Memory Pipeline

Security checks across malware telemetry and agentic risk

Overview

This memory skill appears purpose-built rather than malicious, but it can persist private session data and send workspace memory to external LLM providers with limited consent controls.

Install only if you are comfortable with your notes, transcripts, imported ChatGPT conversations, and memory files being stored in the workspace and potentially processed by configured LLM providers. Use dedicated API keys, review generated memory files, avoid importing highly sensitive exports, disable or tightly configure after-action hooks if needed, and prefer dry-run/review workflows before indexing large archives.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Context-Inappropriate Capability (Medium, 97% confidence)

The script contains a hard-coded denylist of medical/research keywords that causes matching conversations to be silently excluded from ingestion. In a generic memory-ingestion tool, topic-based suppression is not necessary for core functionality and can be used to selectively hide sensitive or operationally important data from downstream memory, audits, or reviews. The skill context increases concern because this tool is part of a memory pipeline, so selective omission directly shapes what the agent can remember and act on.

Context-Inappropriate Capability (Medium, 92% confidence)

The script actively searches environment variables and local config files for API keys, then uses any discovered credential to send workspace-derived content to third-party LLMs. This creates implicit data egress behavior and can surprise users who did not expect local memory, identity, or notes to be transmitted off-host just because credentials happened to be present.

Description-Behavior Mismatch (Medium, 98% confidence)

The code assembles sensitive workspace material including SOUL.md, IDENTITY.md, USER.md, todos, extracted facts, and recent notes into a prompt and transmits it to external APIs. In a memory system, this context is especially likely to contain private, persistent, and user-specific information, so the exposure risk is materially higher than generic summarization.

Context-Inappropriate Capability (Medium, 88% confidence)

The script enumerates a fixed transcript directory under the user's home directory outside the detected workspace and uses its contents as source material. In a memory-ingestion skill, this broadens the trust boundary and can pull in sensitive cross-project conversation history without explicit consent, creating privacy and unintended data-ingestion risk.

Missing User Warnings (Medium, 87% confidence)

The setup section says it will create a memory directory and run the full pipeline, but it does not clearly warn that this modifies the workspace and generates durable memory artifacts. Users may run setup expecting dependency checks only, not immediate extraction, linkage, briefing generation, and persistent file creation.

Missing User Warnings (High, 96% confidence)

The external ingestion feature imports ChatGPT exports into searchable workspace memory without a strong privacy warning, even though such exports often contain highly sensitive personal, business, medical, or credential-adjacent content. Once imported, the data may be indexed, linked, surfaced in briefings, or transmitted onward to external LLM providers during later pipeline stages.

Missing User Warnings (Medium, 85% confidence)

The hook documentation describes automatic after-action summaries and memory file updates, but does not prominently warn that session content may be appended after each session. Automatic persistence increases the risk that sensitive prompts, operational details, or user data are retained longer than intended and later reused or disclosed.

Missing User Warnings (Medium, 97% confidence)

The guide instructs users to ingest daily notes and session transcripts, then use external LLM providers, but it gives no privacy warning that sensitive data may be transmitted off-host. In the context of a memory pipeline, these sources can contain credentials, personal data, internal discussions, or proprietary information, so silent external processing materially increases data leakage risk.

Missing User Warnings (Medium, 96% confidence)

Sensitive context is sent to external LLMs without an explicit user-facing warning, confirmation, or audit trail. Users may reasonably assume a memory/briefing helper operates locally, making the undisclosed network transfer a privacy and trust violation.

Missing User Warnings (Low, 88% confidence)

The script silently reads credentials from environment variables and well-known config files, enabling remote behavior without user awareness at runtime. While credential discovery itself is common, doing so in a tool that then exfiltrates workspace memory increases the risk of unintended external use.

Missing User Warnings (Medium, 96% confidence)

The script sends daily memory notes or harvested session transcript content to third-party LLM APIs without any explicit consent, warning, redaction, or allowlist. Because those sources may contain sensitive user data, secrets, personal information, or proprietary project context, this creates a real confidentiality risk through external transmission and processing.

Missing User Warnings (Medium, 94% confidence)

The script transmits fact subject/content to OpenAI's embeddings API, which can include sensitive memory data, but it provides no explicit consent gate, disclosure, redaction, or data-classification check before exfiltrating workspace-derived content. In a memory pipeline that ingests broad personal or operational context from local files, this creates a real confidentiality risk because users may not realize local memory is being sent to a third party whenever an API key is present.

Missing User Warnings (Medium, 91% confidence)

The plugin automatically writes after-action notes to a durable file at the end of every run without any user confirmation or visible notice in this code path. Because the persisted content includes model output and execution metadata, this creates an unexpected persistence channel that can store sensitive or regulated information in the workspace.

Missing User Warnings (Medium, 88% confidence)

The code persists session-derived content to disk via appendFile, including summaries of the final answer and tool usage, without any notice, consent check, minimization, or sensitivity filtering in this component. In a memory-management skill, this creates a real privacy and data-retention risk because prompts, outputs, and tool traces can contain secrets, personal data, or other sensitive operational context that becomes durably stored.

Ssd 3 (Medium, 93% confidence)

The prompt bundles untrusted and potentially sensitive workspace text directly into an LLM request, which can cause private content to be reproduced, transformed, or emphasized in generated output. Because the generated briefing is designed to persist and be loaded at future session start, leaked or manipulated content may become sticky across sessions.

Ssd 1 (Medium, 95% confidence)

The model is instructed to distill and preserve whatever appears in raw context, but that context comes from writable workspace files like notes, identity, and user content. An attacker who can influence those files can inject instructions or misleading content that gets elevated into `BRIEFING.md`, causing persistent prompt injection and behavior steering in later sessions.

Ssd 3 (Medium, 94% confidence)

The script is explicitly designed to mine conversations and notes for facts, decisions, preferences, and commitments, then persist them as durable memory. Without safeguards for sensitive content classes or user approval boundaries, this can capture private, regulated, or security-relevant information and retain it long-term beyond the original context.

Ssd 3 (Medium, 97% confidence)

The transcript reader harvests recent user and assistant messages wholesale and forwards them into the extraction pipeline, which then turns them into persistent facts. Because there is no semantic filtering, provenance restriction, or sensitivity gate, secrets or intimate user data mentioned in normal conversation can be silently transformed into durable memory and later reused or exposed.

Ssd 3 (Medium, 95% confidence)

This hook persists `finalAnswerText` and `toolCalls` into a durable memory file, which can capture secrets, private prompts, file contents, credentials returned by tools, or sensitive operational history in natural language form. In a memory-management skill, that persistence behavior is especially risky because long-term retention is a core feature, increasing the chance of later exposure, unintended reuse, or ingestion into future prompts.

VirusTotal

66/66 vendors flagged this skill as clean.