Deep Memory

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local memory skill, but it should be reviewed before installation because its setup automatically installs or starts persistent, unauthenticated local database services that can store sensitive agent memories.

Install only if you intentionally want a persistent local memory stack for agents. Before running setup.py, review the script, consider enabling Neo4j authentication, restrict Qdrant and Neo4j to localhost or a firewall, avoid storing secrets or highly sensitive personal data, and know how to stop the containers and remove their Docker volumes when you no longer want the memory store.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

subprocess module call

Medium
Category: Dangerous Code Execution
Content:

import subprocess

def run(cmd, capture=True, check=True):
    # cmd is handed to the system shell as a single string; this is the line the scanner flags.
    result = subprocess.run(cmd, shell=True, capture_output=capture, text=True)
    # On failure, return (None, stderr) instead of raising, so callers must check the second element.
    if check and result.returncode != 0:
        return None, result.stderr
    # On success, return (stdout, None); stdout is only available when capture=True.
    return result.stdout.strip() if capture else None, None

Confidence: 94%
Finding: result = subprocess.run(cmd, shell=True, capture_output=capture, text=True)

Missing User Warnings

Medium
Confidence: 90%
Finding: The script creates files under the user's home directory, writes a docker-compose file and a Python client, creates persistent memory directories, and starts local services, all without explicit consent or a dry-run/confirmation step. In an agent-skill context, this is risky because users may trigger broad system and persistence changes with a single action they do not fully understand.

Missing User Warnings

Medium
Confidence: 92%
Finding: The setup flow automatically installs software and launches Docker containers without a clear safety warning or permission gate. In a one-click skill this is more dangerous than in a traditional admin script because execution may happen in a semi-automated context where the user does not expect package installation and service startup side effects.

Missing User Warnings

Medium
Confidence: 88%
Finding: The generated client transmits user queries and stored content over HTTP to local services (Ollama, Qdrant, Neo4j) without any disclosure in the interface or code comments aimed at users. Although traffic is localhost-only, the content may be sensitive memory data, and the lack of transparency and authentication increases privacy and data exposure risk in multi-user or compromised local environments.

VirusTotal

64/64 vendors flagged this skill as clean.