ClawHub

Agent Memory Persistence

Security checks across malware telemetry and agentic risk

Overview

This is a local SQLite memory library whose main risk is that saved memories can persist sensitive user or session data if the installer uses it carelessly.

Install this only if you want agents or applications to keep local memories across sessions. Avoid storing secrets, credentials, payment data, or unnecessary personal information; choose a protected database path, apply restrictive file permissions or encryption where needed, and use expiresAt, delete, and cleanupExpired as part of a clear retention policy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README promotes persistent storage of user- and session-linked memories, metadata, and embeddings, but provides no warning about sensitive data handling, retention, access control, or privacy considerations. In an agent memory skill, this omission increases the chance that deployers will store personal or confidential information insecurely or longer than intended, creating privacy and data protection risk.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The skill says to use it whenever an agent needs durable memory across sessions, but it does not define boundaries for when persistence is appropriate or require checks for consent, sensitivity, or data minimization. In agent contexts, broad activation guidance can cause routine storage of prompts, secrets, personal data, or transient context that should not be retained, increasing privacy and data-retention risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The description presents durable SQLite-backed memory persistence without warning that stored content may include sensitive personal, session, or proprietary data. Because this skill is specifically designed for long-term retention across sessions with metadata and retrieval, omission of a user-facing warning materially increases the chance of unintended collection and persistence of sensitive information.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal