Bulletproof Memory 1.0.0

Security checks across malware telemetry and agentic risk

Overview

This is a clear memory-management skill, but it asks agents to automatically save and reread user details and local memory files without enough consent, scoping, or deletion controls.

Install only if you intentionally want persistent local agent memory. Before use, narrow the copied rules to specific projects, require consent before storing personal or confidential details, exclude credentials and sensitive categories, and define how SESSION-STATE.md and daily notes can be reviewed, edited, and deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Vague Triggers

Medium
Confidence: 85%
Finding
The WAL trigger is intentionally broad: any 'concrete detail' causes an immediate write before responding. In practice this can capture incidental or sensitive user data without relevance filtering, causing unintended persistence and making later leakage or over-retention more likely. The skill context increases risk because the behavior is framed as mandatory and automatic rather than user-consented or task-scoped.

Vague Triggers

Medium
Confidence: 80%
Finding
The recovery protocol uses ambiguous auto-triggers such as 'you should know something but don't' and generic phrases like 'continue,' which can cause unnecessary reads of persisted memory. That creates a risk of silently pulling prior-session data into the current interaction, including data the user did not expect to be accessed or resurfaced. The skill context makes this more dangerous because it instructs the agent to recover autonomously rather than confirm with the user.

Missing User Warnings

High
Confidence: 96%
Finding
The skill directs automatic reads and writes of persistent memory files as a default operating model, but provides no notice, consent flow, retention policy, or sensitivity boundaries. This can result in covert storage of personal or confidential information and unexpected access to existing local files. In a memory-management skill, the context makes the issue more serious because persistent data handling is the core behavior, not an incidental edge case.

Missing User Warnings

High
Confidence: 97%
Finding
The startup sequence instructs the agent to read SESSION-STATE.md, identity files, and memory notes 'before doing anything else' and explicitly says 'Don't ask permission.' This normalizes silent file access and can expose unrelated sensitive data from prior sessions or identity documents without contextual need or user awareness. The surrounding skill context amplifies danger because the reads are mandatory and recurring every session.

Ssd 3

Medium
Confidence: 93%
Finding
Automatically persisting user-provided details before responding creates a direct data retention risk: names, locations, corrections, and other facts may be stored even when unnecessary. Because the trigger is based on natural language rather than typed fields or consent gates, sensitive information can be captured opportunistically and later leaked through summaries, recovery, or file access. The skill context makes this more dangerous because it treats the behavior as 'non-negotiable.'

Ssd 3

Medium
Confidence: 91%
Finding
The startup and recovery instructions tell the agent to automatically read identity and memory files without asking permission, which can surface previously stored sensitive information into a new context. Even if intended for continuity, this is a semantic privacy risk because the natural-language instructions do not constrain scope, relevance, or data categories. The skill context increases risk by embedding this as routine autonomous behavior.

Ssd 3

Medium
Confidence: 88%
Finding
The memory flush protocol instructs the agent to 'write everything important' and produce 'comprehensive handoff' notes as context pressure rises. Under stress or ambiguity, that broad instruction can lead to over-collection of sensitive data, including personal details, decisions, and open threads that exceed what is needed for task continuity. The context makes this riskier because flushes are triggered automatically and become more aggressive near compaction.

VirusTotal

65/65 vendors flagged this skill as clean.
