Memory Garden - Validated Community Memory

Security checks across malware telemetry and agentic risk

Overview

Memory Garden is a coherent local memory skill, but it runs a local daemon and can reuse stored knowledge in future prompts.

Install only if you are comfortable with a local memory daemon that can add stored patterns into future prompts. Keep extraction and sync disabled unless you intentionally want conversation-derived patterns stored or shared, verify the mg-daemon binary source or hash, and periodically review ~/.memory-garden for saved data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding:
The skill advertises and operationally uses privileged capabilities including environment variables, local HTTP networking, and shell/process execution, yet no explicit permissions are declared. This creates a transparency and policy-enforcement gap: users and platforms cannot accurately review or constrain what the skill can do before installation, increasing the chance of unexpected daemon startup, local service access, and file/system side effects.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The skill's stated purpose emphasizes local-first validated knowledge, but the described behavior goes substantially further by automatically injecting retrieved context into prompts, spawning and managing a daemon, persisting keys and data, and performing signed communications. This mismatch is security-relevant because users may grant trust based on a narrower mental model while the skill actually alters model inputs, stores identity material, and operates background services that can affect confidentiality, integrity, and user control.

Missing User Warnings

Medium
Confidence: 90%
Finding:
beforeQuery automatically sends the user's query to the daemon for search augmentation, then injects returned community knowledge into the prompt without any direct user-facing notice or consent at the point of use. This creates a privacy and prompt-integrity risk: sensitive user input may be disclosed externally, and untrusted retrieved text can influence model behavior.

Missing User Warnings

Medium
Confidence: 97%
Finding:
afterResponse automatically submits the full query and model response for pattern extraction, which can leak sensitive conversation content to the daemon or downstream services without a direct warning. Because this occurs post-response and fails silently, users may be unaware that private material is being harvested and stored.

Missing User Warnings

Medium
Confidence: 88%
Finding:
The skill automatically transmits full conversation content and the user query to a daemon via `extractPatterns()`/`callMcpTool()` during `afterResponse()` without any visible consent gate or minimization at the call site. Even if the daemon is local-first, this still moves potentially sensitive prompts and model outputs into another service boundary, increasing privacy and data-handling risk if the daemon is misconfigured, logs requests, or forwards data onward.

Missing User Warnings

Medium
Confidence: 90%
Finding:
`beforeQuery()` automatically sends raw user query text to the daemon for search augmentation before the query reaches the LLM, with no explicit warning or consent at the invocation point. This creates a privacy exposure because sensitive prompts may be disclosed to an auxiliary service transparently, and the fail-open behavior prioritizes convenience over informed user control.

Ssd 3

Medium
Confidence: 98%
Finding:
The code creates a natural-language data exfiltration path by automatically forwarding both user queries and model responses to pattern extraction. In an agent setting, users may paste credentials, internal documents, or regulated data into prompts, so this silent forwarding materially increases confidentiality risk.

VirusTotal

65/65 vendors flagged this skill as clean.
