Memory Ops

Security checks across malware telemetry and agentic risk

Overview

This is a real PostgreSQL memory skill, but it broadly and durably stores chat and delegation context with weak scoping and no clear retention or deletion controls.

Install only if you intentionally want PostgreSQL-backed agent memory. Before use, replace the hardcoded user and agent values, narrow when memory runs, add explicit save/forget controls, set retention and deletion rules, and avoid storing secrets or regulated personal data unless you have clear controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%

Finding
The SQL hard-codes memory reads and writes to user_id='ian' and agent='jarvis', which creates identity confusion and can cause data from one specific user/agent context to be accessed regardless of the actual caller. In a multi-user or reusable skill setting, this risks unauthorized cross-session data access, incorrect attribution, and privacy violations because the queries are not scoped dynamically to the authenticated principal.

Vague Triggers

Severity: Medium
Confidence: 88%

Finding
The skill’s description says it should be used broadly whenever responding, delegating, consolidating context, or maintaining history, which can cause pervasive invocation across ordinary interactions. In a memory/persistence skill, that broad trigger materially increases privacy and retention risk because routine user content may be stored even when persistence is unnecessary.

Missing User Warnings

Severity: High
Confidence: 97%

Finding
The skill mandates saving user prompt context and delegation content to persistent PostgreSQL memory without any user-facing notice, consent flow, or retention limitation. This creates a real risk of silently collecting personal, confidential, or regulated data and retaining it beyond the immediate interaction.

Missing User Warnings

Severity: Medium
Confidence: 88%

Finding
The file persists raw prompt content, delegation prompts, and delegation results into long-term storage, but nothing in this code indicates consent, minimization, redaction, or retention controls. That is dangerous because user inputs and agent-to-agent messages can contain secrets, personal data, or sensitive business information that become retrievable later, expanding the blast radius of any misuse or compromise.

Ssd 3

Severity: Medium
Confidence: 96%

Finding
Requiring the system to always save user prompt context and delegation content creates a direct pathway for sensitive data to be copied into persistent memory and audit records. The danger is amplified by the word 'sempre' and by the operational context of responding and delegating, where users may disclose credentials, personal data, internal business information, or other secrets unintentionally.

Ssd 3

Severity: Medium
Confidence: 97%

Finding
The handoff procedure explicitly requires saving the full prompt sent to other agents and the result summary, which can preserve sensitive user context beyond the original processing boundary. This broadens exposure by duplicating potentially confidential content into long-lived storage and makes downstream compromise, misuse, or over-retention more damaging.

Ssd 3

Severity: Medium
Confidence: 96%

Finding
The seeded rule explicitly instructs the system to save the full context of every received and delegated prompt, which creates broad retention of potentially sensitive user data, secrets, and third-party information. In a memory system, this increases the risk of overcollection, unauthorized reuse, cross-session disclosure, and privacy noncompliance if prompts contain credentials, personal data, or confidential business content.

VirusTotal

66/66 vendors flagged this skill as clean.