Duru Memory

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local Markdown memory tool, but it needs review because some helpers can modify files outside the intended memory area and memory contents can be sent to a configurable model endpoint.

Review or patch the helper scripts before installation so writes and tagging are limited to workspace/memory and Markdown memory files. Keep Ollama configured to localhost unless you intentionally want remote model processing, avoid storing secrets or credentials in memory files, and periodically review or delete the Markdown memory and semantic index when sensitive context should no longer persist.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises substantial capabilities—file read/write, shell execution, environment access, and network use via local services—without any declared permissions or explicit capability boundaries. That mismatch can cause the skill to be invoked in contexts that assume it is low-risk, while it can actually modify memory files, run maintenance scripts, contact local model endpoints, and perform git actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose presents the skill as a Markdown memory maintenance helper, but the content also describes higher-risk behaviors including semantic indexing, model-driven tagging/review, automatic forgetting/archiving, and git commits. This description-behavior gap is dangerous because operators may authorize or trust the skill for simple note maintenance while it performs autonomous processing and persistence actions with broader integrity and confidentiality implications.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script sends up to 1400 characters of Markdown memory content to an HTTP service for model tagging, which contradicts the stated local-memory expectation and can expose sensitive notes, handoffs, or project data outside the file system boundary users may assume. Even when the default endpoint is localhost, the URL is configurable, HTTP is unauthenticated, and a local or redirected service can receive confidential memory contents without clear disclosure.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The --files option accepts arbitrary existing .md paths and resolves relative inputs against the workspace, but it does not enforce that selected files remain under the memory directory. As a result, a user, wrapper, or higher-level agent can cause this tool to process and rewrite unrelated Markdown files elsewhere in the workspace or on the system.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
Because the script writes updated frontmatter back to every selected file, the unrestricted --files behavior allows in-place modification of arbitrary Markdown files rather than only declared memory records. In an agent skill context, this is more dangerous because automation may invoke the tool non-interactively and silently alter documentation, notes, or other Markdown assets outside the intended memory store.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The activation language is broad and permissive, encouraging use whenever building or operating local Markdown memory files or related workflows, without clear exclusions or safety gates. In context, that increases the chance the skill is invoked routinely and gains access to sensitive local memory operations, including scripts that can rewrite, summarize, archive, or transmit content to local model services.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script rewrites Markdown files in place without interactive confirmation, backup, or a prominent warning, creating a risk of silent data loss or unintended metadata injection. In this skill's context, where memory files may contain durable operational context, silent mutation is especially risky because users may trust the memory store as an authoritative record.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends aggregated memory log contents to an HTTP service endpoint via urllib without any explicit consent prompt, warning, or data-classification guard. Even though the default endpoint is localhost, the URL is configurable, so sensitive notes, commitments, blockers, or other memory content could be exfiltrated to a remote model server or intercepted if plain HTTP is used beyond loopback.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This script sends the user's query and, during indexing, the contents of local Markdown memory files to the configured Ollama embedding endpoint via HTTP without any user-facing notice, consent prompt, or trust boundary validation. Even though the default endpoint is localhost, the base URL is configurable, so sensitive memory data could be transmitted to a remote or less-trusted service and exposed through network interception, server logging, or unintended third-party processing.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This script writes or appends attacker-controlled content to an attacker-controlled path with no validation that the destination remains inside the intended workspace or is limited to approved memory files. In an agent setting, if untrusted input can influence TARGET or CONTENT_FILE, this can overwrite shell configs, scripts, prompts, or other operational files, and the immediate tagging step may further process the modified file automatically.

VirusTotal

67/67 vendors flagged this skill as clean.