HipoolMemorySystem

Security checks across malware telemetry and agentic risk

Overview

The core memory engine matches its purpose, but the package includes under-disclosed benchmark/test behaviors that can start a Redis daemon, delete temporary directories, and persist agent memory data in plaintext.

Install only if you are comfortable with a local plaintext memory database. Avoid storing secrets or personal data unless the storage directory is protected, backed up, and has a retention plan. Do not run the benchmark scripts on a shared or important machine without reviewing them first, because they delete /tmp benchmark paths and one of them can start a Redis daemon.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (25)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    result = subprocess.run(["redis-cli", "ping"], capture_output=True, text=True)
    if result.returncode != 0 or result.stdout.strip() != "PONG":
        print("  Redis not running. Starting...")
        subprocess.run(["redis-server", "--daemonize", "yes"], capture_output=True)
        time.sleep(1)
    
    for val_size in VAL_SIZES:
Confidence
85% confidence
Finding
subprocess.run(["redis-server", "--daemonize", "yes"], capture_output=True)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The benchmark invokes `system("rm -rf /tmp/bench_hipool")` before and after execution, which gives the program filesystem-destructive capability unrelated to its core benchmarking logic. Even though the path is hardcoded and appears intended as cleanup, use of shell-based recursive deletion is dangerous because mistakes, path manipulation, or future code changes could delete unintended data.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The module docstring describes only LMDB, hipool, and SQLite benchmarking, but the code also benchmarks Redis and may start a Redis server. This mismatch is security-relevant because it conceals behavior that alters system state and can mislead a reviewer or user into executing the script without realizing it may launch services.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The helper constructs a benchmark-specific path but then unconditionally executes `rm -rf /tmp/bm_*`, which deletes all matching benchmark directories under `/tmp`, not just the directory for the current run. This is dangerous because it performs broad destructive cleanup through the shell and can remove unrelated data from other runs, users, or processes on the same host.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The code updates in-memory state first and only appends the WAL record afterward, despite claiming the opposite. If the process crashes after mutation but before WAL append, the change is lost from durable recovery state, breaking crash consistency and potentially causing silent data loss or replay divergence after restart.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
Deletion is applied to memory before the delete record is appended to the WAL, so a crash in between can resurrect supposedly deleted entries on replay. This creates an integrity issue where deleted sensitive records may reappear after restart, contradicting user expectations and any retention/deletion semantics.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill documents destructive data-management commands such as flush, clean, load/reload, and snapshot-related state changes without warning that they can overwrite, remove, or alter persisted memory data on disk. In an agent setting, exposing these commands without explicit confirmation or backup guidance increases the chance of accidental data loss or unsafe file operations by users or automations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The cron integration encourages automated periodic memory writes but does not warn that the content will be stored persistently, may contain personal or sensitive data, and may accumulate indefinitely across runs. In agent workflows, silent scheduled persistence can create privacy, retention, and compliance risks if users do not realize summaries and tags are being written to disk regularly.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script compiles and executes a generated C program from `/tmp` without user confirmation, which creates an arbitrary code-execution step during testing. In the skill context this is intended for WAL crash simulation, but it is still dangerous because running the script implicitly launches newly built native code that could be modified or abused in a shared environment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code performs destructive deletion of `/tmp/bench_hipool` automatically at startup with no warning, prompt, or disclosure to the operator. In a benchmark utility this is risky because running the binary immediately removes data from the filesystem, which may be unexpected if that path is reused or symlinked in an unsafe environment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The program deletes the benchmark directory again during teardown without any user-facing notice. Silent cleanup via `rm -rf` increases the risk of surprising data loss and makes the destructive behavior harder to audit or control.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script performs recursive deletion in /tmp without notice or confirmation. Even though the specific path is fixed, destructive operations without explicit disclosure are risky in an agent/skill setting because users may not expect local file removal, and symlink or path-confusion scenarios can increase harm on misconfigured systems.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script deletes benchmark database files without clearly informing the user. In isolation the file path is predictable and limited to /tmp, but undisclosed destructive behavior is still a security concern for agent-executed code because it violates least surprise and can remove data unexpectedly if names collide.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Starting a Redis server subprocess without prior explicit disclosure or opt-in can create an unintended background service and modify the local environment. In skill/agent contexts this is more dangerous because the user may only expect a benchmark, not daemon creation, which increases system exposure and operational risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code executes a destructive shell command, `rm -rf /tmp/hb_small`, without any safety checks, confirmation, or verification that the path is the intended benchmark directory. In a benchmark/helper program this is less severe than attacker-controlled command injection, but it is still dangerous because it can delete data unexpectedly and is especially risky if `/tmp/hb_small` is replaced by a symlink or the environment is manipulated.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The teardown repeats the same unchecked destructive deletion of a fixed directory path. Repeated cleanup increases the chance of unintended data loss if the path is pre-created, redirected, or shared with other processes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code performs destructive cleanup via `system("rm -rf /tmp/bm_*")` without any warning, confirmation, or scope restriction. In benchmark or agent contexts this is more dangerous because users may run the tool expecting local performance tests, not filesystem deletion affecting all matching temp directories.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The component persists arbitrary memory contents, keys, values, and tags to JSON files on disk under a predictable directory without any encryption, permission hardening, or explicit disclosure to users. In an agent-memory context this data can include prompts, secrets, tokens, or personal data, so silent persistence materially increases confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The WAL appends raw keys, values, and tags to disk in a local file without any protection, redaction, or access-control hardening. If this memory system stores secrets, tokens, prompts, or personal data, an attacker with local filesystem access can recover sensitive information from wal.log even after in-memory deletion or before snapshot compaction.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
}

