memory-orchestrator

Security checks across malware telemetry and agentic risk

Overview

This is a transparent local memory prototype that writes and reads workspace memory files, with privacy and path-scope caveats users should understand before enabling it.

Install only if you want a local, file-based memory system. Keep MEMORY_ROOT pointed at a dedicated workspace directory, review the memory/ folder periodically, and avoid sending secrets or highly sensitive personal data into automatic capture flows unless you have added deletion, retention, and redaction controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Tainted flow: 'SESSION_PATH' from os.environ.get (line 9, credential/environment) → open (file write)

Severity: Medium
Category: Data Flow
Confidence: 94%
Content:
def save_session(data):
    with open(SESSION_PATH, 'w', encoding='utf-8') as f:
        if yaml is None:
            f.write(dump_yaml_fallback(data))
        else:
Finding: with open(SESSION_PATH, 'w', encoding='utf-8') as f:

Tainted flow: 'path' from os.environ.get (line 39, credential/environment) → open (file write)

Severity: Medium
Category: Data Flow
Confidence: 92%
Content:
def append_daily(events):
    day = datetime.now().astimezone().strftime('%Y-%m-%d')
    path = os.path.join(DAILY_DIR, f'{day}.md')
    with open(path, 'a', encoding='utf-8') as f:
        if os.path.getsize(path) == 0:
            f.write(f'# {day}\n\n')
        for ev in events:
Finding: with open(path, 'a', encoding='utf-8') as f:

Tainted flow: 'path' from os.environ.get (line 39, credential/environment) → open (file write)

Severity: Medium
Category: Data Flow
Confidence: 93%
Content:
def upsert_object(path, data):
    with open(path, 'w', encoding='utf-8') as f:
        if yaml is None:
            f.write(dump_yaml_fallback(data))
        else:
Finding: with open(path, 'w', encoding='utf-8') as f:

Tainted flow: 'out' from os.environ.get (line 38, credential/environment) → open (file write)

Severity: Medium
Category: Data Flow
Confidence: 89%
Content:
        counter[keyword] += text.count(keyword)
    day = datetime.now().astimezone().strftime('%Y-%m-%d')
    out = os.path.join(REFLECTIONS_DIR, f'{day}.md')
    with open(out, 'w', encoding='utf-8') as f:
        f.write(f'# Reflection {day}\n\n')
        f.write('## Reviewed\n')
        for name, _ in recent:
Finding: with open(out, 'w', encoding='utf-8') as f:

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill instructs use of local scripts that read and write workspace files and invoke shell-accessible tooling, yet it declares no permissions or safety boundaries. This creates a trust and consent gap: an agent may perform file and command operations that the user or platform has not explicitly authorized, increasing the chance of unintended data access or modification.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The architecture explicitly describes extracting conversation-derived preferences, decisions, corrections, and topic activations and writing them into persistent memory artifacts, but it does not mention any user notice, consent, retention boundary, or opt-out. In a memory-orchestration skill, this omission is meaningful because the whole purpose is long-term capture of user data, increasing privacy risk and the chance of storing sensitive information without the user's awareness.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The recall trigger list includes very common conversational phrases such as '上次' ("last time"), '之前' ("before"), '继续' ("continue"), and '还记得' ("still remember"). In a memory skill, overly broad triggers can cause unintended recall on ordinary chat turns, which may surface irrelevant or sensitive prior context and create privacy, correctness, and prompt-routing risks.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The write trigger list includes broad phrases like '以后' ("from now on"), '默认' ("by default"), '不要' ("don't"), and '改成' ("change to"), which commonly appear in normal conversation without implying durable memory storage. In a persistent memory system, this can lead to accidental capture of transient instructions or sensitive preferences, causing privacy issues, stale state, and unwanted behavioral persistence across sessions.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The skill says to extract memory-worthy events and write them immediately to persistent storage before answering, but it provides no explicit notice, consent flow, retention limits, or sensitivity filtering. In a memory system, this is especially risky because conversations can contain personal, confidential, or regulated data, which could be silently persisted and later resurfaced.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The file defines a persistent local storage layout for conversational memory, including session state, daily logs, preferences, decisions, and reflections, but provides no guidance on handling sensitive personal data. In a memory-orchestration skill, this omission is security-relevant because it encourages durable storage of potentially private user information without retention limits, consent checks, access controls, or encryption expectations.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The CLI performs persistent memory writes without any user-facing disclosure, preview, or confirmation step. In a memory-orchestration skill, that is more dangerous than usual because conversation text may contain sensitive personal data, causing silent retention beyond the user's expectations.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The turn command automatically extracts and applies memory events whenever should_write is true, with no visible disclosure at the point of persistence. In this skill context, automated long-term memory capture increases privacy and consent risk because routine conversational input can be stored silently and chained into future recall.

VirusTotal

65/65 vendors flagged this skill as clean.
