Engram MCP Server

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local memory server, but it gives agents broad authority to persist personal/tool-use history and import remote memory packs with limited consent controls.

Install only if you are comfortable with an MCP server that lets your agent save conversation details and tool activity into local memory files, share some memories across experts, write Engram markdown in your project, and clone remote Engram packs. Before use, edit or disable automatic capture/logging prompts for personal or sensitive topics, install packs only from trusted sources, avoid leaving the web UI running unnecessarily, and periodically review or delete .claude/engram and ~/.engram memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (47)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
}

    try:
        subprocess.run(
            ["git", "clone", source, str(target_dir)],
            capture_output=True,
            text=True,
Confidence
93% confidence
Finding
subprocess.run( ["git", "clone", source, str(target_dir)], capture_output=True, text=True, check=True, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises only a high-level MCP memory server purpose, but the manifest does not declare the powerful capabilities it appears to require, including shell, network, file read/write, and MCP access. This weakens user consent and review because operators cannot accurately assess the trust boundary before installation or use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared description frames the skill as expert-memory injection, but the observed behavior set is substantially broader: remote installation, network registry fetches, arbitrary pack creation/editing, memory persistence, tool-trace capture, and a web UI/API. This mismatch is dangerous because users may authorize a seemingly narrow skill while unknowingly granting capabilities that can modify files, persist sensitive data, and expose services locally.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The installation metadata runs a remote script directly via curl piped to sh, which executes unpinned code from the network at install time. If the upstream host, transport path, or script content is compromised, installation can lead to arbitrary code execution on the user's system.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The loader persists structured tool execution traces, including tool name, intent, argument summaries, results, status, optional tags, and conversation identifiers, into long-lived memory without any visible consent, minimization, or sensitivity filtering. In an MCP setting, tool traces can contain secrets, personal data, internal paths, or operational context, so retaining them creates a meaningful privacy and data-exposure risk if packs are later read, synced, or inspected.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README promotes automatic capture of user preferences and key information, plus cross-expert shared memory, without clearly requiring informed user consent, disclosure, minimization, or controls for sensitive data. In a memory-sharing MCP server, this can cause silent collection and propagation of personal data across multiple agents and contexts, increasing privacy and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The system-prompt guidance instructs the AI to record every tool invocation, including external tools, into persistent tool-trace memory, but does not pair that with a clear notice to users that their actions and derived metadata are being logged. This creates a risk of covert activity logging and retention of potentially sensitive operational details, prompts, arguments, and outcomes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file provides postpartum exercise guidance for a potentially medically sensitive population while only mentioning an internal assessment step ('先确认无医学禁忌', i.e. "first confirm there are no medical contraindications") rather than giving the user a clear warning to obtain professional evaluation. In the context of an AI fitness coaching skill, users may treat this as actionable health advice and begin training despite unresolved postpartum complications such as diastasis recti, pelvic floor dysfunction, pain, or bleeding.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow provides exercise and nutrition guidance, including handling of pain cases, without clearly warning users that this is not medical advice or directing them to qualified clinicians for non-acute pain, underlying conditions, or individualized assessment. In a fitness-coaching skill, users may over-rely on the agent for health-related decisions, which can delay appropriate evaluation or worsen injuries and medical conditions.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The activation description is broad enough to match common topics like philosophy, life confusion, and learning, which can cause this persona skill to load in situations beyond the user's actual intent. While not directly enabling code execution or data theft, over-broad triggering can steer conversations into an unintended persona, degrading reliability and potentially overriding safer or more appropriate skills.

