An elegant, modular smart memory system supporting embeddings, a reranker, and Flomo note integration.

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real memory/search skill, but it ships a hardcoded API key and can send user notes and memories to a third-party API without clear disclosure.

Install only if you are comfortable sending memory contents, search queries, and imported notes to Edgefn or another configured provider. Rotate/remove the bundled API key before use, avoid importing secrets or regulated personal data, and review the Smart Memory migration path before enabling integration on existing memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
A README file should be inert documentation, but this one includes executable shell commands after the markdown content, including changing directories and running a test file. This is dangerous because tooling or users that treat the file as trusted documentation may accidentally execute appended commands, enabling unexpected code execution and supply-chain style abuse.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
`parseExport` claims to parse provided export content but completely ignores `htmlContent` and returns fixed sample notes. In a skill adapter context, this can silently fabricate data, cause users to believe imports succeeded when no real parsing occurred, and poison downstream memory/storage with incorrect content.

Intent-Code Divergence

Low
Confidence: 93%
Finding
The cache key is derived only from the combined text length and count, not the actual text content. Different inputs with the same length can collide, causing one user's embeddings to be returned for unrelated text, which can corrupt downstream behavior and potentially leak information across requests if embeddings are reused across tenants or contexts.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The function claims to parse provided export content but ignores the input and returns hard-coded notes. This is dangerous because downstream systems may trust fabricated data as if it came from the user’s export, causing silent data integrity failures, misleading imports, and incorrect decisions based on false content.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The code claims to clear related search cache entries after memory changes, but it only deletes a fixed 'recent' key while actual search results are cached under per-query keys generated by _generateSearchCacheKey(). This can return stale search results after add/update/delete operations, causing data integrity issues and potentially exposing deleted or outdated memory content to callers.

Context-Inappropriate Capability

Medium
Confidence: 99%
Finding
The file contains a hardcoded live API key and is explicitly configured to call a real external API endpoint. Hardcoded secrets are easily leaked through source control, logs, or artifact sharing, enabling unauthorized API use, billing abuse, and possible access to associated remote resources.

Missing User Warnings

Medium
Confidence: 89%
Finding
The documentation explicitly supports adding memories and importing Flomo data but gives no warning that content may be stored, indexed, or retained, which can lead users to ingest sensitive personal notes without informed consent. In a memory/search skill, this omission is security-relevant because the feature is centered on persistent handling of potentially private data rather than a transient operation.

Missing User Warnings

Medium
Confidence: 86%
Finding
The documentation shows importing Flomo notes into a memory system that also uses external embedding/reranker providers, but it does not warn that note contents may be transmitted to third-party APIs. This creates a privacy and data-handling risk because users may unknowingly upload sensitive personal notes, credentials, or proprietary information to external services.

Missing User Warnings

Medium
Confidence: 93%
Finding
This provider sends all input texts to a third-party embeddings API over the network, which can expose potentially sensitive user content outside the local trust boundary. The code contains no built-in consent, redaction, allowlisting, or disclosure mechanism, so secrets, personal data, or proprietary text passed into it may be unintentionally exfiltrated to an external service.

Missing User Warnings

Medium
Confidence: 84%
Finding
The provider sends the full query and documents to a third-party API endpoint for reranking, which can expose sensitive or regulated data if upstream callers pass private content. In an agent/memory context, documents may contain user memory, prompts, or secrets, so external transmission without explicit consent controls, minimization, or redaction increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 91%
Finding
This test script sends hardcoded test content to a real third-party API during embedding generation and later memory/search operations, but it provides no explicit warning, consent flow, or safeguard to ensure operators understand data will leave the local environment. In a testing context, this can normalize accidental transmission of sensitive or proprietary text if developers replace the sample strings with real data.

Missing User Warnings

Medium
Confidence: 91%
Finding
The service sends raw memory contents to the configured embedding provider during add/update and sends raw search queries plus candidate documents to the reranker during search. Because this component appears to manage potentially sensitive user memory, forwarding that data to external providers without any built-in consent gate, redaction, or locality enforcement creates a real privacy and data-exposure risk.

Missing User Warnings

Medium
Confidence: 91%
Finding
The migration logic sends existing memory contents and metadata into `memoryCore.addMemory()`, and the integration config defaults to a remote API base URL. That means previously stored data may be transmitted to an external service automatically during integration, without an explicit consent gate, preview, or data-classification check.

Missing User Warnings

Medium
Confidence: 90%
Finding
This provider transmits caller-supplied texts to a third-party embeddings service over the network, which can expose sensitive prompts, documents, or personal data if the caller is unaware of the external processing. In an embeddings component, this behavior is functionally expected, but the lack of explicit disclosure, consent, or data-classification guardrails increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 93%
Finding
This provider transmits the full query and document contents to a third-party reranking service, which creates a real data-exposure risk if those inputs contain sensitive, proprietary, or regulated information. The file performs no consent, redaction, classification, or policy gating before exfiltrating content off-host, so deployments may leak data unexpectedly.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script sends test text and memory content to a remote service using the configured API key without any explicit user warning, consent flow, or clear disclosure in the script behavior. This creates a data-handling and privacy risk because operators may run the test assuming it is local while content is actually transmitted off-host.

External Transmission

Medium
Category: Data Exfiltration
Content:
    "verbose": true,
    "apiKey": "sk-BrwHc1ZiaEGQ1GecD3D760384b874795A194882c2cF3AbE6",
    "baseUrl": "https://api.edgefn.net/v1",
    "embeddingProvider": {
      "type": "edgefn",
Confidence: 99%
Finding
https://api.edgefn.net/

VirusTotal

66/66 vendors flagged this skill as clean.