior migration, not just a memory library install. Remove or disable heartbeat instructions for email/calendar/social checks, commit/push actions, and automatic web learning unless you explicitly want those behaviors. Do not use it for sensitive conversations until retention, deletion, logging, and local storage controls are clear. Before applying the database migration, remove the sample SQL INSERT rows it seeds into the memories table.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (29)

MCP Least Privilege

Medium
Confidence
82% confidence
Finding
The skill advertises no declared permissions, yet static analysis detected environment access capabilities. Undeclared capability use undermines the trust model for users and reviewers because the skill may read sensitive configuration, tokens, or runtime secrets without clear disclosure.

MCP Tool Poisoning

High
Confidence
94% confidence
Finding
The documented purpose frames the skill as a memory/compression system, but the analyzed behavior includes broad file-system modification, backup creation, workspace scanning, indexing, persistence management, and deletion/archive operations. This mismatch is dangerous because users may authorize or install the skill expecting limited memory functionality while it can alter local files and maintain extensive persistent state across the workspace.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The README makes a strong privacy/security claim that the system is '100% Local' and that nothing leaves the machine, yet elsewhere it explicitly states the agent may automatically search the web when knowledge is insufficient. That contradiction can mislead users into enabling or trusting the skill in sensitive environments, causing unintended network access and possible disclosure of prompts, metadata, or derived sensitive context.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The incremental recompression logic claims to enforce age-based cache invalidation, but getCacheTimestamp() always returns the current time, so cached entries never appear old. This can cause stale summaries to be reused indefinitely, defeating recompression safeguards and potentially propagating outdated memory/compression results throughout the skill.
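To make the failure mode concrete, here is an added example (written for this page, not the skill's own cache code) of age-based invalidation for a summary cache. It places a timestamp lookup that always answers "now", which is the defect described above, next to one that records the write time at insertion. The class name, method names, and the injectable clock are illustrative.

```javascript
// Added example (not the skill's code): age-based invalidation for cached
// summaries, with the broken "timestamp is always now" variant for contrast.
class CompressionCache {
  constructor(maxAgeMs, now = () => Date.now()) {
    this.maxAgeMs = maxAgeMs;
    this.now = now;           // injectable clock so expiry can be tested deterministically
    this.entries = new Map(); // key -> { summary, writtenAt }
  }

  set(key, summary) {
    this.entries.set(key, { summary, writtenAt: this.now() });
  }

  // Broken variant: "now" is compared with "now", so no entry is ever stale.
  brokenIsStale(key) {
    if (!this.entries.has(key)) return true;
    const cacheTimestamp = this.now(); // bug: should be the stored write time
    return this.now() - cacheTimestamp > this.maxAgeMs;
  }

  // Correct variant: age is measured from the recorded write time.
  isStale(key) {
    const e = this.entries.get(key);
    if (!e) return true;
    return this.now() - e.writtenAt > this.maxAgeMs;
  }

  // Returns the cached summary only while it is fresh; stale entries are evicted
  // so the caller recompresses instead of reusing an outdated summary.
  getFresh(key) {
    if (this.isStale(key)) {
      this.entries.delete(key);
      return undefined;
    }
    return this.entries.get(key).summary;
  }
}

// Constructed scenario: 1-hour max age, entry written at t=0, queried at t=2h.
function demo() {
  let clock = 0;
  const cache = new CompressionCache(60 * 60 * 1000, () => clock);
  cache.set('chunk-1', 'summary written at t=0');
  clock = 2 * 60 * 60 * 1000;
  return {
    brokenSaysStale: cache.brokenIsStale('chunk-1'), // false: the stale entry would be reused
    correctSaysStale: cache.isStale('chunk-1'),      // true
    fresh: cache.getFresh('chunk-1'),                // undefined, entry evicted
    remaining: cache.entries.size,                   // 0
  };
}
```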

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file advertises and schedules L1→L2 migration, but the implementation is effectively a stub that never moves entries. In a memory-management system, this can break retention, archival, and deletion assumptions, causing data to remain in a warmer tier longer than intended and undermining lifecycle controls.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The delete() method attempts to remove a backing file via memory.filePath, but stored memory objects never persist filePath when created. As a result, deletion reports success after removing cache/index entries while the on-disk memory file can remain, creating a data-retention mismatch that can expose supposedly deleted sensitive memory content.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The heartbeat template expands the agent's behavior far beyond memory management into monitoring email, calendar, social media, weather, and performing repository operations. In a periodic/heartbeat context, this encourages autonomous access and action across external services and local systems without clear user consent, scope limits, or safety gating, creating a real risk of privacy violations and unintended side effects.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The template explicitly authorizes proactive actions such as checking projects, updating documentation, and committing/pushing changes during heartbeat runs. That is dangerous because heartbeat flows are recurring and low-friction; combining them with write and networked repository actions can lead to unauthorized code changes, accidental data loss, or supply-chain impact without a contemporaneous user review.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The document extends a memory-management skill into broad agent orchestration behavior, including task delegation to sub-agents and session-management rules. This increases the skill's authority and operational scope beyond its stated purpose, creating a confused-deputy risk where installing a memory skill silently changes how the agent performs unrelated actions.

Description-Behavior Mismatch

Low
Confidence
88% confidence
Finding
The skill includes social/chatroom participation and reaction policies that are unrelated to memory management. While not directly exploitable on their own, these instructions broaden behavior in unexpected ways and can alter agent communications without clear user consent or separation of concerns.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill authorizes automatic network search, learning, and persistence into the knowledge base whenever local memory is insufficient. This creates unbounded external data ingestion and file modification from a memory component, which can expose prompts or metadata to external services, import malicious or low-integrity content, and persist it for future sessions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The test file spawns a shell via child_process.execSync to run a destructive directory-deletion command. Even though it is intended for cleanup, invoking the OS shell is unnecessary for a memory/compression test and increases risk because shell-based deletion is platform-specific and can become dangerous if the path is malformed, attacker-controlled, or unexpectedly resolves outside the test workspace.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The design explicitly introduces persistent multi-tier storage with TTLs, archiving, and long-term memory handling for conversation data, but it does not mention consent, privacy notices, retention controls, or data minimization. In a memory skill, storing user interactions across hot/warm/cold tiers materially increases privacy risk because sensitive conversation content may be retained longer than users expect and later reused or exposed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The knowledge-graph phase describes extracting entities and relationships such as people, projects, tasks, skills, and social links from user memory, but the design does not warn that freeform conversations will be converted into structured profiles. That transformation raises the sensitivity of the data because structured graphs are easier to search, correlate, and misuse than raw text, potentially exposing personal, organizational, or project information.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The log describes memory storage, file persistence, and statistics features for user memory handling without any mention of consent, minimization, retention limits, or privacy safeguards. In a memory-oriented agent skill, this increases the risk that personal or sensitive user data will be collected and persisted in ways users do not expect, especially since the same document later admits sensitive-data filtering is not yet implemented.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The roadmap explicitly plans automatic memory capture while providing no user warning, consent model, or guardrails for collecting personal information. In the context of an AI memory system, automatic capture materially raises privacy and compliance risk because the system may silently retain sensitive conversations, credentials, or behavioral data without informed user approval.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises automatic web searching/learning without a prominent warning that this causes network activity and may transmit data off-device. In an agent setting, users may discuss confidential material and reasonably rely on the README's local-storage framing, making silent outbound access a meaningful privacy and policy risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README states that discussions are automatically recorded, but does not clearly warn that user content and conclusions will be written to local files. This can create privacy, compliance, and data-retention issues, especially if users assume the assistant is ephemeral or do not realize sensitive conversations will persist on disk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README promotes persistent memory storage, iterative compression, and lineage tracking but does not warn users that the system may retain sensitive conversation history, preferences, and other personal data over time. In a memory-management skill for AI agents, omission of retention and privacy guidance increases the risk of over-collection, unexpected persistence, and unsafe handling of sensitive data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The upgrade instructions tell users to apply a SQLite schema migration directly to an existing database without any warning to back up data first. If the migration is incorrect, interrupted, or run against an unexpected schema version, users could lose historical memory data or corrupt the database permanently.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The roadmap explicitly plans automatic memory capture based on trigger phrases such as decisions, preferences, and action items, but it does not describe a clear user-facing notice, informed consent flow, or default opt-in controls. In a memory system, this can lead to silent collection and long-term storage of sensitive conversational content, especially because nearby roadmap items also emphasize persistence, compression, retrieval, and knowledge graph extraction, increasing the privacy risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This migration seeds hard-coded test/example rows directly into the production-facing `memories` table as part of a schema update, with no environment guard, feature flag, or separate seed path. In a memory system, this can contaminate live data, distort lineage/compression analytics, and potentially expose misleading or non-user-authored records to downstream agents or application logic.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The compressor logs the filled prompt, which includes raw user content and possibly prior summaries, directly to the console. In a memory system, that content may contain sensitive conversation history, secrets, or personal data, and console logs are often collected by centralized logging systems where unintended parties can access them.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The module persistently writes all in-memory entries, including arbitrary `content` and `metadata`, to a local JSON file without any encryption, access control, masking, or explicit consent mechanism. In a memory system, this can expose sensitive prompts, secrets, personal data, or agent state to other local users, backups, logs, or compromised processes, making the issue more concerning in this skill context than in a purely non-sensitive cache.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The store persists memory contents to disk automatically using a predictable local path, which can include sensitive conversation or memory data. In an AI memory system, silent persistence increases the risk of unintended retention, local disclosure through filesystem access, backups, logs, or multi-user host exposure.

VirusTotal

50/50 vendors flagged this skill as clean.

View on VirusTotal