ClawHub

Remember

Security checks across malware telemetry and agentic risk

Overview

This is a transparent, instruction-only memory helper; it has real privacy considerations, but its behavior matches its stated purpose and does not show hidden or unsafe actions.

Install this only if you want the agent to keep persistent memory. Review what it saves, use the forget and never-remember controls, and avoid saving passwords, tokens, private health or financial details, or sensitive business information unless you intentionally want that context retained and reused.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs persistent storage of user-related information such as preferences, relationships, corrections, and commitments, but it does not include safeguards around consent, data minimization, sensitive-data exclusion, retention limits, or privacy disclosure. This creates a real risk of storing personal or sensitive information indefinitely, leading to privacy harm, policy violations, or misuse if the memory is later retrieved in the wrong context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to delete or archive stored memory entries during periodic maintenance, but it does not require any user-facing notice, confirmation, or consent before modifying persistent data. In a memory-management skill, silent deletion can remove information the user expects to persist, reduce transparency, and create privacy and accountability issues if records are altered without the user's awareness.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guidance says privacy-sensitive data may be deleted and that archiving should be preferred when uncertain, but it does not tell the user how sensitive memory is identified, handled, retained, or removed. In a skill dedicated to persistent memory, this lack of disclosure is risky because sensitive information could be stored, moved, or retained without informed user understanding or control.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal