Agent Memory Cleanup

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed memory-cleanup utility that can read and edit memory files, but its high-impact behavior is purpose-aligned and gated by documented user approval and backups.

Install only if you want an agent to inspect long-term memory files for cleanup. Review proposed diffs before approving apply mode, keep the generated backups until satisfied, and avoid running output/write options against unrelated paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill declares no required permissions in metadata, yet its instructions explicitly invoke Python scripts that read and write memory files and use shell execution. This mismatch can bypass user and platform expectations about what the skill is allowed to do, increasing the risk of unintended file modification or command execution if the skill is auto-invoked.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The README explicitly authorizes proactive invocation without the user naming the skill and recommends automatic auditing when memory pressure is detected. In a skill that reads and potentially modifies long-term memory files, broad trigger conditions increase the chance of analyzing or acting on sensitive user data without clear, contemporaneous consent, which can lead to privacy violations or unintended edits.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The activation description is broad and includes proactive triggering on vague conditions like memory pollution, degraded quality, or when cleanup is merely 'useful,' which could cause the skill to run in situations the user did not clearly request. In context, this is more dangerous because the skill can progress from audit to proposing and eventually applying file changes, so accidental invocation could lead to unnecessary access to sensitive memory files or pressure for edits.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The --write-proposed option writes generated content to any path supplied on the command line with no path restriction, safety check, or confirmation. In an agent setting, if an upstream component or prompt can influence that argument, this can overwrite arbitrary files in the workspace or user-accessible locations and turn a report-generation feature into an unintended file-write primitive.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
In apply-approved mode the tool automatically overwrites each audited file after making a backup, based solely on the mode flag. Although backups reduce irrecoverability, this is still a destructive write path that can modify sensitive memory files at scale; in an agent workflow, mistaken authorization, prompt confusion, or unsafe automation could silently alter user state.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The memory file contains a plaintext password-like secret, which creates an immediate risk of credential disclosure to any agent, tool, or person that can read the file. In the context of a memory-cleanup skill, this is especially dangerous because the skill is designed to ingest, process, and potentially copy or back up memory contents, increasing the chance that the secret is propagated or exposed further.

Ssd 3

Severity: High
Confidence: 100%
Finding
The line explicitly stores a staging password in plain language, making this a direct credential-handling vulnerability rather than a contextual note. Because this skill targets long-term memory maintenance across agent ecosystems, the secret may be retained, duplicated in backups, surfaced in summaries, or leaked through future prompts and tooling integrations.

VirusTotal

66/66 vendors flagged this skill as clean.
