ClawHub

Memory Pruner

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill’s memory-cleanup purpose is clear, but the runnable CLI it tells the agent to use is not included, even though it can prune or compress persistent agent memory.

Review this skill carefully before installing. Its purpose is reasonable, but the actual memory-pruner executable is missing from the package, so you cannot verify the claimed safe deletion, backup, or dry-run behavior from the provided artifacts.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI04: Agentic Supply Chain Vulnerabilities
Medium
What this means

If an agent tries to use this skill, it may execute an unreviewed or missing local command named memory-pruner, which is especially risky because the documented function can delete or rewrite agent memory.

Why it was flagged

The skill declares a shell runtime entry, while the supplied manifest contains only SKILL.md and config.json and no memory-pruner executable or install specification. That creates a provenance gap for what command would actually run.

Skill content
"entry": "memory-pruner", "runtime": "shell"
Recommendation

Use only after the package includes the actual CLI source or clearly declares a trusted external binary, and verify that dry-run, confirmation, and backup behavior are implemented.

#
ASI06: Memory and Context Poisoning
Low
What this means

Legitimate pruning could still remove useful memories or merge details in a way that changes future agent responses.

Why it was flagged

The skill intentionally modifies persistent agent memory by pruning and compressing entries. This is purpose-aligned, and the documentation mentions confirmation and backups, but the user should recognize that it can affect future agent context.

Skill content
- **Auto-prunes old memories** — Removes entries older than configurable threshold
Recommendation

Run dry-run first, review all proposed deletions or merges, keep backups, and restrict the tool to the intended memory directory.