Clawng Term Memory

Security checks across malware telemetry and agentic risk

Overview

This skill openly backs up agent memory to GitHub, but it gives itself broad automatic authority over sensitive agent files with limited review safeguards.

Install only if you deliberately want agent memory, rules, identity files, and installed skills stored in a private GitHub repository. Use least-privilege SSH or repo-scoped credentials, review diffs before pushing, keep secrets out of tracked files, and avoid the automatic merge/synthesis flow until the /tmp output, stdout logging, and human-review gaps are addressed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The script aggregates all agents' MEMORY.md contents into a plaintext file under /tmp, which is outside the repository's normal access controls and lifecycle. Because these memory files can contain sensitive prompts, credentials, internal notes, or other agent state, writing them to a temporary shared filesystem and then printing them to stdout materially increases the chance of disclosure to other local users, logs, or monitoring systems.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding:
The wording that tells the agent to use the skill 'whenever core knowledge files are modified', and for common actions such as showing history or diffs, creates a very broad activation surface. In practice, this can cause routine edits to trigger automatic commit/push behavior on sensitive files without a deliberate review step, increasing the chance of accidental data exfiltration.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
The description emphasizes portability and persistence but does not prominently warn that agent memory, identity, operating rules, and installed skills may be pushed off-machine to GitHub. That omission is dangerous because operators may store secrets, private user context, or internal instructions in these files and unknowingly replicate them to a remote service.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The staging path is created under /tmp and the script provides no warning, consent, or safeguards before collecting potentially sensitive memory data from all agent branches. In the context of this skill, which explicitly persists and synchronizes core knowledge across machines, MEMORY.md is likely to contain high-value internal state, so placing merged plaintext in a commonly shared temporary location meaningfully raises exposure risk.

Ssd 3

Severity: High
Confidence: 97%
Finding:
The core workflow directs the agent to persist and push SOUL.md, MEMORY.md, and other knowledge artifacts as a matter of routine operation. These files are likely to contain sensitive prompts, private memories, operational rules, and potentially user-derived data, so mandatory automatic sharing creates a direct natural-language data leakage channel.

Ssd 3

Severity: High
Confidence: 98%
Finding:
The multi-agent workflow instructs collection of MEMORY.md from multiple agent branches and synthesis into a shared memory artifact. This substantially increases sensitivity because information from separate machines, contexts, or users can be aggregated, cross-contaminated, and redistributed, amplifying both privacy and confidentiality risks.

Ssd 3

Severity: Medium
Confidence: 92%
Finding:
The 'Every time, no exceptions' auto-commit rule removes discretion and safety checks before persisting changes to sensitive knowledge files. That rigidity is dangerous because even temporary notes, mistaken edits, secrets, or harmful prompt injections can be committed and pushed before anyone reviews them.

VirusTotal

59/59 vendors flagged this skill as clean.