🧠 Tiered Recall - Tiered Recall System

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local memory-recall skill, but it can bring prior workspace notes and project snippets into future assistant context.

Install this only in workspaces where you intentionally want prior memory files and selected project context reused by the assistant. Keep secrets, credentials, private notes, and sensitive source files out of MEMORY.md, memory logs, and configured project key files; review the broad project keywords if recalls pull in unrelated context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation advertises file read/write-capable scripts but does not declare permissions, which undermines informed consent and security review. In a memory/recall skill, undeclared filesystem access is meaningful because the feature inherently touches historical logs and indexes, and could read or modify broader workspace files if not constrained.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The declared purpose is memory recall, but the detected behavior expands into project detection, topic classification, generating projects.json, and reading key files from project paths for preview. That mismatch is dangerous because users and integrators may grant trust based on a narrow recall function while the skill performs broader workspace discovery and content access, increasing the chance of unintended data exposure.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
In project recall mode, the script goes beyond loading the slim index and directly reads files from project paths listed in metadata, then emits content previews. That behavior expands the tool from index-based memory recall into arbitrary workspace file disclosure, which can expose secrets, source code, or sensitive documents if project metadata is stale, overbroad, or attacker-influenced.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README explicitly documents automatic loading of MEMORY.md, recent logs, active projects, and an index on new sessions, but it does not warn users that these sources may contain sensitive information that will be surfaced into model context. In a memory/recall skill, silent default ingestion increases the chance of unintended disclosure of private project data, credentials, internal notes, or cross-project information to the assistant or downstream integrations.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The manifest enables automatic activation on session start and grants both file and memory read/write permissions, but it does not present any user-facing warning or consent mechanism about automatic data access and possible modification. In a memory-oriented skill, this increases the risk of unexpected persistence, overwriting of workspace artifacts, or collection of sensitive contextual data without the user clearly understanding the privacy and integrity implications.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script prints memory contents, recent logs, project metadata, topic excerpts, and file previews directly to stdout without a clear sensitivity warning or confirmation step. In an agent/tooling context, stdout is often captured, relayed, or logged elsewhere, so this can unintentionally disclose sensitive workspace information beyond the user's immediate expectation.

VirusTotal

64/64 vendors flagged this skill as clean.