AgentRecall

Security checks across malware telemetry and agentic risk

Overview

AgentRecall is a legitimate local memory tool, but its artifacts include broader transcript scanning, Claude memory/hook integration, shell-driven workflows, and deletion behavior that exceed the narrow local-only description.

Install only if you want a durable local memory layer and are comfortable with agent-readable long-term notes. Start with the default MCP server. Avoid enabling hooks, /arsaveall, or sync-memory until you understand their access to Claude prompts and transcripts. Do not store secrets in memory, periodically inspect or purge ~/.agent-recall, and pin package versions where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (128)

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The skill documentation materially understates behavior and scope: it advertises a tightly scoped local memory tool with 6 MCP tools and writes only under `~/.agent-recall/`, while the finding indicates additional tools, transcript ingestion from `~/.claude/projects`, sync into other directories, and broader storage/SDK features. That mismatch is dangerous because users and host agents may grant trust and permissions based on the declared model, while the actual implementation appears to access more data and perform more actions than disclosed.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: This plan extends the skill from local markdown memory management into generating and writing a separate Claude-loaded memory artifact under ~/.claude, which broadens the trust boundary and creates a second persistence channel outside the stated storage model. Because the file is intended to be auto-loaded into future sessions, any sensitive or incorrect content accumulated by the skill can be silently propagated across sessions without explicit user review.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The plan proposes modifying ~/.claude/settings.json to install a PostToolUse hook, which changes external agent behavior beyond the scope of a memory skill. Altering another tool's configuration can create persistent side effects, surprise execution paths, and a mechanism for future automatic actions without informed user consent.

Description-Behavior Mismatch
Severity: Medium
Confidence: 93%
Finding: Capturing agent actions, tool calls, file edits, and transcript-derived context materially increases the sensitivity of stored memory data compared with simple user corrections. This creates a richer behavioral log that may expose secrets, file contents, or operational details in later recalls, especially when stored automatically and reused across sessions.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The review brief explicitly instructs a reviewer to inspect `~/Projects/AgentRecall/`, `~/.agent-recall/`, and `~/.claude/commands/arsave.md`, which expands access beyond the skill file itself into broader local code and user-home data. In an agent setting, this can induce unnecessary collection or exposure of unrelated local information and violates least-privilege expectations for a markdown-only memory skill.

Description-Behavior Mismatch
Severity: High
Confidence: 96%
Finding: The command explicitly instructs the agent to push session data to GitHub if configured, which contradicts the skill's stated 'local markdown only, zero cloud' behavior. That mismatch is security-relevant because users may disclose sensitive project memory under a local-only assumption, while the command introduces external data exfiltration risk.

Intent-Code Divergence
Severity: Medium
Confidence: 82%
Finding: The documentation claims a single session_end call performs the save flow, but the command also performs direct shell writes to identity.md outside that tool boundary. This hidden side effect weakens auditability and can cause data to be persisted in places users and calling systems do not expect.

Context-Inappropriate Capability
Severity: Medium
Confidence: 89%
Finding: The command instructs use of shell commands such as grep, mkdir, echo, mv, ls, and git operations that exceed the stated memory-tool scope. Expanding behavior into arbitrary shell access increases the blast radius from simple memory persistence to filesystem manipulation and repository inspection, including accidental exposure of unrelated local data.

Description-Behavior Mismatch
Severity: Medium
Confidence: 89%
Finding: The command materially exceeds a narrow 'local markdown only' memory expectation by instructing collection and processing of all Claude Code transcript JSONL files under ~/.claude/projects. Even if all data stays local, this is still broad cross-session data access that can ingest unrelated or sensitive content without clear per-project consent.

Context-Inappropriate Capability
Severity: Medium
Confidence: 93%
Finding: This command performs bulk transcript harvesting and persistence across unrelated sessions, which creates a confidentiality risk beyond the current invocation's expected scope. The danger is increased because it synthesizes summaries and writes durable memory for projects the user may not have intended to merge, potentially cross-contaminating contexts and exposing sensitive material.

Context-Inappropriate Capability
Severity: Medium
Confidence: 83%
Finding: The skill delegates sensitive transcript discovery and save operations to an external Node CLI outside the declared MCP tool surface. That introduces an execution and trust-boundary expansion: the agent is being instructed to invoke code whose behavior is not constrained by the skill's stated six tools, making reviewability and least-privilege enforcement weaker.

Description-Behavior Mismatch
Severity: Medium
Confidence: 88%
Finding: The command is presented as a status/launch board but also embeds a destructive deletion workflow, which violates the principle of least surprise. Mixing read-only discovery with destructive state changes increases the chance an agent or user triggers data loss in a context where they expected only inspection.

