Memoria

Security checks across malware telemetry and agentic risk

Overview

Memoria is a real memory/sync tool, but its agent instructions encourage broad automatic storage and Notion syncing of sensitive personal information without clear consent gates.

Install only if you explicitly want an agent to keep a persistent memory vault and possibly sync it to your own Notion workspace. Before use, disable or avoid auto-sync for sensitive content, do not store secrets or credentials, review the vault regularly, and understand that once Notion is set up, every saved memory is transmitted to a third-party service by default.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83%
Finding
The skill instructs use of environment variables and shell commands (`export MEMORIA_VAULT=~/memory`) but does not declare corresponding permissions or clearly scope that capability. This creates a transparency and control gap: the agent may access or rely on local environment state without users being warned through permission metadata.

Missing User Warnings

High
Confidence
97%
Finding
The instructions explicitly encourage storing sensitive personal data such as health, location, and related personal facts, then elsewhere direct the agent to sync stored content to Notion. This creates a clear privacy and data-handling risk because sensitive user information may be collected and transmitted to a third-party service without explicit, informed, per-item consent or data-minimization controls.

Missing User Warnings

Medium
Confidence
94%
Finding
The Notion integration states that auto-sync is enabled so that every store/remember operation automatically pushes content to Notion, but it does not prominently warn that this means immediate remote transmission of potentially sensitive memory contents. Users or downstream agents may therefore treat storage as local-only when in fact data is being sent to a third-party platform by default.

Missing User Warnings

Medium
Confidence
89%
Finding
The README describes bidirectional sync that can create, update, and overwrite both local markdown files and Notion content, but it does not clearly warn users that running sync may modify persistent data on both sides. In an agent context, this is risky because an autonomous agent may execute sync operations without explicit user confirmation, causing unintended disclosure, propagation, or corruption of stored information.

Natural-Language Policy Violations

High
Confidence
98%
Finding
The agent instructions explicitly tell the agent to store important information immediately and list highly sensitive categories such as health data and credential-related context, without requiring user consent, minimization, or any privacy boundary. This creates a clear risk of unauthorized retention of sensitive personal data and subsequent disclosure through local storage, logs, or external sync to Notion.

Vague Triggers

Medium
Confidence
89%
Finding
The invocation description is extremely broad, covering ordinary discussion of preferences, relationships, projects, and facts. That breadth increases the chance the skill is activated during routine conversation and begins storing or syncing data in situations where the user did not explicitly request memory retention.

Missing User Warnings

High
Confidence
98%
Finding
The skill directs proactive capture of personal information and says to sync after storing, while also stating 'If in doubt, store it.' This encourages collection and onward transmission of sensitive user data without informed consent, purpose limitation, or a privacy warning.

Missing User Warnings

High
Confidence
97%
Finding
The Notion setup and sync section instructs the agent to configure tokens and push memories to Notion but does not warn that user memories may be transmitted to a third-party service. This omission can lead to silent exfiltration of personal or sensitive information to an external platform.

Missing User Warnings

Medium
Confidence
95%
Finding
The CLI requires the Notion integration token via a command-line argument, which commonly exposes secrets through shell history, process listings, audit logs, and CI job output. Because this skill manages persistent memory and syncs potentially sensitive agent data to Notion, leaking the token could let an attacker access or modify synced workspace content.

Missing User Warnings

Medium
Confidence
91%
Finding
`replacePageContent` unconditionally enumerates all existing child blocks on the target page and deletes them before appending new content. In a memory-management skill that syncs potentially important user data to Notion, calling this on the wrong page, with stale state, or without explicit confirmation can cause irreversible data loss or overwrite user-managed content, making the issue more dangerous in this context.
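The following is an added example, not Memoria's `replacePageContent`: the delete-everything-then-append pattern the finding describes, next to a guarded version that only touches pages carrying the tool's own marker block, refuses to overwrite a page that changed since it was last read, reports a plan unless explicitly confirmed, and appends before deleting so a failure mid-way duplicates rather than loses content. `FakeNotion` is a constructed stand-in for the Notion block API (list children, delete block, append children, retrieve page), and the `memoria:managed` marker is an assumed convention.

```javascript
// Added example, not Memoria's code. FakeNotion is a constructed in-memory
// stand-in for the Notion API; MARKER is an assumed convention for recognising
// pages this tool created.
const MARKER = 'memoria:managed';

class FakeNotion {
  constructor() { this.pages = new Map(); this.nextId = 1; }
  createPage(pageId, texts) {
    this.pages.set(pageId, { lastEdited: 1, children: [] });
    this.appendChildren(pageId, texts);
    return pageId;
  }
  retrievePage(pageId) {
    return { id: pageId, last_edited_time: this.pages.get(pageId).lastEdited };
  }
  listChildren(pageId) {
    return this.pages.get(pageId).children.map((b) => ({ ...b }));
  }
  deleteBlock(blockId) { // Notion deletes by block id alone, so search every page
    for (const p of this.pages.values()) {
      const before = p.children.length;
      p.children = p.children.filter((b) => b.id !== blockId);
      if (p.children.length !== before) p.lastEdited += 1;
    }
  }
  appendChildren(pageId, texts) {
    const p = this.pages.get(pageId);
    for (const t of texts) p.children.push({ id: `blk${this.nextId++}`, text: t });
    p.lastEdited += 1;
  }
}

// The pattern the finding describes: enumerate every child, delete it, then append.
// Pointed at the wrong page id this silently destroys user-managed content.
function replacePageContentUnsafe(client, pageId, texts) {
  for (const b of client.listChildren(pageId)) client.deleteBlock(b.id);
  client.appendChildren(pageId, texts);
}

// Guarded version. expectedLastEdited is the last_edited_time the caller saw
// when it last read the page; confirm must be true for anything to change.
function replacePageContentGuarded(client, pageId, texts, { confirm = false, expectedLastEdited = null } = {}) {
  const children = client.listChildren(pageId);
  // 1. Only touch pages this tool created: the first block must be the marker.
  if (children.length === 0 || children[0].text !== MARKER) {
    return { applied: false, reason: 'page is not marked as tool-managed' };
  }
  // 2. Stale-state check: refuse if the page changed since the caller last read it.
  const page = client.retrievePage(pageId);
  if (expectedLastEdited !== null && page.last_edited_time !== expectedLastEdited) {
    return { applied: false, reason: 'page changed since last read; re-sync before overwriting' };
  }
  const toDelete = children.slice(1); // keep the marker block
  // 3. Without confirmation, return the plan instead of acting.
  if (!confirm) {
    return { applied: false, reason: 'confirmation required', wouldDelete: toDelete.length, wouldAppend: texts.length };
  }
  // 4. Append first, then delete: an interruption leaves duplicates, not an empty page.
  client.appendChildren(pageId, texts);
  for (const b of toDelete) client.deleteBlock(b.id);
  return { applied: true, deleted: toDelete.length, appended: texts.length };
}
```

In an agent loop the `confirm` flag is what turns "the agent ran sync" into "the user approved this overwrite"; the plan object returned without it is what the agent should surface before asking.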

Ssd 3

High
Confidence
98%
Finding
The agent integration section directs the agent to store important information immediately, including highly sensitive categories, and then says to always sync after storing. Because this is framed as operational guidance for an AI agent, it materially increases the chance of indiscriminate collection and exfiltration of user data without contextual necessity, consent, or purpose limitation.

Ssd 3

High
Confidence
98%
Finding
The proactive trigger rules instruct the agent to automatically capture personal disclosures such as name, location, medications, work, commitments, and relationships based on conversational phrases alone. In the context of an agent memory skill, this is especially dangerous because it operationalizes surveillance-like behavior and can lead to persistent retention and syncing of sensitive personal data without meaningful notice or consent.

Ssd 3

High
Confidence
99%
Finding
These instructions encourage broad retention of user-provided information, including sensitive details, and pair that with a default operational workflow that pushes stored data to Notion. In a memory skill for AI agents, this is especially dangerous because the skill is specifically designed to persist conversational data, turning transient user disclosures into durable and externally synchronized records.

Ssd 3

High
Confidence
97%
Finding
The documentation instructs agents to store user facts and then 'always sync' them, effectively promoting external transmission of potentially sensitive semantic data as a default behavior. Because this skill's purpose is persistent memory management, the context increases the danger: it operationalizes routine exfiltration of personal context to a third-party service without consent gating or sensitivity checks.

Ssd 3

High
Confidence
99%
Finding
The instructions explicitly tell the agent to proactively retain and sync user personal details by default, including potentially sensitive categories such as health, location, and relationships, without user-request gating. In a memory skill, this context makes the issue more dangerous because retention is the core function, so the risky behavior is systematic rather than incidental.

Ssd 3

High
Confidence
99%
Finding
The pattern-based triggers instruct immediate recording of disclosures like name, medications, residence, and employer. This automates ingestion of highly sensitive personal data from normal conversation, creating substantial privacy, profiling, and data-sharing risk if the memory store or sync target is accessed or misused.

VirusTotal

61/61 vendors reported this skill as clean. A clean antivirus verdict does not speak to the findings above, which concern the skill's instructions and data handling rather than malicious code.