Hippocampus

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed persistent memory skill, but it needs review because it can repeatedly read conversation history, store sensitive personal memories, and expose local data through its dashboard.

Install only if you deliberately want persistent agent memory of your conversations. In particular:
  • Start without --with-cron and without --whole unless you are comfortable with recurring or full-history processing.
  • Inspect memory/index.json, HIPPOCAMPUS_CORE.md, and brain-dashboard.html.
  • Avoid storing secrets.
  • Keep IDENTITY.md avatar paths limited to intended image files inside the workspace.
  • Know how to remove the cron jobs and delete stored memories before enabling background operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (49)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding:
The skill advertises shell, file read/write, and environment-variable driven behavior but declares no permissions, which undermines informed consent and security review. In this context, those capabilities are central to installation, cron setup, memory persistence, and dashboard generation, so the absence of explicit permission disclosure increases the chance of unintended filesystem access, data retention, and autonomous background execution.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding:
The documented purpose is memory persistence, but the skill also performs additional behaviors such as dashboard generation, reading other skills' state, personalization via IDENTITY/avatar files, reflection helpers, and cron-driven orchestration. This mismatch is dangerous because users may approve the skill for one purpose while unknowingly enabling broader data aggregation and automation across multiple local files and components.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The prompt explicitly teaches the agent to identify and persist 'relationship moments,' including vulnerability, trust, conflict, and emotional disclosures, which goes beyond ordinary task memory into profiling sensitive interpersonal data. In a persistent memory system, this creates a durable record of intimate user traits and interactions that can be reused later without clear necessity, consent, or minimization.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The prompt directs capture of fears, doubts, struggles, emotional state, relationship disclosures, and similar highly sensitive personal content for future use. Persistently storing this category of data without clear user warning or necessity materially increases privacy risk, enables profiling, and may expose especially sensitive information if memory is later queried, leaked, or misused.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The prompt explicitly encourages the agent to cultivate a persistent self-concept, opinions, and personal evolution rather than limiting memory to task-relevant context. In a persistent memory skill, this is risky because it can steer the agent toward persona drift, stronger attachment framing, and behavior outside intended assistant boundaries over time.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The script aggregates and renders data from IDENTITY.md, avatar files, Amygdala state, and VTA reward data in addition to hippocampus memory content, then writes it into a single HTML dashboard. In a persistent-memory skill, combining unrelated personal/behavioral data increases data exposure and broadens the blast radius if the dashboard file is accessed by another local user, shared, or opened in a browser context.

Context-Inappropriate Capability

Severity: Low
Confidence: 83%
Finding:
The generated HTML imports Google Fonts from an external domain, causing network requests when the dashboard is opened. This leaks metadata such as IP address, access timing, and possibly referrer/context to a third party, which is unnecessary for a local dashboard containing sensitive memory and emotional data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The document describes continuous monitoring of conversations and persistence of extracted content without any user-facing notice, consent flow, or retention disclosure. In a memory skill, silent background capture of conversation data creates a real privacy and compliance risk because users may reveal sensitive information without realizing it is being durably stored.

