Memory Keeper

Security checks across malware telemetry and agentic risk

Overview

This backup skill is coherent, but it can copy private agent memory and optional extra files to any git remote and includes unsafe token/logging guidance.

Review carefully before installing. Use a local archive or a private repository you control, inspect the files before any push, avoid broad --allow-extra patterns, do not embed tokens in remote URLs, and clean or redact memory logs if a remote URL ever contained credentials. Avoid cron/heartbeat backups unless ongoing archival of future memory is intentional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium, 95% confidence
Finding
This script can push archived memory files to an arbitrary remote repository, which can exfiltrate highly sensitive agent context such as credentials, prompts, configuration, and operational history. In the context of a memory backup skill, this is especially dangerous because the targeted files are explicitly likely to contain sensitive data, and the manifest emphasizes backup/transfer behavior that could normalize sending them elsewhere.

Context-Inappropriate Capability

Medium, 93% confidence
Finding
The --allow-extra option broadens the tool from backing up defined memory/context files to copying arbitrary files and directories matched from the workspace. That creates a clear path to overcollection and exfiltration of unrelated sensitive material, especially when combined with git commit/push support to a remote destination.

Missing User Warnings

Low, 89% confidence
Finding
The README explicitly states that every successful run appends a timestamped entry to `memory/YYYY-MM-DD.md`, which means the skill modifies user memory/journal data as a side effect of backup operations. While this appears intended for auditability rather than abuse, the documentation does not prominently warn users that running the backup tool will mutate files in the workspace, which can surprise users, pollute journals, or interfere with workflows that expect snapshotting to be non-destructive.

Missing User Warnings

Medium, 96% confidence
Finding
The skill description promotes `--remote ... --push` for archiving agent memory files but does not explicitly warn that this sends potentially highly sensitive context documents to an external repository. Given the files listed include MEMORY.md, AGENTS.md, SOUL.md, USER.md, and other internal state/configuration artifacts, omission of that warning materially increases the chance of accidental data exfiltration.

Missing User Warnings

Medium, 95% confidence
Finding
The documentation explicitly instructs users to archive sensitive agent memory files and push them to a remote Git repository, but it provides no warning that these files may contain secrets, internal instructions, credentials, or highly sensitive context. In the context of a memory-backup skill, this materially increases the chance of accidental data exfiltration because users are encouraged to transmit broad workspace state off-host without any sensitivity review or redaction guidance.

Missing User Warnings

Medium, 99% confidence
Finding
The troubleshooting text suggests embedding a personal access token and using `GIT_ASKPASS=echo` with the token, which is unsafe because tokens can be exposed in shell history, process listings, logs, CI output, or copied command transcripts. This is especially dangerous here because the skill handles archived memory/context data, so compromise of the token can combine repository access with exposure of sensitive agent backups.

Missing User Warnings

Medium, 92% confidence
Finding
The skill handles files that are very likely to contain sensitive agent memory and configuration, yet it provides no explicit warning, review step, or secret scanning before archiving and potentially pushing them remotely. In this skill context, the absence of disclosure safeguards materially increases the risk of accidental leakage because users may assume backup behavior is routine and safe.

VirusTotal

65/65 vendors reported this skill as clean.
