Fulcra Memory

Security checks across malware telemetry and agentic risk

Overview

This skill is not visibly malicious, but it gives agents broad power to upload, restore, clone, and overwrite memory or identity state without enough consent and privacy guardrails.

Review carefully before installing. Use only with a trusted Fulcra account and agents whose memory you are allowed to access, and require explicit user approval before any backup, restore, clone, artifact upload, or inbox deletion. Do not store secrets or private user data in memory files, and inspect restored or cloned archives before extracting them into a live workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The skill's stated purpose is memory backup, restoration, rollback, and cloning, but this reference also authorizes artifact uploads and team messaging operations. Expanding operational scope increases the chance an agent will perform unintended file-transfer or deletion actions outside the user's expected memory-management workflow, which can lead to unauthorized data movement or destructive coordination actions.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill instructs agents to back up evolving memory, including files like MEMORY.md, IDENTITY.md, SOUL.md, logs, and a user-visible top_of_mind.md, without any explicit privacy, minimization, or consent safeguards. That creates a real risk of uploading sensitive internal state, user data, secrets, or chain-of-thought-like status content into persistent versioned storage where it may be retained and later exposed.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The cloning and shared-memory sections explicitly normalize cross-agent data transfer by allowing one agent to download another agent's memory archive and by using shared team paths for message exchange, but they provide no warning about authorization, data ownership, or confidentiality boundaries. In context, this is more dangerous because the skill is specifically about durable memory/state management, so misuse could duplicate another agent's memories, identity, and potentially sensitive user context across principals.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The restore procedure extracts an archive directly into the workspace and explicitly overwrites core identity and memory files, but it does not require an explicit user confirmation immediately before the destructive step. This creates a real risk of accidental rollback, loss of current state, or restoration of unsafe content without informed consent.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The clone workflow downloads another agent's memory archive and extracts it locally, overwriting the current agent's identity and memory without an explicit confirmation requirement. This can effectively replace the agent's operating context and instructions, causing identity confusion, loss of local state, or introduction of untrusted content from another namespace.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The inbox-processing flow instructs the agent to delete messages from the inbox after archiving them, but provides no user warning, retention policy, or verification that archival succeeded. That can cause unintended loss of task history, evidentiary records, or coordination messages if the upload/archive step fails or is performed prematurely.

Ssd 3

Severity: Medium
Confidence: 95%
Finding:
The skill tells the agent to write a plain-language top_of_mind.md describing current tasks, context, and what it is thinking about, then upload it to versioned storage for user visibility. This is dangerous because it encourages systematic disclosure of internal state and potentially sensitive reasoning/context into durable, user-visible storage, increasing privacy and prompt-leakage risk.

Ssd 3

Severity: High
Confidence: 98%
Finding:
The cloning guidance explicitly states that an agent can clone another agent's memories and identity by downloading that agent's memory archive from shared storage. This is a direct cross-identity replication mechanism that can transfer sensitive context, credentials, behavioral instructions, or private user data between agents without any stated authorization guardrails.

VirusTotal

64/64 vendors flagged this skill as clean.