Security audit

Hermes Memory CN

Security checks across malware telemetry and agentic risk

Overview

This is a genuine local memory skill, but it persists sensitive conversation details broadly and can turn remembered patterns into skill draft files without strong user-control boundaries.

Install only if you deliberately want an always-available local memory database for your assistant. Before enabling it, decide which categories may be saved, avoid automatic retention of sensitive personal or financial details unless you explicitly approve them, review exported Markdown backups and cron jobs, and treat skill-evolution draft/promote commands as untrusted until you inspect the generated files and output paths.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Description-Behavior Mismatch

Severity: Medium | Confidence: 90%
The documented interface includes a secondary capability that detects repeated patterns and generates/promotes new skills, which materially changes the trust boundary from 'store memory' to 'create or modify agent behaviors.' If enabled without strong controls, this can create persistent new artifacts or capabilities from conversation-derived content, increasing the chance of unsafe prompt/code propagation.

Context-Inappropriate Capability

Severity: Medium | Confidence: 88%
Drafting and promoting new skills is not necessary for providing long-term conversational memory, so including it under the same skill creates unnecessary privilege and functionality creep. That expanded scope makes accidental or socially engineered misuse more plausible because users may invoke a memory feature without realizing it can influence future agent capabilities.

Description-Behavior Mismatch

Severity: Medium | Confidence: 80%
The tool persistently classifies and stores stock/trading-related conversation content, but the manifest describes a general memory system rather than a finance-specific profiling feature. This mismatch can cause users to disclose sensitive financial behavior without informed consent, increasing privacy and trust risk in a skill that automatically stores conversation-derived data.

Description-Behavior Mismatch

Severity: Medium | Confidence: 93%
The file implements a skill-evolution subsystem that detects repeated user activity patterns and turns them into candidate skills, which goes beyond the advertised long-term memory function. This expands the skill's effective authority from passive storage/recall into capability generation, increasing the risk of unreviewed persistence, privilege creep, and user surprise about what the software is doing with stored memories.

Context-Inappropriate Capability

Severity: Medium | Confidence: 96%
The code writes Markdown skill drafts to a local directory using content derived from stored memories and an optional name argument, enabling transformation of sensitive memory content into executable/operational artifacts outside the memory database. In a memory assistant context, this is dangerous because private conversation data can be repackaged into reusable local files without a strong trust boundary, and untrusted content may flow into downstream skill ecosystems or be reviewed/published later.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
The promote flow changes memory records into 'promoted' skills and prints guidance to publish them, bridging personal memory storage with a content publication pipeline. In the stated memory-assistant context, this makes the feature more dangerous because memories can silently transition from private recall material into distributable skill artifacts, creating risks of data leakage, unintended publication, and expansion of system behavior beyond user expectations.

Vague Triggers

Severity: High | Confidence: 87%
The trigger phrases are broad, everyday terms like '记忆' ("memory") and '上次聊到' ("what we talked about last time"), which can cause accidental activation during normal conversation. For a persistence skill, unintended activation is risky because it may store sensitive personal or financial information without the user's informed intent.

Vague Triggers

Severity: Medium | Confidence: 88%
The auto-write rules are ambiguous and rely on broad heuristics such as whether information might still be useful in one week. This vagueness is dangerous because it encourages over-collection and inconsistent retention of potentially sensitive conversation data, especially in categories like portfolio, preferences, and lessons learned.

Missing User Warnings

Severity: Medium | Confidence: 91%
The skill emphasizes convenience and local privacy but does not clearly warn users that it persistently stores potentially sensitive personal conversation data. That omission undermines informed consent and can lead users to disclose financial, personal, or strategic information without realizing it will be retained across sessions.

Missing User Warnings

Severity: Medium | Confidence: 95%
The file instructs the agent to automatically persist a wide range of user-derived information, including preferences, decisions, and implicit facts, after each reply, but provides no requirement for explicit user notice, consent, or retention controls. This creates a privacy risk because sensitive personal or behavioral data may be stored locally and reused later without the user understanding that long-term memory is active.

Missing User Warnings

Severity: Medium | Confidence: 93%
The cron workflow exports stored memory to Markdown backups without any warning that user-derived content is being copied into additional files. Exporting to human-readable backup locations increases the risk of accidental disclosure, broader local access, and unintended inclusion in sync, version control, or other tooling.

Missing User Warnings

Severity: Medium | Confidence: 95%
The core function automatically writes persistent memories from raw conversation text based on broad keyword matching, with no explicit consent, preview, or confirmation step. In a memory skill, this is especially dangerous because users may unintentionally store sensitive preferences, corrections, or financial information locally and persistently without realizing it.

Ssd 3

Severity: Medium | Confidence: 90%
The skill explicitly instructs ongoing retention and structuring of user-provided information from conversations, including financial and preference data. Persistent collection increases privacy and profiling risks, and the danger is heightened here because the write rules are automatic and broad rather than tightly consented.

Ssd 3

Severity: Medium | Confidence: 86%
Marketing the skill as remembering everything important the user says and recalling it later normalizes broad persistent surveillance of conversation content. In context, this is somewhat aligned with the skill's purpose, but it is still risky because the stored material may include highly sensitive personal, financial, or strategic data and the description does not sufficiently bound what should never be retained.

Ssd 3

Severity: Medium | Confidence: 96%
The integration instructions direct long-term storage of conversation details such as holdings, strategies, lessons, preferences, life changes, and implicit inferences. Because these categories can include sensitive financial and personal information, automatic retention materially increases privacy and profiling risk, especially when the system is designed to continuously capture new data after every response.

Ssd 3

Severity: Medium | Confidence: 94%
The cron process continuously mines daily logs for key information and exports memory to Markdown, expanding both the amount of captured user data and the number of places it resides. This ongoing extraction and duplication makes the system more dangerous because it normalizes persistent surveillance-style collection and increases the blast radius of any local compromise or accidental exposure.

Ssd 3

Severity: Medium | Confidence: 94%
The skill persistently stores user conversation content based on broad natural-language cues such as preferences and corrections, which can capture sensitive personal data far beyond what users intended to save. Because this is a long-term memory system, over-collection and retention materially increase privacy exposure and the chance of later misuse or unintended resurfacing of sensitive information.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.