Security audit

Memory Augment

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local memory skill, but users should treat its stored and auto-injected memories as persistent private data.

Install only if you want a local persistent memory layer. Do not store passwords, API keys, personal identifiers, or sensitive business data. Review ~/.memory-augment/storage.yaml periodically, consider disabling or narrowing auto_inject triggers, and back up the memory file before using delete or import commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Description-Behavior Mismatch

Severity: Medium | Confidence: 80%
The skill can export the full memory database and import arbitrary JSON into persistent storage, which materially expands its data-handling capability beyond simple retrieval. In a long-term memory component, unrestricted bulk export increases exfiltration risk, and import of unvalidated data can poison memory contents or persist attacker-controlled records that later influence agent behavior across sessions.

Missing User Warnings

Severity: Medium | Confidence: 88%
The README promotes long-term storage of conversation history across sessions but does not clearly warn users that retained content can create privacy and cross-session disclosure risks. In an agent memory skill, this omission is meaningful because users may store sensitive operational details that later become accessible or re-surfaced in unrelated contexts.

Missing User Warnings

Severity: Medium | Confidence: 93%
The documentation advertises automatic context injection without explicitly warning that previously stored content may be inserted into future prompts or turns. That can cause unintended disclosure of prior conversation data, secrets, or sensitive project context, especially because the skill is specifically designed to feed memory back into agent execution.

Vague Triggers

Severity: Medium | Confidence: 90%
The quoted trigger examples are ordinary conversational phrases like 'Remember that...' and 'Find all notes about...', which are likely to occur naturally in unrelated conversations. Broad activation like this can cause unintentional memory storage or retrieval, exposing prior conversation data or causing the agent to persist content the user did not intend to save.

Vague Triggers

Severity: Medium | Confidence: 93%
Automatic context injection is described as occurring 'before each turn' with only generic relevance criteria, leaving activation and scoping underspecified. This is dangerous because persisted conversation data may be injected into unrelated tasks, causing privacy leakage, context poisoning, and unintended influence over future agent behavior.

Missing User Warnings

Severity: Medium | Confidence: 94%
The skill prominently advertises persistent memory and automatic context injection but does not provide a strong warning that past conversation data may be silently reintroduced into future prompts. Without clear disclosure, users may reveal personal or project information assuming it stays contextual to one session, while the system later surfaces it in unrelated interactions.

Vague Triggers

Severity: Medium | Confidence: 92%
The trigger list contains very broad, everyday terms like "income," "skills," and "preferences," which can match common conversation content and cause memories to be injected far more often than users would reasonably expect. In a long-term memory skill, this increases the chance of irrelevant or sensitive prior context being surfaced into active conversations, creating privacy leakage and prompt-context contamination risks.

Natural-Language Policy Violations

Severity: Low | Confidence: 86%
Automatic memory injection on "each_turn" means prior stored data may be inserted into every interaction regardless of necessity, and the high max_tokens setting amplifies the amount of potentially sensitive context exposed. In a memory system designed to persist cross-session information, always-on injection materially increases the risk of over-sharing personal data, irrelevant context bleed, and downstream misuse by agents or tools consuming the prompt.

Vague Triggers

Severity: Medium | Confidence: 94%
The documented trigger activates memory injection whenever the user asks about a broad term like "skills," which is an overly loose natural-language condition. In a long-term memory system, this can cause unrelated or sensitive stored memories to be surfaced without explicit user intent, increasing the risk of privacy leaks and prompt-context contamination.

Missing User Warnings

Severity: Medium | Confidence: 97%
The demo explicitly shows automatic injection of stored memories into context but provides no warning, consent mechanism, or privacy guardrail. Because this skill is designed for long-term cross-session memory, silent retrieval and injection can expose prior conversation data, preferences, or internal project information in ways users may not expect.

Missing User Warnings

Severity: Medium | Confidence: 88%
The demo explicitly describes automatic injection of stored memories into future conversations, including user preferences and prior decisions, without any indication of consent controls, scoping, sensitivity filtering, or disclosure boundaries. In a long-term memory skill, this creates a realistic risk of unintended privacy leakage or over-sharing of prior context into unrelated tasks, especially when memories may contain sensitive personal or operational information.

Missing User Warnings

Severity: Medium | Confidence: 95%
The skill persists arbitrary memory content to a predictable file under the user's home directory with no privacy notice, consent flow, encryption, or permission hardening. Because this component is specifically designed to retain cross-session conversation history and learned information, it is likely to store sensitive personal or operational data, making local disclosure and unintended long-term retention a realistic risk.

VirusTotal

66/66 vendors flagged this skill as clean.