Agent Memory Continuity

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local memory-continuity tool, but users should understand it can store conversation context and optionally install a recurring cron sync.

Install only in workspaces where local conversation memory is acceptable. Review memory files periodically, avoid storing secrets or regulated personal data, inspect the crontab entry before enabling automated sync, and remove the cron job when you no longer want background memory updates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and instructs execution of multiple shell scripts and cron-related commands, yet no explicit permissions or safety disclosures are declared. This increases the chance that users will run system-modifying actions without informed consent or sandboxing, which is a real security issue for installable agent skills.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The stated purpose is conversation continuity, but the described behavior includes modifying crontab, creating persistent local files, and archival/deletion behavior that materially changes the host environment. That mismatch is dangerous because users may consent to a benign 'memory' feature without realizing it installs persistence mechanisms and data-retention workflows that affect system state and potentially sensitive data.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script modifies the user's crontab to install a recurring background task, which is a persistent host-level change not clearly justified by a 'memory continuity' skill description. Even if intended for convenience, persistence on the host can surprise users, outlive the session, and create a foothold for repeated execution of whatever `scripts/sync-memory.sh` does later.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
A memory continuity skill generally does not need undisclosed host-level cron persistence; adding it expands privileges and persistence beyond the stated purpose. This becomes more dangerous because the scheduled job executes a workspace-controlled script repeatedly, enabling ongoing code execution after the initial run.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script unconditionally deletes memory files older than 30 days, which conflicts with the skill's stated goal of preserving agent memory and continuity. In a memory-management skill, silent deletion can cause irreversible loss of context, break auditability, and undermine user expectations about retention.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill promotes creating and synchronizing persistent memory files for prior conversations without warning that those files may contain sensitive prompts, decisions, credentials, or personal data. Persisting such data on disk and syncing it automatically expands the attack surface and can create privacy, compliance, and data-leak risks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installation and quick-start instructions tell users to run shell scripts that initialize files and schedule cron jobs, but they do not clearly warn about these persistent system changes. Hidden or under-disclosed system modification is risky because users may execute commands with greater trust than warranted and without reviewing their effects.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The configured red-flag phrases are broad, common conversational expressions that can easily appear in normal user messages without actually indicating a continuity failure. In a memory-continuity skill, this can trigger unnecessary memory searches or recalls, increasing the chance of pulling in unrelated prior context, over-collecting user data, or confusing the agent with irrelevant history.

Vague Triggers

Medium
Confidence
93% confidence
Finding
These patterns are broad topic phrases such as 'ongoing tasks' and 'current work' that are likely to appear in ordinary conversation, so they can trigger memory searches without clear user intent. In a memory-continuity skill, unintended activation can expose stale or unrelated prior context, increasing privacy leakage and context poisoning risk.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Decision-related phrases like 'decisions made' and 'plans decided' are generic summaries of normal discussion and do not reliably indicate a request to search stored memory. This can cause retrieval on incidental mentions, surfacing prior decisions out of context or polluting the current interaction with irrelevant historical data.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Patterns such as 'user preferences', 'important context', and 'past conversations' are especially sensitive because they map to personal data and broad historical context while remaining highly ambiguous. In a skill designed to preserve continuity, accidental matches can retrieve private preference data or unrelated conversation history, making the context materially more dangerous than in a generic search feature.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Meeting, technical, and business phrases like 'meeting notes', 'implementation details', and 'market analysis' are broad noun phrases without trigger boundaries, so normal topical conversation may invoke search behavior. Because these domains often contain confidential internal material, accidental retrieval can disclose sensitive project, architectural, or business information beyond what is needed for the current turn.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script changes the user's crontab without an explicit warning or confirmation, so users may not realize they are enabling persistent scheduled execution on their machine. Silent persistence reduces transparency and makes it harder for users to assess risk, especially when the scheduled task runs code from the current workspace.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The cleanup behavior occurs without any user-facing warning, prompt, or visible retention notice, so users may be unaware that historical memory is being removed. Because this skill is specifically marketed as preserving context, the undisclosed deletion behavior is more dangerous than it would be in a generic log-rotation utility.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The protocol instructs the agent to automatically search and log memory files for all significant conversations, but it provides no requirement to notify the user, obtain consent, or limit what data is retained. This creates a privacy and data-governance risk because sensitive user information may be persistently accessed and stored across sessions without clear user awareness or controls.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The template explicitly instructs the agent to record user preferences, behavior patterns, technical details, and searchable keywords across sessions, but provides no guardrails for excluding sensitive personal data, minimizing retention, or obtaining user consent. In a memory-continuity skill, this materially increases the chance of over-collection and persistent storage of sensitive information that could later be surfaced, searched, or misused.

Session Persistence

Medium
Category
Rogue Agent
Content
**Cron jobs not running:**
```bash
# Check cron status
crontab -l | grep memory

# Reinstall cron jobs
bash scripts/activate-memory-sync.sh --force
```
Confidence
84% confidence
Finding
crontab -l

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
CRON_JOB="0 */6 * * * cd $WORKSPACE && bash scripts/sync-memory.sh >> .memory-sync-log 2>&1"

# Check if cron job already exists
if crontab -l 2>/dev/null | grep -q "sync-memory.sh"; then
    echo "✅ Memory sync cron job already active"
else
    # Add to crontab
```
Confidence
95% confidence
Finding
crontab -l

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
if crontab -l 2>/dev/null | grep -q "sync-memory.sh"; then
    echo "✅ Memory sync cron job already active"
else
    # Add to crontab
    (crontab -l 2>/dev/null; echo "$CRON_JOB") | crontab - 2>/dev/null || true
    echo "✅ Memory sync cron job activated (every 6 hours)"
fi
```
Confidence
98% confidence
Finding
crontab (crontab -l 2>/

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
    echo "✅ Memory sync cron job already active"
else
    # Add to crontab
    (crontab -l 2>/dev/null; echo "$CRON_JOB") | crontab - 2>/dev/null || true
    echo "✅ Memory sync cron job activated (every 6 hours)"
fi
```
Confidence
94% confidence
Finding
crontab - 2>/

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
exit 0
fi

# Add cron job for memory sync (every 6 hours)
CRON_JOB="0 */6 * * * cd $WORKSPACE && bash scripts/sync-memory.sh >> .memory-sync-log 2>&1"

# Check if cron job already exists
```
Confidence
93% confidence
Finding
Add cron job for

VirusTotal

66/66 vendors flagged this skill as clean.