Triple Memory

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate memory skill, but it tells agents to silently save and reuse persistent context while enabling broad automatic memory capture and workspace search.

Install only if you intentionally want automatic persistent memory. Before enabling it, review the dependent memory tools, decide what categories may be stored, disable or constrain auto-capture for sensitive work, avoid putting API keys in shared files, and make sure users can inspect, edit, and delete saved memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The skill explicitly instructs the agent to perform memory operations silently and not disclose storage to users. This is dangerous because it enables retention of user-provided information across sessions without informed consent or visibility, increasing privacy, compliance, and trust risks.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The skill describes automatic capture of preferences, decisions, and facts into persistent memory without warning users that their information may be stored. Broad, background persistence of conversational data can capture sensitive personal or organizational information unintentionally, creating privacy and data governance exposure.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding:
The listed triggers such as "remember," "prefer," "my X is," and "I like/hate/want" are so broad that they are likely to match ordinary conversation rather than deliberate memory-save requests. This raises the chance of over-collection, storing inaccurate transient statements, or capturing sensitive data that the user did not intend to persist.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The setup template explicitly instructs the agent to run a sync command "silently," which encourages hidden state-changing behavior in the repository or memory backend without user awareness. In a memory skill, silent synchronization can modify notes or metadata stores and obscure when persistent context is being read or written, weakening user consent and auditability.

Natural-Language Policy Violations

Severity: Medium
Confidence: 97%
Finding:
Directing an agent to perform an action silently is itself a risky control pattern because it normalizes concealed behavior and bypasses informed user oversight. Even if the command is operationally legitimate, hiding it in an agent workflow increases the chance that repository changes, memory updates, or data pulls occur without the user realizing a persistent side effect has happened.

Missing User Warnings

Severity: Low
Confidence: 94%
Finding:
The script writes query results to a predictable path in /tmp, which is globally accessible on many systems and vulnerable to disclosure, tampering, or symlink attacks. Because this skill is explicitly a memory system handling persistent agent context, the temporary file may contain sensitive workspace data, making the exposure more serious than a generic low-severity temp-file usage issue.

Ssd 3

Severity: Medium
Confidence: 98%
Finding:
The instruction to silently retain user information across sessions removes transparency and user awareness around persistence. In the context of a memory skill, this makes the behavior more dangerous because cross-session retention is the core function and can accumulate personal, confidential, or regulated data over time.

Ssd 3

Severity: Medium
Confidence: 94%
Finding:
The configuration enables both autoRecall and autoCapture for a persistent memory system without defining boundaries for sensitive data, retention, or filtering. In this skill context, that is especially dangerous because the tool is designed to aggregate cross-session context, so it can unintentionally store secrets, personal data, or sensitive workspace content and then surface it later in unrelated prompts or contexts.

VirusTotal

63/63 vendors flagged this skill as clean.
