Ultramemory

Security checks across malware telemetry and agentic risk

Overview

This is a coherent memory skill, but it stores and resurfaces long-term conversation facts, relies on external LLM processing during ingest, and gives users only limited guidance on controlling what is retained.

Install only if you are comfortable with conversation facts being stored long term, searched later, and potentially sent to Anthropic or OpenAI during ingest. Avoid storing secrets, credentials, regulated personal data, or private client material unless you have explicit approval and a deletion process. Prefer explicit per-item ingest and recall over automatic transcript ingest or startup prompt injection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium (85% confidence)
Finding
The trigger guidance is extremely broad, covering common phrases like 'remember this' or generic retrieval questions that can occur in ordinary conversation. Over-broad activation raises the chance of accidental ingestion, unintended memory lookups, or unreviewed storage of sensitive user content.

Missing User Warnings

Medium (90% confidence)
Finding
The skill promotes storing conversation facts and building profiles but does not provide a prominent warning that this may retain sensitive personal or confidential data. In a memory skill, omission of such notice is especially risky because persistence changes the privacy impact of otherwise transient conversation content.

Missing User Warnings

High (96% confidence)
Finding
The setup and ingest flow state that an API key is required for fact extraction, implying ingested text may be transmitted to an external LLM provider, but this is not clearly and explicitly warned at the point of use. That can result in silent exfiltration of sensitive conversation content to third parties during memory ingestion.

Missing User Warnings

Medium (94% confidence)
Finding
The CLI explicitly supports ingesting, searching, recalling, and dumping stored memory data, including full graph export and entity profiles, but provides no warning, consent prompt, or access-control boundary around persistent storage and disclosure. In a memory skill, this is especially sensitive because users may input personal, cross-session, or confidential context and later expose it through commands like graph, search, recall, history, and profile without realizing the data is retained in a local database.

Ssd 3

Medium (91% confidence)
Finding
The integration guidance encourages automatically ingesting post-conversation content into long-term memory without any sensitivity boundaries, review step, or minimization. This can accumulate private, regulated, or secret information and make later unauthorized retrieval or leakage more likely.

Ssd 3

Medium (94% confidence)
Finding
The architecture explicitly endorses opportunistic injection of stored memories into prompts without an explicit user request or sensitivity screening. Automatic prompt enrichment from a large memory store can leak unrelated or sensitive facts into downstream model contexts, especially across sessions or agents, magnifying privacy and confidentiality risks.

VirusTotal

66/66 vendors flagged this skill as clean.