Sophie Mem0

Security checks across malware telemetry and agentic risk

Overview

This is a genuine long-term memory skill, but it can automatically store personal conversation details, and its privacy wording understates the flow of data to external APIs.

Review before installing. Use this only if you are comfortable with long-term storage of personal conversation details and possible processing by the configured model and embedding providers. Avoid auto mode for sensitive chats, protect the config file and Qdrant instance, and verify that listing and deleting memories works before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The document claims there is 'no third-party data transmission' while earlier configuration explicitly sends prompts and embeddings to remote OpenAI-compatible APIs. This is a material privacy and security misrepresentation because users may store sensitive long-term memories under the false assumption that data never leaves the local environment.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The auto-trigger conditions are broad everyday phrases such as self-introductions, preferences, corrections, reminders, and emotional statements, making accidental capture of ordinary conversation likely. In a long-term memory system, over-collection increases privacy exposure, stores irrelevant or sensitive data without clear intent, and can persist mistakes across sessions.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill advertises automatic identification and persistent storage of user information across sessions, but does not document explicit notice, consent, or a safe default before collecting personal data. This creates a meaningful privacy risk because users may disclose names, work, preferences, reminders, and emotional state without understanding they are being permanently stored.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The configuration shows use of remote LLM and embedding APIs, but the documentation does not clearly warn that user memory text may be transmitted to those providers for processing. Because this skill handles persistent personal memory, lack of transparent disclosure about remote processing materially increases privacy and compliance risk.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The `auto` command automatically extracts and persists memories from arbitrary user text with no notice, consent, preview, or confirmation step. Because the extracted categories include identity, preferences, habits, plans, facts, and emotions, normal conversation can be silently turned into durable profile data, creating a meaningful privacy and compliance risk.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The code sends `raw_text` derived from the full user utterance to the memory backend as metadata, which can include sensitive information beyond the summarized memory. Transmitting and persisting raw conversation content without a privacy warning or minimization greatly increases the chance of storing secrets, health details, financial data, or other unintended personal information.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The health check prints a prefix of the configured API key to stdout, which leaks credential material into terminal history, logs, screenshots, or shared support output. Even partial secret disclosure weakens secrecy guarantees and can aid token identification, correlation, or targeted exfiltration in multi-user or monitored environments.

Ssd 3

Severity: Medium
Confidence: 92%
Finding
The skill is explicitly designed to automatically capture and retrieve personal information across sessions as long-term memory. In this context, that behavior is security-relevant because persistent cross-session storage amplifies harm from over-collection, unauthorized access, model misuse, or retention of sensitive data beyond user expectations.

Ssd 3

Severity: Medium
Confidence: 93%
Finding
The module is explicitly designed to automatically listen for and store user memories, including personal details from ordinary conversation. In this skill context, that behavior is more dangerous because it is not narrowly limited to a specific business need and appears to persist data broadly, increasing privacy exposure and the risk of over-collection.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The trigger patterns intentionally extract sensitive and profiling-rich information such as name, profession, age, location, habits, plans, corrections, workplace, residence, and emotional state from casual text. This broad semantic capture materially increases risk because it enables silent profiling and storage of sensitive personal context far beyond what many users would expect from normal conversation.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
Each extracted memory object preserves the original utterance in the `raw` field, which means the system retains much more data than the summarized memory requires. Keeping raw inputs alongside derived memories increases the blast radius of any backend leak, misuse, or accidental disclosure because unstructured text often contains additional sensitive details.

Ssd 3

Severity: Medium
Confidence: 98%
Finding
When writing to the external memory backend, the code includes `raw_text` metadata taken from the conversation, directly coupling extracted memories with source text. In this context that is especially dangerous because the backend may be external to the immediate runtime, so sensitive conversation data is propagated and retained outside the original interaction boundary.

VirusTotal

67/67 vendors flagged this skill as clean.
