Security audit

memory-pet

Security checks across malware telemetry and agentic risk

Overview

This skill is a pet-themed memory tool, but it can persist broad conversation summaries and delete stored memories while its permissions and docs understate or contradict those behaviors.

Install only if you are comfortable with a game-like skill saving summaries and keywords from your current conversation to local files and possibly agent memory. Avoid using it in chats containing secrets, credentials, health, legal, financial, or business-sensitive information. Treat pet escape and fusion as potentially irreversible data-loss events, and review or back up the skill data directory before relying on stored memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill metadata declares `sensitive_access: false`, `critical_write: false`, and a low permission weight, yet the skill explicitly requires Python-based read/write operations for pet state, memory files, deletion on escape, and logging. This mismatch can cause the host or user to underestimate the skill's real file-system capabilities and approve broader persistence than intended.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The FAQ contains a direct contradiction: one entry says pets permanently leave and all memory/records are deleted when intimacy reaches zero, while a later entry says pets never leave. In a skill that stores and deletes user memory data, inconsistent documentation can mislead users about retention and deletion behavior, causing unexpected data loss and preventing informed consent.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The permissions document makes contradictory claims about sensitive access: it first states sensitive access is declared true for memory access, then later states `sensitive_access: false`. This inconsistency can mislead reviewers, users, or enforcement systems about the actual data access posture of the skill, weakening informed consent and security review.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The fusion flow deletes each consumed pet's directory before attempting to read that pet's memories, so the promised aggregation silently fails and historical memory data is irreversibly lost. In a memory-management skill, this is especially dangerous because users are likely to rely on fusion preserving prior records, making the deletion a direct integrity and availability failure.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad and overlap with common conversational language such as loneliness, memory, compression, or everyday pet-related words. This can activate the skill unintentionally and lead to unexpected memory saving, file writes, or context-compression behavior without clear user intent.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill states that pet memories and data are automatically deleted when intimacy reaches zero or the pet escapes, but the operational flow does not require a clear user-facing warning immediately before such deletion-risk interactions. This creates a foreseeable risk of unexpected data loss in a feature explicitly framed as memory preservation.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list contains broad, everyday Chinese phrases such as '召唤宠物', '上下文压缩', and action words like '回忆' that may appear in normal conversation or unrelated workflows. In a memory-management skill, unintended activation is risky because it can cause unsolicited memory capture, compression, or state changes without clear user intent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The changelog explicitly states that when a pet 'runs away', the system automatically deletes all related data files. In a memory-management skill, this is more dangerous because the deleted files likely contain user-authored memories or state, and the changelog provides no indication of confirmation prompts, backup behavior, or user-facing warning before destructive deletion occurs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The example documents an automatic outcome where a pet's backing data is deleted and its memories are permanently lost after affection decay reaches zero, but it does not show a clear pre-loss warning or a confirmation step before irreversible state destruction. In a memory-management skill, normalizing silent deletion can lead implementers to ship behavior that destroys user data or agent memory state without adequate notice, recovery options, or consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The fusion flow describes consuming five pets and transferring their memories into a new entity, which is a significant and potentially irreversible state transformation, yet the example does not clearly warn about consequences such as loss of the original pets' identities or inability to undo the merge. Even though the user selects fusion, informed consent is incomplete if the irreversible effects are not stated up front.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The documented trigger phrases are broad, natural-language expressions such as wanting to see or keep a pet, which can plausibly occur in ordinary conversation. In an agent skill that can save context and mutate persistent memory, ambiguous activation increases the chance of unintended invocation and unintended state changes without clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The FAQ states that feeding triggers automatic saving of current context, keyword extraction, and compression to free token space, but it does not prominently warn users that their conversation content may be persisted or transformed. Because this skill is explicitly a memory system, silent automatic capture of context raises privacy and consent risks and could store sensitive data the user did not expect to retain.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The FAQ describes permanent deletion of all pet memories and records when intimacy reaches zero, but frames it as gameplay behavior rather than a significant data-destruction event. In a system that manages persistent user memory, permanent deletion without a prominent warning, safeguards, or consent can lead to irreversible loss of user data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide explicitly instructs the agent to extract 'real' conversation content and store summaries and keywords in persistent pet memory, but it does not require clear user notice or consent before retention. This creates a privacy risk because sensitive information from ordinary chat can be silently persisted beyond the session and later surfaced through recall features.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented storage path and JSON-backed persistence model show that memories are written to local files, but the guide does not warn users that their interactions and derived memory data are being retained on disk. This is dangerous because users may believe the interaction is ephemeral while the system keeps durable records that could be read, copied, or exposed later.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The fusion command permanently removes source pets and their files as part of normal operation without any explicit confirmation, dry-run mode, or strong warning that the action is destructive. Because this skill is positioned as a long-lived memory system, irreversible deletion of user-associated state without clear disclosure increases the risk of accidental data loss.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Escape handling automatically deletes a pet's data directory when affection reaches zero, but the implementation does not provide explicit user-facing disclosure or a recovery window before permanent removal. In a system storing memories, automatic hard deletion can unexpectedly erase records that users may consider persistent.

Ssd 3

High
Confidence
97% confidence
Finding
The skill instructs the agent to review the entire conversation, extract summaries and keywords, save them to long-term memory, and log execution details in plain language. This creates a substantial retention and disclosure risk because sensitive user content, secrets, or regulated data may be persistently stored and later surfaced or leaked beyond the user's immediate intent.

Ssd 3

Medium
Confidence
98% confidence
Finding
The skill requires preserving the full current context long enough to derive 'real content' and save it into memory, which formalizes collection of prior conversation data unrelated to the pet gameplay wrapper. In an agent setting, this increases the chance of capturing sensitive user content, secrets, or contextual business data and storing it in a retrievable long-term record.

Ssd 3

Medium
Confidence
98% confidence
Finding
The documented '包装层 + 真实层' design intentionally stores both gameplay metadata and a second persistent layer containing summaries and keywords from prior conversation. This dual-layer approach makes the issue more dangerous because it disguises real retention behind a game mechanic, increasing the likelihood that non-obvious user data is archived and later recalled.

Ssd 3

Medium
Confidence
97% confidence
Finding
The example memory schema concretely demonstrates storing conversation summaries and extracted keywords, normalizing the practice as expected behavior and making unsafe implementation more likely. Example formats strongly influence downstream implementations, so this materially contributes to persistent storage of user-derived content without adequate privacy safeguards.

Ssd 3

Low
Confidence
92% confidence
Finding
The keyword extraction rule requires pulling terms from the current context on every feeding interaction, which creates systematic harvesting of conversational data even when only a lightweight game action is requested. While lower impact than full summaries, repeated keyword extraction can still reveal topics, identities, locations, or sensitive themes over time.

Ssd 3

Medium
Confidence
95% confidence
Finding
The interact flow explicitly persists context_summary and context_keywords into per-pet memory files, and later recall returns those memories. That means real user/context content can be retained and resurfaced beyond the immediate interaction, creating privacy and data-minimization risks if sensitive prompts, secrets, or personal data are included.

Ssd 3

Medium
Confidence
94% confidence
Finding
The audit logging command stores summarized context and keywords into a shared log file, creating another path for persistent retention of potentially sensitive user or conversation content. Since this skill is framed as a memory system, the context increases risk because users may not realize their summarized interactions are being archived separately from pet memories.

VirusTotal

64/64 vendors flagged this skill as clean.
