memory-attention-router

Security checks across malware telemetry and agentic risk

Overview

This skill is a local memory system, but it can automatically save and expose long-lived user and task memories with weak scoping and safeguards.

Review before installing. Use it only if you want an agent to keep durable local memory, and avoid letting it store secrets, credentials, private customer data, or sensitive personal details. Check where MAR_DB_PATH points, inspect saved memories periodically, and require explicit approval for memory writes, replacements, or deletions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Memory Poisoning: Persistent Context Injection, Context Window Stuffing, Memory Manipulation
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 83%
Finding: The skill instructs the agent to execute a local Python script, read routed memory packets, inspect stored memories, and use an environment variable (`MAR_DB_PATH`) to determine the database location, yet no permissions are declared. This creates a capability/expectation mismatch: a caller or framework may treat the skill as low-risk while it actually requires file and environment access, increasing the chance of unauthorized local data exposure or unsafe execution in less-restricted contexts.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The condition 'whenever an agent step needs a compact working-memory packet instead of raw history or plain RAG' is subjective and lacks operational boundaries. Ambiguous self-activation criteria can make the skill invoke itself broadly across many tasks, expanding access to stored memories and increasing the chance of context contamination, privacy leakage, or unintended persistence of transient information.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The dedicated trigger-cues section reinforces the same broad activation terms and says to 'trigger immediately' without providing limiting context, exception cases, or disambiguation rules. In a memory-writing skill, overbroad immediate triggering is especially risky because accidental activation can both retrieve prior sensitive memory and persist new data based on casual phrasing.

Ssd 3

Severity: Medium
Confidence: 95%
Finding: This code persists user/task-derived content directly into long-lived SQLite tables as reflection summaries and working-memory packets, then exposes that content through broad list/inspect commands without any access control, redaction, minimization, or sensitivity filtering. In a memory-routing skill, retaining and later surfacing prior prompts, failures, constraints, and preferences can disclose sensitive user data, secrets, or internal workflow context to later callers or other agent steps.

Memory Manipulation

Severity: High
Category: Memory Poisoning
Content:

## Trigger cues

Trigger immediately when the user states a durable rule or asks to preserve or replace memory, especially with phrases like:

- from now on
- remember this

Confidence: 87%
Finding: replace memory

VirusTotal

61/61 vendors flagged this skill as clean.