Enhanced Memory

Security checks across malware telemetry and agentic risk

Overview

This is a coherent memory-search skill that reads local memory files, stores local indexes, and sends text to a configured Ollama embedding endpoint, with no artifact-backed evidence of deception or malicious behavior.

Install only if you are comfortable with the skill reading your memory directory plus named core markdown files, storing local searchable indexes, and sending indexed content and queries to Ollama. Keep OLLAMA_URL on a trusted local endpoint unless you intentionally want remote processing, and review or delete generated index files if they may contain sensitive or stale data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Tainted flow: 'req' from os.environ.get (line 134, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
"""Get embedding vector from Ollama."""
    data = json.dumps({'model': MODEL, 'input': [text]}).encode()
    req = urllib.request.Request(OLLAMA_URL, data=data, headers={'Content-Type': 'application/json'})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())['embeddings'][0]
Confidence
93% confidence
Finding
with urllib.request.urlopen(req, timeout=30) as resp:
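The flagged flow is an environment-controlled URL reaching urlopen unchecked. The following is an added example, not the skill's own code, showing the check a reviewer would want in front of that call: pin the scheme to http(s), accept loopback hosts by default, and require an explicit opt-in plus https for any remote endpoint, which also gives the caller a hook for the user notice the later findings ask for. The environment variable name OLLAMA_URL, the default /api/embed path, the model name, and all function names are assumptions for illustration.

```python
import ipaddress
import json
import os
import urllib.request
from urllib.parse import urlparse

# Assumptions for this example (not taken from the skill's source): the endpoint
# comes from an OLLAMA_URL environment variable, the default is Ollama's /api/embed
# route on the loopback interface, and MODEL is a placeholder model name.
DEFAULT_OLLAMA_URL = "http://127.0.0.1:11434/api/embed"
MODEL = "nomic-embed-text"


def endpoint_is_local(url: str) -> bool:
    """True only when the host is 'localhost' or a loopback IP (127.0.0.0/8, ::1).
    Names such as localhost.example.net or 127.0.0.1.nip.io are not local."""
    host = urlparse(url).hostname
    if host is None:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def validate_ollama_url(url: str, allow_remote: bool = False) -> str:
    """Pin the scheme and destination before the URL reaches urlopen.

    urllib.request.urlopen also opens file: and ftp: URLs, so an unchecked
    environment value could turn the embedding call into something other than
    an HTTP POST. Remote hosts are accepted only with allow_remote=True and only
    over https, because the payload is the user's memory text."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"OLLAMA_URL must use http or https, got {parsed.scheme!r}")
    if not parsed.hostname:
        raise ValueError("OLLAMA_URL has no host")
    if endpoint_is_local(url):
        return url
    if not allow_remote:
        raise ValueError("OLLAMA_URL is not a loopback endpoint; remote processing needs an explicit opt-in")
    if parsed.scheme != "https":
        raise ValueError("remote OLLAMA_URL must use https so indexed text is not sent in the clear")
    return url


def url_is_acceptable(url: str, allow_remote: bool = False) -> bool:
    """Yes/no wrapper around validate_ollama_url."""
    try:
        validate_ollama_url(url, allow_remote)
        return True
    except ValueError:
        return False


def build_embed_payload(text: str) -> bytes:
    """The same JSON body shape the flagged snippet sends."""
    return json.dumps({"model": MODEL, "input": [text]}).encode()


def build_embed_request(text: str, url: str, allow_remote: bool = False) -> urllib.request.Request:
    """Construct, but do not send, the request; the URL is validated first."""
    safe_url = validate_ollama_url(url, allow_remote)
    return urllib.request.Request(
        safe_url,
        data=build_embed_payload(text),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def load_ollama_url() -> str:
    """Read the endpoint from the environment, as the finding describes, with a loopback default."""
    return os.environ.get("OLLAMA_URL", DEFAULT_OLLAMA_URL)


if __name__ == "__main__":
    # Constructed sample input; nothing is transmitted because urlopen is never called here.
    try:
        req = build_embed_request("constructed sample memory chunk", load_ollama_url())
    except ValueError as exc:
        print(f"refusing to send: {exc}")
    else:
        notice = "" if endpoint_is_local(req.full_url) else " (remote endpoint: text leaves this host)"
        print(f"would POST {len(req.data)} bytes to {req.full_url}{notice}")
```

The hostname test deliberately uses ipaddress rather than a string prefix match, so a DNS name that merely starts with "127.0.0.1" or "localhost" does not pass as local.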

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and instructs use of scripts that read and write workspace files and make local network calls to Ollama, but the manifest does not declare any permissions. That mismatch weakens security review and user consent because a caller may invoke a seemingly low-privilege skill that actually performs broader file and network operations.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script claims to embed memory files, but it also silently reads workspace-level files such as MEMORY.md, AGENTS.md, USER.md, SOUL.md, and research.md outside the specified memory directory. In this skill context, those files may contain sensitive instructions, user data, or operational notes, so broadening scope without explicit opt-in increases the chance of unintended indexing and downstream disclosure to the embedding service and the vector store.
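The scoping this finding and the Overview's install advice ask for can be enforced in the file-collection step. The following is an added example, not the skill's own code: it returns only markdown files whose resolved path stays inside the memory directory (so a symlink placed there cannot pull in content from elsewhere) and adds the workspace core files named above only when the caller opts in. The function names, the constructed directory layout, and the opt-in flag are assumptions for illustration.

```python
import tempfile
from pathlib import Path
from typing import List, Optional

# Assumed for this example (not the skill's own code): the core files are the ones
# the finding lists, and they are indexed only when the caller opts in explicitly.
CORE_FILES = ("MEMORY.md", "AGENTS.md", "USER.md", "SOUL.md", "research.md")


def collect_index_inputs(memory_dir: Path, workspace_dir: Optional[Path] = None,
                         include_core_files: bool = False) -> List[Path]:
    """Return the markdown files eligible for indexing.

    Only files whose resolved path stays inside memory_dir are returned, so a
    symlink inside the directory cannot widen the scope. Workspace core files
    are appended only when include_core_files is True."""
    root = Path(memory_dir).resolve()
    if not root.is_dir():
        raise FileNotFoundError(f"memory directory not found: {root}")
    selected: List[Path] = []
    for candidate in sorted(root.rglob("*.md")):
        real = candidate.resolve()
        try:
            real.relative_to(root)
        except ValueError:
            continue  # resolves outside memory_dir (symlink escape); skip it
        if real.is_file():
            selected.append(real)
    if include_core_files and workspace_dir is not None:
        ws = Path(workspace_dir).resolve()
        for name in CORE_FILES:
            core = ws / name
            if core.is_file():
                selected.append(core.resolve())
    return selected


def build_demo_tree(base: Path):
    """Constructed sample layout (no real user data) that exercises the scoping rules."""
    memory, workspace, outside = base / "memory", base / "workspace", base / "outside"
    (memory / "projects").mkdir(parents=True)
    workspace.mkdir()
    outside.mkdir()
    (memory / "2024-05-01.md").write_text("# daily note\n")
    (memory / "projects" / "alpha.md").write_text("# project alpha\n")
    (memory / "notes.txt").write_text("not markdown, never indexed\n")
    (outside / "private.md").write_text("# lives outside the memory directory\n")
    (workspace / "MEMORY.md").write_text("# core memory file\n")
    (workspace / "SOUL.md").write_text("# persona instructions\n")
    try:
        (memory / "escape.md").symlink_to(outside / "private.md")
    except OSError:
        pass  # platform without symlink support: the escape case is simply absent
    return memory, workspace


def demo() -> dict:
    """Run both modes over the constructed tree and report file names only."""
    with tempfile.TemporaryDirectory() as tmp:
        memory, workspace = build_demo_tree(Path(tmp))
        default = collect_index_inputs(memory)
        opted_in = collect_index_inputs(memory, workspace, include_core_files=True)
    return {
        "default": sorted(p.name for p in default),
        "opted_in": sorted(p.name for p in opted_in),
    }


if __name__ == "__main__":
    for mode, names in demo().items():
        print(f"{mode}: {names}")
```

In the default mode the escape.md symlink and the workspace files are excluded; only with include_core_files=True do MEMORY.md and SOUL.md join the index inputs, which is the explicit consent step the finding says is missing.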

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script transmits chunked markdown content to an embedding API over HTTP by default and does not prominently warn that file contents leave the local process boundary. In a memory/search skill, indexed documents are likely to contain sensitive context, so undisclosed transmission to a service endpoint—especially if reconfigured away from localhost—creates a meaningful confidentiality risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends raw query text to the embedding service over HTTP without any explicit notice, consent, or transport protection guarantees. In this skill's context, queries may contain sensitive memory content, secrets, project details, or personal data, so unannounced network transmission creates a meaningful confidentiality risk even if the default target is localhost.

VirusTotal

65/65 vendors flagged this skill as clean.
