Agents Refresh MD v1.1.2 🐾

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it advertises, but it creates recurring automation that can repeatedly read personal/context logs and rewrite persistent agent memory files.

Install only if you intentionally want an agent to maintain persistent memory on a schedule. Before enabling the cron task, review exactly which files it can read and write, keep MEMORY.md/HEARTBEAT.md under version control or backups, avoid storing secrets or sensitive personal details in USER.md or memory logs, and periodically inspect or disable the scheduled job if the summaries drift or are no longer wanted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The manifest description materially expands the skill from a narrow context-refresh utility into broader memory extraction and lesson/idea-seed distillation. This mismatch is dangerous because it can hide actual data-processing behavior from reviewers and users, increasing the chance that the skill reads and transforms conversational logs or memory files beyond the expected scope.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The scheduled task says it will distill yesterday's logs and update MEMORY.md, which diverges from the advertised purpose of periodically reloading identity/context files and editing HEARTBEAT.md. A scheduled action with broader autonomous behavior is risky because users may authorize recurring processing under false assumptions, enabling unintended retention, summarization, or alteration of memory data.

Missing User Warnings

Medium
Confidence: 88%
Finding
The README explicitly advertises automatic and manual modification of user-maintained files such as MEMORY.md and HEARTBEAT.md, but it does not clearly warn users that installing or invoking the skill can overwrite or alter persistent context files. In a memory-management skill, silent or poorly disclosed writes are risky because they can change agent behavior over time, corrupt user-authored state, or cause unintended persistence via cron-driven updates.

Natural-Language Policy Violations

Medium
Confidence: 91%
Finding
The skill explicitly frames the agent around an 'immutable soul' and 'human-like continuity' model without any user opt-in or boundary-setting. This can bias agent behavior, encourage anthropomorphic persistence, and cause the agent to treat stale persona/memory files as authoritative across tasks, which is risky in multi-user or changing-context environments.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill directs edits to HEARTBEAT.md and installation of a recurring cron job, both of which create persistent state and automated future behavior, but it does not present a clear warning or consent step for those system changes. This is dangerous because a user may invoke the skill expecting transient assistance, while it silently establishes durable automation that continues to read and summarize files later.

Missing User Warnings

Medium
Confidence: 88%
Finding
The example text encourages automated updates to MEMORY.md and ToDo/task data via cron without any caution, approval boundary, or validation step. In an agent skill, this can normalize unattended modification of user/project state, increasing the chance of unintended file changes, stale or incorrect summaries overwriting useful context, or propagation of manipulated task data across long-running sessions.

Ssd 3

Medium
Confidence: 95%
Finding
The description promotes repeated reading of USER.md and summarization of memory and logs into durable markdown files, creating a built-in data retention pipeline. That can capture sensitive user information, operational details, or private context from prior sessions and preserve it beyond the original need, increasing exposure in case of later access or misuse.

Ssd 3

Medium
Confidence: 97%
Finding
The workflow and cron payload explicitly instruct repeated reads of AGENTS.md, IDENTITY.md, SOUL.md, USER.md, and recent logs, then durable summarization into MEMORY/ToDo artifacts. In context, the scheduled and repeated nature of this collection makes the data retention risk more serious because it continuously re-ingests potentially sensitive content without a fresh user decision each time.

VirusTotal

65/65 vendors flagged this skill as clean.