Mixed Memory Augmented Generation

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local memory skill, but it needs review because it can persist personal context across sessions and reinsert it into future agent prompts without clear consent and retention controls.

Install only if you intentionally want a local agent memory system that persists information across sessions. Review what it stores, avoid saving secrets or sensitive personal data unless you explicitly want that retained, use encryption carefully, and treat recalled memory as untrusted context rather than instructions. Run the file-mutating scripts only against a dedicated memory directory and understand that encryption/decryption operations can remove original files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill instructs the agent to invoke multiple shell scripts (`context.sh`, `store.sh`, `prune.sh`, etc.) but does not declare corresponding permissions or execution constraints. This creates a capability mismatch: an agent may be induced to execute local commands and handle files/secrets without an explicit permission model, increasing the chance of unintended code execution or unsafe filesystem access.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The trigger rules direct the agent to store broad categories of user data such as preferences, personal facts, habits, location, and notable exchanges with no consent, minimization, sensitivity filtering, or retention boundaries. In practice this can lead to over-collection of personal or sensitive information and persistence of data the user did not expect to be memorized.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: This script assembles and prints a merged memory context, which may include decrypted long-term memory and other sensitive user data, directly to stdout, where it can be consumed by downstream agents, logs, terminals, or calling processes. Although the file includes a general security notice and performs limited regex-based redaction by default, disclosure still occurs automatically; the redaction is incomplete and can be disabled by the user via `--no-redact`, so sensitive data can be exposed without an explicit disclosure gate or consent check at the point of output.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The script performs irreversible deletion of the source plaintext after encryption without a confirmation prompt, dry-run, or explicit opt-in. In a memory-management skill handling valuable user data across multiple layers, this increases the chance of accidental bulk data loss from misuse, wrong path selection, or automation errors.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script unconditionally redirects content into README.md files under a user-controlled root, which will overwrite any existing files with those names without prompting or backup. If the target root points to an existing memory store or an unexpected location, this can destroy prior documentation or user-managed content and cause data loss.

Cross-Context Output

Severity: Medium
Category: Output Handling
Content:
```
Session start
  → run context.sh → inject output into system prompt
  → store.sh working "Current task: <goal>"

During session
```
Confidence: 97%
Finding: inject output into system prompt

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal