Inkwell

Security checks across malware telemetry and agentic risk

Overview

Mindkeeper is a disclosed memory setup skill, but it can retain and index sensitive conversations if users enable its optional automation features.

Install only if you want persistent agent memory. Before enabling transcript storage, QMD session indexing, or daily consolidation, decide what data may be captured, avoid storing secrets, review the cron prompt and memory updates, periodically delete old transcripts, and inspect or replace the curl-to-bash installer with a safer verified install path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation text uses very broad trigger phrases such as 'organizing agent knowledge' and 'setting up memory,' which can cause the skill to activate during ordinary user requests that are not asking for intrusive workspace modification. In this context, accidental activation is risky because the skill leads to filesystem setup and encourages automated consolidation behavior, potentially causing unexpected file creation or configuration changes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The setup description does not clearly warn that the skill is intended to enable automated file-writing, session knowledge extraction, transcript storage, and scheduled consolidation via cron or equivalent mechanisms. In a memory-management skill, that omission is security-relevant because users may consent to benign-looking setup without understanding that persistent data capture and recurring background processing are part of the design.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users to install an automated cron job that reviews daily sessions and may access session transcripts and then write changes across multiple memory and project files, but it does not prominently warn about that breadth of access or the autonomous write behavior. This can cause users to enable background processing of potentially sensitive conversations without informed consent, increasing the risk of privacy leakage, over-collection, or unintended modifications to important files.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide explicitly encourages indexing memory files, knowledge bases, and session transcripts, but it does not prominently warn that these sources may contain secrets, personal data, or sensitive operational context. In a memory/bootstrap skill, this omission is meaningful because users are likely to enable broad indexing by default, increasing the chance of unintended exposure through search results or downstream tooling.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger list includes common conversational phrases such as "goodnight" and "shut down," which can appear in ordinary dialogue and may unintentionally activate an end-of-day routine. In this skill's context, unintended activation is more dangerous because the routine can run consolidation workflows, modify memory files, and potentially stop the gateway, affecting availability and state integrity.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The phrase "or similar" leaves the activation boundary undefined, encouraging implementations that match loosely related language rather than a precise command. In a shutdown/sign-off workflow, this ambiguity increases the chance of accidental invocation of actions that update persistent memory or take the agent offline.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guidance explicitly instructs storing raw voice transcripts locally, but it does not require user consent, data minimization, or a clear retention/privacy notice. Because transcripts may contain sensitive personal, operational, or credential-like content, persistent storage creates a realistic privacy and data exposure risk if the workspace is accessed by other tools, users, backups, or logs.

Ssd 3

Medium
Confidence
96% confidence
Finding
The file prescribes persistent, append-only logging of raw transcripts and corrections in daily files, which creates a durable repository of natural-language sensitive data. Even with gitignore, local plaintext retention increases the chance of disclosure through local compromise, syncing, backups, support bundles, or accidental reuse by other agent components.

Ssd 3

Medium
Confidence
89% confidence
Finding
The recommendation to echo raw transcript text back can unnecessarily re-display sensitive spoken content, including names, URLs, account details, or confidential instructions. While intended for verification, "always echo" behavior broadens exposure in shared screens, chat logs, notifications, and downstream message retention systems.

External Script Fetching

High
Category
Supply Chain
Content
```
wsl --install

# Inside WSL2:
curl -fsSL https://bun.sh/install | bash
bun install -g @tobilu/qmd
```
Confidence
97% confidence
Finding
curl -fsSL https://bun.sh/install | bash

Chaining Abuse

High
Category
Tool Misuse
Content
```
wsl --install

# Inside WSL2:
curl -fsSL https://bun.sh/install | bash
bun install -g @tobilu/qmd
```
Confidence
96% confidence
Finding
| bash

VirusTotal

65/65 vendors flagged this skill as clean.
