Agent Long-Term Memory

Security checks across malware telemetry and agentic risk

Overview

This memory skill is mostly coherent, but it encourages persistent cross-project profiling and can send conversation text to OpenAI when an API key is present, so it needs user review before use.

Install only if you want a cross-project memory layer. Avoid using it with confidential, regulated, or personal data unless you configure a per-project data_dir, review/delete stored memory regularly, and intentionally choose whether OPENAI_API_KEY may be used for remote extraction or embeddings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (19)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The skill explicitly documents that `auto_remember(conversation_text)` may use OpenAI for entity extraction when an API key is configured. That creates a real data-flow risk because conversation content and extracted user facts could be sent to a third-party service without an explicit, prominent consent warning at the point of use. In a memory skill, this is especially sensitive because the transmitted content is likely to contain personal profile data accumulated across sessions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The memory wrapper conditionally initializes an OpenAI client from an environment variable and uses it for embeddings, which introduces networked data flow into a component presented as local memory infrastructure. Even if the API key is not exfiltrated directly, the presence of remote model calls means user content may be transmitted off-host without clear consent or necessity for a memory primitive.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The auto-extraction path sends raw conversation text to a chat completion endpoint to extract facts, which can disclose sensitive memory content, PII, secrets, or internal project data to a third party. In a memory subsystem, this is especially risky because users reasonably expect storage and retrieval, not outbound transmission of their conversation history.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The docstring describes the component as a unified memory wrapper and compatibility layer, but omits that it may perform remote model inference and transmit user content externally. This mismatch can cause developers and users to trust the component with sensitive data under a false assumption that it is purely local storage.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README explicitly states that conversation-derived memory is stored under ~/.codex/agent_memory and shared across all projects, but it does not present a clear privacy warning, consent model, or scope boundary. In an agent skill context, this can cause users' personal or sensitive data from one task or repository to be retained and later surfaced in unrelated contexts, creating a real confidentiality and data-minimization risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill states that memory is stored persistently under `~/.codex/agent_memory/` and shared across all projects, but it does not present this as a privacy/security warning. Users may reasonably assume project-local behavior and not realize that personal facts and conversation-derived data will persist and be reused in unrelated contexts. This creates a real confidentiality and consent risk.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The documentation notes that OpenAI-backed extraction is used if an API key is present, but it does not clearly warn that conversation content may be transmitted externally. Because this feature is tied to automatic memory extraction, users may unknowingly send sensitive conversation data to a remote provider. The combination of persistence plus remote processing makes the omission materially risky.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The example initializes persistent storage in /tmp and then stores identifiable personal and preference data such as a boss's communication style, timezone, and interests. Even though this is sample code, it normalizes writing potentially sensitive information to disk without any notice, consent guidance, retention limits, or protection expectations, which can lead users to replicate insecure handling of personal data.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The worker sends the full user/assistant turn to an LLM for entity extraction and summarization in the background, which can expose sensitive conversation content to another processor or service without any consent, minimization, or visibility at this layer. Even if intended for memory features, silent transmission of complete conversations increases privacy and data-handling risk, especially when the LLM is external.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
These lines send text to an external embeddings API without any user-facing warning, consent flow, or inline disclosure. Silent transmission of potentially sensitive conversation or memory content is a privacy and compliance risk, especially in a persistence component handling user data.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
Automatic fact extraction transmits conversation content to an external chat API without explicit disclosure in this file, creating a high risk of unintended leakage of personal or confidential information. Because the feature is automatic and tied to memory extraction, users may be unaware that sensitive passages are leaving the system.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The default data directory stores memory under a shared path in the user's home directory across all projects, which can cause cross-project data mixing and persistence beyond the user's expectations. In a memory skill, that increases the chance that unrelated project context, sensitive facts, or past conversations are retained and later surfaced unexpectedly.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The skill advertises cross-project shared memory as a feature, including retention of user facts and conversation-derived data across contexts. For an agent memory component, that materially increases the chance of inappropriate resurfacing of personal data, secrets, or context from one project into another, especially when the same agent is used for mixed personal and development tasks.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The examples show storing personal profile attributes such as name and fear, then injecting those details into future system prompts via build_system_extension. This creates a prompt-level data propagation path where personal information can be automatically reintroduced into future model context, increasing exposure and the chance of unintended disclosure or overcollection.

Ssd 3

Severity: Medium
Confidence: 88%
Finding
The README states that short-term memory keeps the last N rounds verbatim, which raises the risk that secrets, credentials, or sensitive user text are retained and later reproduced exactly. In a conversational agent skill, verbatim retention is more dangerous than summarized retention because it preserves high-fidelity sensitive content that may be reinserted into prompts or outputs.

Ssd 3

Severity: Medium
Confidence: 91%
Finding
The skill is designed to persist and reuse user memory across sessions and projects, including user profiles and episodic memory. That cross-project scope increases the blast radius of any sensitive data captured, making accidental over-collection, context leakage, and unintended reuse materially more likely. While this is the product’s intended functionality, it is still a genuine privacy/security concern in this context.

Ssd 3

Severity: High
Confidence: 97%
Finding
The standard integration flow instructs implementers to inject `mem.get_profile()` into the system prompt, log every conversation turn, and archive full conversations. This directly encourages broad collection and repeated propagation of user data into prompts, which increases the chance of oversharing sensitive information, prompt-context leakage, and cross-session/cross-project disclosure. In a memory skill, these defaults make the dangerous behavior operational rather than merely theoretical.

Ssd 3

Severity: Medium
Confidence: 93%
Finding
The file-level design explicitly states that every user message is processed to extract structured facts, generate embeddings, and clean up memories, creating persistent storage of user-derived data by default. This is dangerous because it normalizes broad retention of potentially sensitive personal information across all conversations, increasing harm from misuse, over-collection, or later compromise of the memory store.

Ssd 3

Severity: High
Confidence: 97%
Finding
The extraction prompt directly instructs the model to harvest sensitive personal attributes including fears, relationships, important dates, and goals from user conversations. That makes the system more dangerous than generic summarization because it operationalizes profiling and persistent storage of intimate user data, which may be unexpected and disproportionate to normal assistant behavior.

VirusTotal

64/64 vendors flagged this skill as clean.