static MemoryCtx *hipool_new(void) {
    system("rm -rf /tmp/bench_hipool");
    MemoryCtx *c = (MemoryCtx*)calloc(1, sizeof(MemoryCtx));
    memory_init(c, "/tmp/bench_hipool", 7);
    return c;
Confidence
83% confidence
Finding
rm -rf /tmp/bench_hipool"); MemoryCtx *c = (MemoryCtx*)calloc(1, sizeof(MemoryCtx)); memory_init(c, "/tmp/bench_hipool", 7); return c; } static void hipool_free(MemoryCtx *c) { memory_

Tool Parameter Abuse

High
Category
Tool Misuse
Content
}

static MemoryCtx *hipool_new(void) {
    system("rm -rf /tmp/bench_hipool");
    MemoryCtx *c = (MemoryCtx*)calloc(1, sizeof(MemoryCtx));
    memory_init(c, "/tmp/bench_hipool", 7);
    return c;
Confidence
83% confidence
Finding
rm -rf /tmp/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
    memory_flush(c);
    memory_destroy(c);
    free(c);
    system("rm -rf /tmp/bench_hipool");
}

static void bench_hipool(int val_sz) {
Confidence
83% confidence
Finding
rm -rf /tmp/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
}

static void bench(int vs, const char *label) {
    system("rm -rf /tmp/hb_small");
    MemoryCtx ctx;
    memory_init(&ctx, "/tmp/hb_small", 7);
    uint64_t *s_set = (uint64_t*)calloc(N, 8);
Confidence
90% confidence
Finding
rm -rf /tmp/hb_small"); MemoryCtx ctx; memory_init(&ctx, "/tmp/hb_small", 7); uint64_t *s_set = (uint64_t*)calloc(N, 8); uint64_t *s_get = (uint64_t*)calloc(N, 8); char k[64], v[16

Tool Parameter Abuse

High
Category
Tool Misuse
Content
}

static void bench(int vs, const char *label) {
    system("rm -rf /tmp/hb_small");
    MemoryCtx ctx;
    memory_init(&ctx, "/tmp/hb_small", 7);
    uint64_t *s_set = (uint64_t*)calloc(N, 8);
Confidence
90% confidence
Finding
rm -rf /tmp/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
    free(s_set); free(s_get);
    memory_destroy(&ctx);
    system("rm -rf /tmp/hb_small");
}

int main(void) {
Confidence
92% confidence
Finding
rm -rf /tmp/

VirusTotal

VirusTotal findings are pending for this skill version.