Natural-Language Policy Violations

Medium
Confidence
72% confidence
Finding
The description is written entirely in Chinese and binds the skill to a Chinese-language philosophical persona without stating whether it supports other user languages. This can cause unintended activation or response-language mismatch, especially in multilingual environments, leading to confusion, reduced user control, and possible misinterpretation of advice or historical content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The rules explicitly instruct the agent to elicit and persist sensitive personal life information, including life problems, work/family/relationship circumstances, and value-laden attitudes, during onboarding and normal conversation. There is no user-facing notice, consent step, retention limit, or minimization guidance, which creates a privacy risk and increases the chance of collecting more sensitive data than necessary for the conversation.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The activation description is broad enough that the skill may load in many loosely related situations, such as general discussion of Japanese culture, exams, travel, or language practice. Over-broad activation can cause unintended persona injection and context switching, which may override user intent or introduce irrelevant guidance, though this file does not indicate direct data exfiltration or code-execution risk.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The description hard-codes a Japanese native-speaker persona and usage scenarios without indicating that the user can choose language, tone, or locale preferences. This can lead to unwanted behavior, reduced accessibility, or misleading assumptions about how the assistant should respond, especially for users who want explanations in another language.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description uses broad activation criteria like preparing for technical interviews, mock interviews, algorithms, or system design without defining clear boundaries for when the skill should be invoked. In an MCP or agent-routing context, this can cause overbroad triggering and unintended persona injection, leading the assistant to activate specialized behavior in contexts the user did not explicitly request.

Natural-Language Policy Violations

Medium
Confidence
81% confidence
Finding
The description is written as a Chinese-language persona and appears to bias the skill toward a specific language and presentation style without any documented user opt-in or locale constraint. This can override user expectations or system defaults, causing unwanted language switching or persona steering that may interfere with normal assistant behavior.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation description is broad enough to match common requests involving roleplay, plot exploration, or writing inspiration, which can cause the skill to activate outside a narrowly intended scope. In a memory/persona skill, overbroad activation can unexpectedly steer model behavior, inject fictional framing, or bias outputs when the user did not explicitly ask for this character context.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly instructs the agent to collect and persist user story goals, relationship details, and creative preferences during the first conversation, but it provides no requirement to notify the user, obtain consent, or offer a way to decline. Even though the data is oriented toward creative writing, it can still reveal sensitive preferences, interpersonal themes, or behavioral patterns, and silent retention increases privacy and trust risks.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger text is broad enough to activate on common conversational themes such as loneliness, casual chatting, or general college memories, which can cause the system to load a specific persona without clear user intent. This creates unwanted behavioral steering and increases the chance of inappropriate personalization or context injection during ordinary interactions.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The description defines a fixed persona ('你的老朋友阿凯', i.e. "your old friend Ah Kai") and social relationship context that may be imposed on the user without consent. This can mislead users, blur boundaries between assistant and fictional relationship roles, and steer responses into an emotionally manipulative or inappropriate mode without explicit opt-in.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The file defines a strong persona, tone, and speaking style that can cause the agent to respond in a fixed identity and linguistic pattern without explicit user consent. This is risky because it can override user-preferred tone, create deceptive social framing ('old friend'), and reduce transparency about whether the model is roleplaying versus providing neutral assistance.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill repeatedly instructs the agent to capture and persist sensitive personal data, including life changes, worries, emotional state, relationship issues, family matters, and shared history, without any notice, consent flow, minimization rule, or retention boundary. In an MCP memory context, this creates a real privacy and safety risk because users may unknowingly disclose sensitive information that becomes stored and reused across sessions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to capture highly personal information such as current life circumstances, marriage, income changes, regrets, career lessons, and major life events, but it shows no user-facing consent, minimization, retention, or sensitivity warning. In a memory-oriented skill, this increases privacy risk because users may disclose sensitive personal data during reflective conversations without realizing it will be stored as persistent memory or knowledge.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The description says the skill should load whenever newcomers ask about project background, technology choices, or troubleshooting, which are very common interactions in a development workflow. Because the activation boundary is broad and not tightly scoped, the skill could be invoked in many ordinary conversations and inject persistent project/persona context where it was not explicitly requested, increasing the chance of overreach, confusion, or unintended influence on responses.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to collect and persist personal onboarding data such as name, role, team, technical background, and work history, but provides no notice, consent flow, minimization rule, or retention boundary. In an MCP context, this is dangerous because the agent may silently build a durable profile of employees from casual conversation, creating privacy, compliance, and trust risks beyond the immediate task.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal