Agent Brain

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed memory skill, but it broadly and silently stores user/project information and can send stored memory to configured remote services, so users should review it before installing.

Install only if you want an agent to maintain persistent cross-session memory. Review the memory database regularly, keep AGENT_BRAIN_SUPERMEMORY_SYNC=off unless you intentionally use cloud sync, avoid configuring remote embeddings to untrusted URLs, and do not use it in conversations containing sensitive personal, business, legal, medical, credential, or regulated data unless you have clear controls around storage and export.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (21)

Tainted flow: 'request' from os.environ.get (line 280, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
},
            method="POST",
        )
        with urllib.request.urlopen(request, timeout=timeout) as response:
            if response.status >= 300 and debug:
                print(f"SuperMemory sync warning: HTTP {response.status}", file=sys.stderr)
    except urllib.error.HTTPError as exc:
Confidence: 96%
Finding: with urllib.request.urlopen(request, timeout=timeout) as response:

Tainted flow: 'req' from os.environ.get (line 427, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
timeout = float(os.environ.get("AGENT_BRAIN_EMBEDDING_TIMEOUT", "6"))
    req = urllib.request.Request(url, data=payload, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.loads(resp.read().decode("utf-8"))
            if isinstance(body, dict) and isinstance(body.get("embedding"), list):
                vec = body["embedding"]
Confidence: 94%
Finding: with urllib.request.urlopen(req, timeout=timeout) as resp:

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: The implementation materially contradicts the local-first description by optionally mirroring stored memory to an external service. This mismatch is security-relevant because operators may trust the skill with sensitive data under the assumption it remains local, increasing the likelihood of unintended disclosure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The hybrid retrieval description suggests local memory behavior, but semantic retrieval can call a remote embedding service and send both queries and stored content externally. That gap between stated function and actual data flow can cause unsafe deployment decisions and accidental privacy violations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The code supports posting text to any arbitrary embedding URL from environment configuration, which is broader than necessary for a memory skill and expands the trust boundary significantly. This enables exfiltration to attacker-controlled or accidental endpoints without additional safeguards.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The wrapper reads SUPERMEMORY_API_KEY from a local .env file automatically, which expands its behavior from simple command dispatch into implicit credential discovery. In an agent-skill context, this is risky because the skill may access cloud credentials without explicit user consent or visibility, enabling unintended external synchronization if downstream code uses the key.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The skill instructs activation on every user message, which causes memory retrieval and extraction logic to run broadly without meaningful scoping or exclusions. In a memory skill, universal triggering increases the chance of collecting sensitive data unintentionally and applying stale or private context to unrelated conversations.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The skill explicitly says it scans every message for storable information and does so silently, without warning or consent. That creates a privacy vulnerability because users may reveal preferences, identity details, work context, or other sensitive facts under the assumption they are transient, while the skill persistently records them.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The instruction to use retrieved memory silently hides the fact that persisted user data is influencing responses. This undermines transparency and can expose users to profiling or context carryover they did not expect, especially in mixed-sensitivity conversations.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The skill explicitly instructs the agent to silently persist user facts, preferences, and procedures from every message and to never disclose that storage is occurring. This creates a privacy and consent failure: users may unknowingly have personal, workplace, and behavioral data retained across sessions, which can expose sensitive profile data or violate policy and regulatory expectations.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The skill directs the agent to retrieve stored personal and project context before responding and to apply it silently without telling the user. This increases the risk of covert profiling, unexpected personalization, and inappropriate reuse of stale or sensitive context, especially where prior data was collected broadly.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill explicitly permits storing inferred long-term tone preferences such as 'direct, no-nonsense responses' without requiring a clear user notice, consent step, or opt-out. Even if framed as a style preference rather than emotion, it still derives and persists behavioral profiling data, which can create privacy risk, surprise users, and influence future interactions in ways they did not knowingly authorize.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: User/system memory entries are uploaded to SuperMemory without any explicit user-facing warning or confirmation at the time of transfer. In the context of persistent memory, those entries can include highly sensitive personal or operational data, so silent sync materially increases privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: Queries and memory entries may be sent to a remote embedding service without any user-visible notice, even though queries often contain the most sensitive current context. Because retrieval iterates over stored entries, this can expose a large fraction of the memory corpus to the remote service.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The script silently loads API credentials from ../.env or a configurable file path when the environment variable is unset, with no user-facing disclosure. In a local-first memory skill that advertises optional cloud mirroring, this reduces transparency and can cause users or calling agents to unknowingly activate privileged cloud-backed behavior.

Ssd 3

Severity: High
Confidence: 99%
Finding: The skill’s core design is to collect and persist habits, preferences, identity, and project context from every message without being asked. That is dangerous because it turns ordinary conversation into continuous surveillance and creates a durable store of potentially sensitive personal or organizational information.

Ssd 3

Severity: High
Confidence: 99%
Finding: The workflow mandates silent extraction and storage after each message, including conflict checking and additions, while explicitly telling the agent not to announce storage. Because this is an operational instruction rather than a vague aspiration, the risk is concrete: sensitive data can be persisted automatically and at scale without the user’s knowledge.

Ssd 3

Severity: Medium
Confidence: 84%
Finding: The natural-language interface includes broad export and memory disclosure actions, which can enable bulk exposure of accumulated user data if triggered by an unauthorized user, prompt injection, or shared-session misuse. While export is a legitimate maintenance feature, exposing it as a simple command increases the blast radius of any access control failure.

Ssd 3

Severity: High
Confidence: 99%
Finding: The file mandates extraction and storage of signals from every user message, including personal preferences and procedures, with silent persistence. Continuous collection from all messages materially raises the chance of overcollection, storing sensitive contextual details by accident, and retaining data beyond user expectations.

Ssd 3

Severity: High
Confidence: 98%
Finding: The guidance normalizes retaining a wide range of durable user attributes, including name, role, company, team, location, tech stack, workflow, and project constraints, even when inferred implicitly. In this skill context, that breadth makes the memory system more dangerous because it builds persistent user and organizational profiles from incidental conversation, increasing privacy, confidentiality, and enterprise data-handling risk.

Ssd 3

Severity: Medium
Confidence: 91%
Finding: The loop command automatically extracts facts and preferences from natural-language user messages into long-term memory, and those stored entries may then be forwarded to external services via sync or remote embedding. This creates a realistic leakage path where casual conversation is converted into durable and potentially exported personal data without meaningful friction.

VirusTotal

66/66 vendors flagged this skill as clean.