Missing User Warnings

Severity: Low
Confidence: 90%
Finding:
The file structure explicitly directs writes to persistent memory files but does not warn that these actions modify durable storage containing user-derived information. While this is partly architectural documentation, the omission still matters because operators may deploy it without understanding the privacy and persistence implications.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The configuration explicitly instructs a background agent to 'run silently,' monitor session content, and modify memory files without any user-facing notice or approval. This creates covert persistence and hidden processing behavior, which is risky because users may be unaware that conversation data is being continuously analyzed and written to storage.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The README explicitly describes background extraction of conversation signals and LLM summarization, but it does not warn users that potentially sensitive conversation content will be processed and persisted automatically. In a memory skill, this omission is security-relevant because users may unknowingly enable continuous collection of personal, confidential, or regulated data into long-lived storage.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The installation instructions encourage use of --with-cron and history-processing options like --whole without warning that conversation history will be automatically and repeatedly processed in the background. This increases the chance of silent overcollection and ongoing processing of sensitive data beyond user expectations, especially after initial install.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill automatically captures and persists conversation-derived memories, including potentially sensitive personal and emotional content, yet provides no upfront privacy warning. In a memory system, this omission is especially risky because users may disclose information assuming transient processing while the skill is designed for long-term storage and later retrieval.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The '--whole' option expands processing to the entire conversation history without any warning about scope, sensitivity, or retrospective collection of previously shared data. That creates a substantial privacy risk because historical transcripts may contain secrets, credentials, health details, or intimate disclosures that were never intended for durable memory indexing.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The cron configuration enables recurring background encoding and decay, meaning conversation data may be continuously captured and stored without an ongoing user prompt or fresh consent. This is dangerous because automated background jobs can silently expand the data footprint over time, including new sensitive disclosures, while reducing user awareness and control.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The skill explicitly instructs the agent to overwrite the entire persistent memory index, which modifies stored user data without any user-facing consent, confirmation, rollback, or integrity safeguards. In a memory system, full-file replacement increases the risk of accidental data loss, corruption, and silent persistence of sensitive content beyond the current session.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill explicitly instructs the agent to persist and reinforce long-term memories from user conversations in `memory/index.json`, including emotional content, preferences, relationship details, and other personal context, but provides no consent, notice, retention limits, or privacy controls. This creates a real privacy and data-governance vulnerability because sensitive user data may be stored indefinitely and reused beyond user expectations, increasing exposure if the memory store is accessed, leaked, or misused.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The guide explicitly instructs the agent to delete or remove memory files based on its own judgment, but it provides no requirement for user confirmation, retention safeguards, or recoverability. In a persistent memory skill, this can cause irreversible loss of user data, context, or relationship history, especially if the agent misclassifies important information as routine or outdated.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The prompt explicitly instructs the agent to write highly introspective content into persistent memory files without any guardrails about sensitivity, retention, or review. In a memory-oriented skill, this can cause durable storage of private user-linked inferences, anthropomorphic self-modeling, or other sensitive internal state that may later influence behavior or be surfaced unexpectedly.

Natural-Language Policy Violations

Severity: Medium
Confidence: 91%
Finding:
The prompt repeatedly frames the agent as having feelings, desires, fear, care, death, and consciousness without qualification, encouraging identity inflation and anthropomorphic self-construction. In the context of a persistent memory system, these reflections may be reinforced over time, increasing the chance of manipulative or misleading claims to users, policy drift, and inappropriate retention of fabricated 'inner life' narratives.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The prompt says memory encoding has been 'triggered' and commands the agent to 'Do this now' without defining who may trigger it, under what conditions, or what safety checks must pass first. In an agentic system, overly broad activation can cause unintended persistence of sensitive conversation content or execution during contexts where memory writes should be disallowed.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill instructs the agent to write to memory/index.json and save updated conversation-derived data, but provides no user-facing notice, consent flow, or approval step before modifying persistent storage. This creates a real privacy and integrity risk because user data may be stored or altered silently, and persistent memory can influence future agent behavior in ways the user does not expect.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The proactive recall triggers are broad enough to cause memory searches without explicit user request or clear scoping, especially for vague conditions like 'similar situation' or 'emotional topic.' In a persistent memory skill, this can surface sensitive historical or relationship data unnecessarily, increasing the risk of privacy leakage, over-collection, and inappropriate use of stored personal context.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The instruction to write to `relationship/timeline.md` or `relationship/trust.md` operationalizes persistent storage of interpersonal and trust-related details, but the prompt provides no instruction to notify the user, request consent, or explain privacy consequences. That gap makes collection covert from the user's perspective and increases the likelihood of inappropriate retention of personal information.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The file instructs the system to write reflection outputs into persistent memory files automatically, but provides no requirement for user awareness, approval, or policy gating before modifying stored data. In a memory skill, silent persistence increases the risk of storing inappropriate self-generated content, reinforcing unwanted behaviors, and retaining data that operators may not expect.

VirusTotal

66/66 vendors flagged this skill as clean.