Hypabase Memory

Security checks across malware telemetry and agentic risk

Overview

This is a coherent persistent-memory skill whose main risk is ordinary privacy exposure from saving and optionally embedding user/project memories.

Install this only if you want the agent to keep long-term memory. Avoid storing credentials, secrets, health, legal, financial, HR, or other highly sensitive information unless there is clear consent and need. Prefer local embeddings for private data, protect the SQLite database file, periodically review or expire memories with `forget`, and pin or verify the `uvx` package source if your environment requires tighter supply-chain control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium, 95% confidence
Finding
The skill advertises a local persistent-memory capability, but its documented `openai` embedder option sends memory content to an external API. Because recalled/stored memories can include personal facts, preferences, and project details, this creates a real confidentiality and data-governance risk if users assume the skill is purely local. The danger is increased by the lack of an explicit warning at the point where the networked embedder is described.

Vague Triggers

Medium, 87% confidence
Finding
The 'When to Remember' guidance is broad enough to encourage storing large amounts of user, team, and project information without clear minimization boundaries. In a persistent memory skill, overly permissive collection guidance can lead agents to retain sensitive or unnecessary data indefinitely, increasing privacy exposure and the blast radius of any later compromise or misuse.

Missing User Warnings

High, 97% confidence
Finding
The description emphasizes persistent memory but does not clearly warn users that their information may be stored across sessions. For a memory skill, lack of upfront disclosure undermines informed consent and can cause users or downstream agents to store personal or confidential information without realizing it will persist, making the context more dangerous than a non-storage utility skill.

Missing User Warnings

Medium, 96% confidence
Finding
The documentation mentions the `openai` embedder and API-key requirement but does not explicitly warn that enabling it can transmit memory content over the network to a third party. Given this skill stores potentially sensitive memories, omission of that warning materially increases the chance of unintentional external disclosure by users who expect local processing.

VirusTotal

64/64 vendors flagged this skill as clean.