Intent-Code Divergence
Severity: High
Confidence: 93%
Finding: The file claims 'No MCP calls needed' and describes the command as a pure filesystem read, but elsewhere instructs the agent to invoke `session_start` and `rm -rf`. This inconsistency is dangerous because it can cause operators or higher-level orchestrators to trust the command as non-mutating when it actually performs persistence loading and destructive deletion.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The document materially expands the described capability surface from the advertised 6 tools to a 21-tool MCP server, including additional memory, alignment, architecture, and knowledge functions. This creates a trust and review gap: operators may approve or install the skill believing it has a narrower capability set than what the documentation actually encourages, increasing the chance of over-privileged deployment or unsafe integration.

Description-Behavior Mismatch
Severity: Medium
Confidence: 90%
Finding: The protocol introduces an 'Optional: git push' step despite the skill being described as local-only with zero cloud/telemetry. Even if optional, pushing journals, awareness files, or palace content to a remote repository can exfiltrate sensitive conversation-derived memory and violates the user's likely security expectations.

Description-Behavior Mismatch
Severity: High
Confidence: 97%
Finding: The design explicitly adds an AI-assisted save path via external API, which conflicts with the skill's stated 'Local markdown only. Zero cloud, zero telemetry' scope. That mismatch is security-relevant because users may rely on the privacy promise and unknowingly route journal contents, which can include sensitive project notes, to a third-party provider.

Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: This section documents provider, model, and API-key-based remote processing for journal generation, directly contradicting the zero-cloud claim. Because journals often contain development context, decisions, blockers, and potentially secrets, sending raw session logs to an external model can create confidentiality and compliance exposure.

Description-Behavior Mismatch
Severity: Medium
Confidence: 92%
Finding: The skill advertises 'local markdown only' and 'zero telemetry', but the sync-memory command copies AgentRecall data into Claude's separate auto-memory directory. Even if still local, this expands the data boundary into another tool's persistence layer and can expose memory contents to consumers the user did not expect from the skill's description.

Context-Inappropriate Capability
Severity: High
Confidence: 95%
Finding: The sessions/saveall commands read external Claude Code session transcripts and synthesize them into AgentRecall storage, which is broader access than the six-tool memory description suggests. This can ingest sensitive conversation history from unrelated workspaces or projects and persist it under inferred project names without clear user awareness at the moment of collection.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: When fix mode is enabled, the lint routine stops being read-only and copies room files to an archive directory before deleting the original room directory with fs.rmSync(..., { recursive: true }). That makes a maintenance/checking command capable of destructive filesystem changes, which is risky because operator error, unexpected salience calculations, or malformed room metadata can cause unintended data loss or silent movement of user memory content.

Context-Inappropriate Capability
Severity: Medium
Confidence: 93%
Finding: The code builds a filesystem path from the user-controlled topic value and reads the resulting file if it exists. Because there is no validation or canonicalization of input.topic, an attacker can supply traversal sequences such as '../' to escape the intended room scope and read arbitrary markdown files reachable from the palace directory, which exceeds the tool's stated memory-recall purpose and can expose sensitive local notes or metadata.

Description-Behavior Mismatch
Severity: Medium
Confidence: 87%
Finding: The code registers a seventh MCP tool, `journal_archive`, despite the skill metadata explicitly claiming a 6-tool interface. This discrepancy can mislead users, reviewers, and policy controls about the skill's actual capabilities, especially because the added tool performs state-changing archival on persistent memory data.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The code registers a seventh MCP tool, `journal_state`, which provides structured read/write access to persistent session state, while the skill metadata claims only 6 tools. This undocumented capability expands the skill's effective attack surface and can mislead users, reviewers, and policy controls that rely on the declared manifest, especially because it supports writes to persistent state and agent-to-agent handoffs.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: This file registers a `journal_write` MCP tool that provides persistent write access, but the supplied skill metadata describes a different 6-tool set and does not mention this capability. Undisclosed write-capable tools expand the agent's authority beyond what users and reviewers expect, undermining consent and making it easier to hide persistence or tampering behavior in local memory files.

Description-Behavior Mismatch
Severity: High
Confidence: 94%
Finding: This file registers an MCP tool named "nudge" even though the skill metadata states there are exactly 6 tools and does not list this one. Undeclared capabilities are dangerous because they bypass user and platform expectations, reduce auditability, and can expose functionality that was not reviewed or consented to, even if the tool itself appears local and low-risk.

VirusTotal

66/66 vendors flagged this skill as clean.