Reflective Memory

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent memory tool, but it persistently changes agent integrations and can automatically capture sessions and index workspace files, so it deserves review before installation.

Install only if you want a persistent agent memory layer. Review and configure tool integrations, workspace indexing paths, excludes, and provider settings first, especially if the workspace may contain private source, customer data, or secrets. Use local providers or disable broad indexing if you do not want content summarized or embedded through external services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                capture_output=True,
                timeout=60,
            )
            subprocess.run(
                [npm, "run", "build"],
                cwd=str(plugin_dir),
                check=True,
Confidence
83% confidence
Finding
subprocess.run( [npm, "run", "build"], cwd=str(plugin_dir), check=True, capture_output=True, timeout=30,

VirusTotal

65/65 vendors flagged this skill as clean.
