Elite Longterm Memory 1.2.3

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent long-term memory tool, but it tells agents to persist conversation details silently and recommends external memory services without enough privacy controls.

Install only if you intentionally want the agent to keep durable memory. Do not store secrets, credentials, regulated data, private personal details, customer data, or confidential source context. Enable SuperMemory or Mem0 only after accepting that conversation-derived data may be sent to external providers, and regularly review/delete local memory files, vectors, and Git notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill markets itself as a 'bulletproof' multi-layer memory system with WAL, vector search, git-notes, and cloud backup, but the document mostly provides manual setup guidance and aspirational instructions rather than implemented safeguards. This mismatch is dangerous because users may rely on persistence, privacy boundaries, or backup behavior that does not actually exist, leading to silent data loss or unsafe assumptions about where sensitive conversation data goes.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The documentation encourages integrating unrelated third-party cloud memory services and auto-extraction tooling beyond the declared core setup. This expands the trust boundary and can cause users to send conversation data to additional providers without understanding the security and privacy implications.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README promotes automatic fact extraction from conversations and optional cloud sync, but it does not clearly warn users that potentially sensitive conversation content may be transmitted to third-party services or stored outside the local workspace. In an agent memory skill, this is especially risky because users may assume memory operations are local and may unknowingly expose secrets, personal data, or proprietary code context.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to silently store user decisions and preferences without a clear notice, consent model, or sensitivity filter. Silent retention of user-provided information is risky because users may disclose personal, confidential, or regulated data without realizing it will be persisted.

Missing User Warnings

High
Confidence
97% confidence
Finding
Optional cloud backup and automatic extraction are presented without an explicit warning that conversation content may be transmitted to third-party services. This is dangerous because it can lead to inadvertent exfiltration of sensitive prompts, credentials, internal code, or personal data outside the local environment.

Ssd 3

Medium
Confidence
94% confidence
Finding
The instructions tell the agent to silently retain and persist user conversation details across several storage layers, including optional cloud backup and auto-extraction. This broad persistence model increases the chance of oversharing, unauthorized retention, and long-lived exposure of sensitive information across local and external systems.

Ssd 3

Medium
Confidence
95% confidence
Finding
The WAL rules require recording user statements before replying, creating a blanket capture policy that applies regardless of sensitivity or necessity. A mandatory 'log first' rule is dangerous because it normalizes storing everything, including secrets and one-time sensitive disclosures, before any review or filtering can occur.

Ssd 3

Medium
Confidence
93% confidence
Finding
Promoting automatic fact extraction from conversations encourages indiscriminate harvesting of user content into durable memory. Without strong guardrails, extracted 'facts' may include personal data, secrets, or incorrect inferences that are then retained and reused across sessions.

Session Persistence

Medium
Category
Rogue Agent
Content
```
- [ ] ...
```

**Rule:** Write BEFORE responding. Triggered by user input, not agent memory.

### Layer 2: WARM STORE (LanceDB Vectors)
**From: lancedb-memory**
Confidence
90% confidence
Finding
Write BEFORE responding. Triggered by user input, not agent memory. ### Layer 2: WARM STORE (LanceDB Vectors) **From: lancedb-memory** Semantic search across all memories. Auto-recall injects releva

Session Persistence

Medium
Category
Rogue Agent
Content
User: "Let's use Tailwind for this project, not vanilla CSS"

Agent (internal):
1. Write to SESSION-STATE.md: "Decision: Use Tailwind, not vanilla CSS"
2. Store in Git-Notes: decision about CSS framework
3. memory_store: "User prefers Tailwind over vanilla CSS" importance=0.9
4. THEN respond: "Got it — Tailwind it is..."
Confidence
91% confidence
Finding
Write to SESSION-STATE.md: "Decision: Use Tailwind, not vanilla CSS" 2. Store in Git-Notes: decision about CSS framework 3. memory_store: "User prefers Tailwind over vanilla CSS" importance=0.9 4. THE

VirusTotal

66/66 vendors flagged this skill as clean.