hippocampus

Security checks across malware telemetry and agentic risk

Overview

This is a local memory skill that saves and reuses conversation context; its privacy risks are real but disclosed and aligned with its purpose.

Install only if you want durable local memory. Before enabling cron jobs, review USER_CONFIG.md and consider disabling AUTO_SAVE, PROACTIVE_TRIGGERS_ENABLED, and READINGBETWEENTHELINES_ENABLED or narrowing the trigger words. Avoid saving secrets, credentials, personal data, or confidential project details, and periodically inspect or delete assets/hippocampus memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Context-Inappropriate Capability

Severity: Medium | Confidence: 88%
The skill can modify a workspace-level `MEMORY.md` file outside its own storage area, which expands its write scope beyond a self-contained memory subsystem. In an agent environment, this can alter shared context or future agent behavior, creating integrity risks and a covert persistence channel even though the write is gated behind a confirmation flow.

Missing User Warnings

Severity: Medium | Confidence: 93%
The README explicitly documents automatic saving of session content and automated analysis, but does not pair these features with a meaningful privacy notice, consent, retention limits, or guidance on sensitive-data handling. In a memory skill, this creates a real risk of collecting and persisting confidential user conversations beyond what users expect, increasing exposure if the stored data is later accessed, indexed, or reused.

Missing User Warnings

Severity: Medium | Confidence: 95%
The 'ReadingBetweenTheLines' feature describes proactive reading of recent user messages, tokenization, counting, and automatic memory loading based on conversation patterns without a prominent warning that ongoing monitoring is occurring. That behavior materially changes the privacy posture of the skill because it analyzes user content continuously and can infer topics or patterns the user did not explicitly ask to store or process.

Vague Triggers

Severity: Medium | Confidence: 91%
The skill allows broad natural-language phrases like "deploy" or "send report" to expand into multi-step workflows automatically. Because these triggers are ordinary conversational terms, they may activate unexpectedly from normal dialogue and cause unintended high-impact actions to be suggested or executed by the hosting agent.

Vague Triggers

Severity: Medium | Confidence: 90%
The proactive trigger system uses generic keywords such as "database" and "api" to automatically load memories into context. This can be triggered accidentally by routine conversation, causing irrelevant or sensitive stored information to be injected into responses, increasing the risk of context poisoning or unintended disclosure.

Vague Triggers

Severity: High | Confidence: 96%
ReadingBetweenTheLines performs autonomous scanning of recent user messages and loads memories based on ambiguous repetition thresholds and keyword matches. This creates a stronger vulnerability than simple keyword triggers because it silently infers intent from conversation patterns, making accidental activation, adversarial prompt shaping, and unauthorized context injection much more likely.

Missing User Warnings

Severity: Medium | Confidence: 93%
The documentation describes automatic scanning of user messages and prepending of stored memory to context, but it does not provide strong warnings about privacy, consent, or the consequences of automatic recall. Users may not realize their messages are being analyzed for triggers and reused later, which can lead to unexpected exposure of prior content.

Missing User Warnings

Severity: Medium | Confidence: 94%
`auto_save_from_context` can persist arbitrary session/context content to disk automatically without an explicit runtime disclosure or consent check. In practice this can store sensitive prompts, secrets, or user data into long-lived files and indexes, increasing the risk of unintended retention and later exposure.

Missing User Warnings

Severity: Medium | Confidence: 96%
`_cmd_autocheck` can collect recent content or conversation history and write it to Chronicle/Monograph automatically when thresholds are met, again without an explicit warning at the moment of persistence. This creates a meaningful privacy risk because users may not realize that recent dialogue is being retained across sessions.

Vague Triggers

Severity: Medium | Confidence: 90%
The trigger list contains common words such as 'remember', 'recall', 'warn', and 'learn' that are likely to appear in ordinary conversation. In an instruction-first skill with session lifecycle hooks, broad triggers can cause unintended activation, leading the skill to read, write, or act on context when the user did not explicitly intend to invoke it.

Missing User Warnings

Severity: Medium | Confidence: 97%
The manifest requests both write and exec permissions, which materially increases risk because the skill can modify files and run local commands. In this file, those permissions are paired with sparse user-facing disclosure and an instruction-first, code-on-demand runtime, making accidental or opaque system-impacting behavior more dangerous.

Ssd 3

Severity: Medium | Confidence: 91%
Persistent auto-saving of session content creates a natural-language data retention risk because conversational data may include credentials, personal data, internal project details, or other sensitive context. In this skill's context, the feature is core functionality, which makes the risk more credible rather than theoretical because users are being instructed to enable recurring collection and storage.

Ssd 3

Severity: Medium | Confidence: 94%
The proactive monitoring and trigger system semantically encourages automated scanning of recent user messages and loading related memories, which can surface previously stored sensitive information in response to ordinary conversation patterns. This increases the chance of over-collection and inadvertent disclosure, especially in an agent skill that maintains long-lived memory across sessions.

Ssd 3

Severity: Medium | Confidence: 95%
The skill explicitly retains prior message content and reuses it in future responses without clear limits on scope, sensitivity, retention duration, or access controls. In a memory-oriented skill, this materially increases the chance of cross-session leakage, resurfacing secrets, and exposing sensitive context in situations where the user did not intend reuse.

Ssd 3

Severity: High | Confidence: 97%
The skill persistently stores session content and includes features to reload stored monograph content into future responses based on triggers. That combination creates a durable cross-session data-retention and replay channel that can surface sensitive information later, especially in shared or multi-user agent contexts.

Ssd 3

Severity: Medium | Confidence: 85%
ReadingBetweenTheLines analyzes user message words and can automatically load stored monograph content into responses when triggers match. Even though the persistence implementation is incomplete, this still creates implicit profiling and context injection behavior that may reveal previously stored information without a sufficiently explicit user action.

VirusTotal

67/67 vendors flagged this skill as clean.