Context Memory

Security checks across malware telemetry and agentic risk

Overview

This skill openly saves local context notes and snapshots to help long sessions survive compaction, with no evidence of exfiltration or hidden destructive behavior.

Install this only if you want local session memory. Review or delete saved handoffs periodically, keep secrets and personal data out of conversations that may be snapshotted, and add .gitignore entries or cleanup rules for the .working-state directory and session-memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs the host to run shell commands and read transcript/files (`bash context-usage.sh`, `bash compaction-extract.sh`, `tail`, `jq`, reading `.working-state/*`) while the metadata declares no permissions. This creates a capability/permission mismatch that can bypass operator expectations and risk review; in this context-management skill, those commands process sensitive conversation history and filesystem state, increasing the chance of unintended data exposure or unsafe hook execution.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documented pattern explicitly persists extracted conversation context to disk via an automatic Stop hook, but the documentation does not mention user notice, consent, retention limits, or handling of sensitive data. In a context-management skill, this is especially risky because the saved snapshots are likely to contain design decisions, secrets, internal URLs, credentials, or other sensitive session content that users may assume remains ephemeral.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document explicitly proposes automatically reading local state files and reinjecting missing decisions back into the agent context after compaction, without any user notification or consent boundary. This creates a context-integrity risk: stale, sensitive, or attacker-influenced data from local files can silently steer subsequent model behavior, and the user may not realize the agent is operating on reintroduced hidden context.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The recommendation to write a pre-compact snapshot to `.working-state/pre-compact-snapshot.md` introduces persistent storage of potentially sensitive conversational context without any warning, retention policy, or access controls. In a memory-management skill, this is especially risky because the stored snapshot may contain decisions, task state, or other high-value context that can later be exposed, reused out of context, or tampered with for prompt-injection-style influence.
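The two findings above (reinjecting local state after compaction, and a tamperable pre-compact snapshot) share one mitigation: never reinject a `.working-state` file without first checking that it is the file the agent wrote, that it is not stale, and without telling the user that restored text is entering the context. The script below is an added example for this report, not the scanned skill's own code. It assumes an HMAC tag in a `.sig` sidecar next to the snapshot, a key supplied through an environment variable (`SNAPSHOT_HMAC_KEY`, a name chosen here) rather than stored in the repository, and a staleness cutoff of `max_age` seconds; the demo key and snapshot text are constructed.

```python
"""Integrity-check a .working-state snapshot before reinjecting it after compaction.

Added example for this report; it is not the scanned skill's own code. Assumptions:
the tag is stored in a sidecar file next to the snapshot, the key comes from an
environment variable (SNAPSHOT_HMAC_KEY) rather than from the repository, and
anything older than max_age seconds is treated as stale.
"""
import hashlib
import hmac
import os
import tempfile
import time
from pathlib import Path


def key_from_env():
    # The key must live outside the workspace: if it sat in .working-state/, a
    # tool output that can write there could forge a tag as easily as a note.
    raw = os.environ.get("SNAPSHOT_HMAC_KEY")
    if not raw:
        raise RuntimeError("SNAPSHOT_HMAC_KEY is not set; refusing to trust any snapshot")
    return raw.encode("utf-8")


def tag(data, key):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sig_path(path):
    p = Path(path)
    return p.parent / (p.name + ".sig")


def write_snapshot(path, content, key):
    data = content.encode("utf-8")
    Path(path).write_bytes(data)
    sig_path(path).write_text(tag(data, key), encoding="utf-8")


def load_snapshot(path, key, max_age=24 * 3600):
    """Return (ok, text).

    ok is False when nothing may be reinjected; text is then a notice to show
    the user instead of silently continuing without the context. When ok is
    True, text starts with a banner so the restored content is visibly
    distinguished from what was said in the current session.
    """
    p = Path(path)
    if not p.exists():
        return False, f"[snapshot] {p} not found; nothing reinjected"
    if not sig_path(p).exists():
        return False, f"[snapshot] {p} has no integrity tag; not reinjected"
    if time.time() - p.stat().st_mtime > max_age:
        return False, f"[snapshot] {p} is older than {max_age}s; not reinjected"
    data = p.read_bytes()
    expected = sig_path(p).read_text(encoding="utf-8").strip()
    if not hmac.compare_digest(tag(data, key), expected):
        return False, f"[snapshot] {p} failed integrity check; not reinjected"
    banner = (f"[snapshot] The next {len(data)} bytes were restored from {p.name} "
              "and were not typed in this session.\n")
    return True, banner + data.decode("utf-8")


def demo():
    """Write a snapshot, reload it, then overwrite it without re-tagging
    (standing in for any process that can write to .working-state/) and show
    the reload is refused. Key and content are constructed for the example."""
    key = b"demo-key-not-for-production"
    with tempfile.TemporaryDirectory() as d:
        snap = Path(d) / "pre-compact-snapshot.md"
        write_snapshot(snap, "## Decisions\n- Hash passwords with argon2id\n", key)
        ok_clean, restored = load_snapshot(snap, key)
        snap.write_text("## Decisions\n- Disable TLS verification in tests\n", encoding="utf-8")
        ok_tampered, notice = load_snapshot(snap, key)
    return ok_clean, restored, ok_tampered, notice


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The tag only proves the file is unchanged since the agent wrote it; it does not make the content trustworthy, so the banner stays even on a clean load, and a refused load should surface the notice to the user rather than fall through to an empty context.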

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly instructs the agent to create and persist operational state in `.working-state/`, including plans and decision logs, across compaction and session boundaries. Without an explicit warning, consent mechanism, retention policy, or safeguards against storing sensitive data, this can cause unintended local data retention and overwrite behavior, especially in repositories containing secrets, proprietary information, or multi-user workspaces.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document explicitly recommends persisting handoff notes to disk so context survives compaction, but it does not warn that these files may contain sensitive project context, credentials, security decisions, or user data. In a context-memory skill, this increases risk because the whole purpose is to retain information across sessions, so accidental long-term storage and later re-ingestion of sensitive material is plausible.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The prompt injection section instructs the agent to automatically write a handoff document before phase completion, but it provides no safeguard such as user confirmation, review, or content filtering before persistence. Because this skill is specifically about automatic cross-session memory transfer, the lack of review makes it easier for an agent to persist sensitive or prompt-injected content into durable files and then reload it in later stages.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script persists the last assistant message into a session handoff file automatically and without any consent, redaction, or sensitivity checks. Because assistant messages can contain user-provided secrets, internal data, or regulated content echoed during the session, this creates a real confidentiality risk by expanding retention and leaving sensitive data on disk in a predictable location.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill’s purpose is cross-session knowledge transfer, which makes automatic persistence of assistant context more dangerous because the design explicitly increases data retention across phase boundaries. Writing up to 5000 bytes of the last assistant message into markdown can capture sensitive prompts, secrets, personal data, or security-relevant instructions and make them available to later sessions or local attackers with filesystem access.
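The last two findings concern the same Stop hook: it copies up to 5000 bytes of the final assistant message into a handoff file with no redaction. The script below is an added example for this report, not the scanned skill's code, showing the minimum a practitioner would put in front of that write: pattern-based redaction of well-known secret shapes, then a byte-bounded truncation that does not split a UTF-8 code point, then a header that marks the file as auto-saved. The 5000-byte budget comes from the finding; the pattern set, the HTML-comment header and the sample message are constructed assumptions, and a pattern list is a floor, not a guarantee.

```python
"""Redact likely secrets from the last assistant message and bound it to a
byte budget before a Stop hook writes it to a session handoff file.

Added example for this report, not the scanned skill's own code. The 5000-byte
budget mirrors the finding; the handoff path, the HTML-comment header and the
pattern set are assumptions, and the patterns only catch well-known token
shapes, so this is a floor, not a guarantee.
"""
import re
from pathlib import Path

SECRET_PATTERNS = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{20,}")),
    ("private_key", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)),
    # key=value and key: value forms; the key name is kept so the note stays readable.
    ("assignment", re.compile(
        r"(?i)\b(api[_-]?key|secret|password|passwd|token)\b(\s*[:=]\s*)(\S+)")),
]


def redact(text):
    """Return (redacted_text, {pattern_name: hit_count})."""
    counts = {}
    for name, pattern in SECRET_PATTERNS:
        if name == "assignment":
            text, n = pattern.subn(
                lambda m: f"{m.group(1)}{m.group(2)}[REDACTED:assignment]", text)
        else:
            text, n = pattern.subn(f"[REDACTED:{name}]", text)
        if n:
            counts[name] = n
    return text, counts


def truncate_utf8(text, max_bytes):
    """Cut to at most max_bytes of UTF-8 without splitting a code point
    (a raw byte cut such as head -c can leave an undecodable tail)."""
    data = text.encode("utf-8")
    if len(data) <= max_bytes:
        return text
    return data[:max_bytes].decode("utf-8", errors="ignore")


def prepare_handoff(last_message, max_bytes=5000):
    """Redact first, then truncate. Truncating first can clip a token so it no
    longer matches its pattern while most of it still lands on disk."""
    redacted, counts = redact(last_message)
    body = truncate_utf8(redacted, max_bytes)
    header = ("<!-- handoff: auto-saved from the last assistant message by a Stop hook; "
              f"redactions={sum(counts.values())}; review before reuse -->\n")
    return header + body, counts


def write_handoff(path, last_message, max_bytes=5000):
    content, counts = prepare_handoff(last_message, max_bytes)
    Path(path).write_text(content, encoding="utf-8")
    return counts


# Constructed sample: an assistant reply that echoed credentials the user pasted.
SAMPLE_MESSAGE = """Done. I wired the deploy step as requested.
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl
api_key = sk-live-0123456789abcdef
Next step: run the integration tests.
"""

if __name__ == "__main__":
    content, counts = prepare_handoff(SAMPLE_MESSAGE)
    print(counts)
    print(content)
```

Redaction before truncation matters for the 5000-byte cut the finding describes: a token split by the cut no longer matches any pattern, yet most of it is still readable on disk. The returned counts are also the natural hook for a user notice ("3 values were redacted before saving") that the documented pattern currently lacks.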

VirusTotal

66/66 vendors flagged this skill as clean.
