Memory MCP

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it should be reviewed carefully because it directs agents to persist conversations, profile users, extract entities, and share memory content without clear consent or retention safeguards.

Install only if you intentionally want persistent cross-session memory and trust the configured memory MCP server. Before use, confirm where memories are stored, how to delete/export them, whether persona or mood tracking can be disabled, and require explicit approval before sharing any stored memory with another user.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The README identifies this as the 'Memory MCP OpenClaw Skill' but links to a different path (`memory-mcp-sql/skill/SKILL.md`), creating a skill identity mismatch. In an agent-skill context, incorrect cross-references can cause operators or automated loaders to review one skill while actually loading instructions from another, which increases the risk of prompt confusion, misconfiguration, or accidental trust in the wrong artifact.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding:
The README states that this directory contains the instruction manual for this skill, but the only linked manual points to a different skill location. This inconsistency is dangerous because users, auditors, or tooling may inspect the README in good faith yet be directed to another skill's instructions, undermining provenance checks and making supply-chain style substitution or review bypass easier.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The README advertises persona tracking, mood tracking, and learning-pattern memory without any visible warning, consent model, retention guidance, or privacy boundary. In this skill context, the capability is specifically designed for persistent cross-session memory and behavioral profiling, which makes silent collection of sensitive personal inferences more dangerous because it can accumulate detailed user profiles without informed consent or clear limits.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill prominently enables persistent storage of conversations, persona traits, mood, learning patterns, and cross-session context without a clear user-facing privacy warning or consent expectation. This is dangerous because agents may collect and retain sensitive behavioral data beyond what users reasonably expect, increasing privacy, compliance, and misuse risk.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The documented sharing capability allows stored content to be sent to other users without any visible warning about disclosure sensitivity, approval requirements, or access-control expectations. This is dangerous because an agent could share personal or confidential memory contents with another account without informed consent or adequate review.

Ssd 3

Severity: Medium
Confidence: 94%
Finding:
The workflow instructs the agent to store user and agent conversation content during the session and save summaries at the end by default, normalizing broad retention of conversational data. This is dangerous because it can capture secrets, personal data, or sensitive context indiscriminately, creating unnecessary long-term exposure if the memory store is accessed, shared, or breached.

Ssd 3

Severity: Medium
Confidence: 92%
Finding:
Encouraging entity extraction from user messages to build a persistent knowledge graph creates durable profiles about the user and related individuals across sessions. This is dangerous because it can collect third-party personal information and relational context without consent, amplifying surveillance and privacy harms beyond the immediate conversation.

VirusTotal

64/64 vendors flagged this skill as clean.