Elite Longterm Memory

Security checks across malware telemetry and agentic risk

Overview

The main memory feature appears usable and mostly local by default, but the package includes under-disclosed remote API and shell-download code paths that do not fit its local/no-external-API claims.

Review or remove the unused Kimi and ONNX embedding helpers before installing in sensitive environments. Treat stored memories as durable local records, avoid storing secrets, and disable autoRecall if automatic injection of prior memories into future prompts is not wanted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Severity: Medium | Category: MCP Least Privilege | Confidence: 91%
Finding:
The skill manifest declares no required permissions, but the documentation clearly instructs use of shell commands and an HTTP-accessible local Ollama service. This mismatch can mislead operators and security controls about the skill's actual capabilities, weakening review and sandboxing decisions.

Tp4

Severity: High | Category: MCP Tool Poisoning | Confidence: 95%
Finding:
The skill is presented as pure-JavaScript and requiring no external APIs, but the documentation depends on Ollama over HTTP and the static finding indicates additional undeclared behavior such as remote embedding and automatic context injection. Security-relevant behavior that is hidden or inaccurately described prevents informed consent and can expose sensitive conversation data to unintended services or automatic persistence flows.

Intent-Code Divergence

Severity: Medium | Confidence: 93%
Finding:
Claiming 'Pure JS embedding' and 'no external APIs required' while requiring Ollama via a localhost HTTP service is materially misleading. Even if localhost is not a third-party API, it is still an external service dependency with its own trust boundary, availability, and exposure risks.

Intent-Code Divergence

Severity: Medium | Confidence: 92%
Finding:
The feature list advertises zero external dependencies, but the setup instructions require Ollama. This discrepancy increases the chance that users deploy the skill under incorrect assumptions about its attack surface, network behavior, and runtime requirements.

Intent-Code Divergence

Severity: Medium | Confidence: 90%
Finding:
The architecture section identifies Ollama as the embedding layer, contradicting the manifest's claim of pure JavaScript embeddings with no external APIs. In security reviews, inconsistent architecture documentation is risky because reviewers may miss local service exposure and data handling paths.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
Finding:
This file contradicts the skill's advertised local/offline behavior by integrating a remote Kimi API and relying on environment-sourced API credentials. In a memory skill, this can silently exfiltrate user content and operational secrets to a third party, making the mismatch itself security-relevant because users and operators may deploy it under false assumptions about data locality.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
Finding:
The component reads API keys from environment variables and sends arbitrary user text to an external endpoint for embedding generation. For a long-term memory skill, the text may contain sensitive prompts, personal data, or confidential workspace content, so this creates a meaningful confidentiality risk, especially because the skill is presented as local and no-external-API.

Intent-Code Divergence

Severity: Medium | Confidence: 90%
Finding:
The header explicitly states 'No local models required' while the skill metadata claims a local system with no external APIs required. This kind of misleading documentation weakens informed consent and can cause operators to deploy the skill in sensitive environments where outbound transmission would be unacceptable.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
Finding:
The module is described as 'pure local' and requiring 'no external services', but it performs network downloads from a remote host at runtime. This is a real security and transparency issue because users may deploy it in restricted or sensitive environments expecting zero network access, and remote model retrieval also introduces supply-chain risk.

Context-Inappropriate Capability

Severity: High | Confidence: 93%
Finding:
The code invokes shell commands via execSync to run curl for downloading model assets, which is dangerous because it couples network access with shell execution and trusts external content without integrity checks. Even though the interpolated values are mostly internally derived, using the shell increases attack surface and the downloaded model files could be malicious or tampered with.

Intent-Code Divergence

Severity: Medium | Confidence: 90%
Finding:
The code comments and control flow suggest downloads occur only when the local model is absent, but the fallback path using @xenova/transformers may independently fetch remote artifacts. This makes network behavior less predictable and can bypass operator expectations or policy controls in offline or restricted environments.

Missing User Warnings

Severity: Medium | Confidence: 89%
Finding:
The README explicitly demonstrates storing user preferences in long-term memory without any warning about persistence, consent, retention, or sensitivity. In a memory skill, this increases the risk that personal data will be collected and retained indefinitely, leading to privacy leakage, over-collection, or misuse if the memory store is accessed by other components or users.

Missing User Warnings

Severity: Medium | Confidence: 96%
Finding:
The skill instructs automatic writes of user preferences, decisions, deadlines, and corrections into persistent memory files without explicit consent or warning guidance. This creates a privacy and data-minimization risk because sensitive personal or confidential information may be stored by default and retained across sessions.

Missing User Warnings

Severity: Medium | Confidence: 83%
Finding:
The forget command permanently deletes a memory automatically when a single high-scoring match is found, without explicit user confirmation or a dry-run safeguard. In a memory-management skill, this can cause unintended destruction of user data due to ambiguous semantic matches, embedding errors, or adversarially crafted queries, reducing integrity and recoverability of stored information.

Missing User Warnings

Severity: Medium | Confidence: 92%
Finding:
The plugin automatically retrieves stored memories and prepends their raw text into the agent prompt without sanitization, user confirmation, or trust separation. If memory contents include sensitive data or adversarial instructions previously stored via memory_store, they can influence future model behavior or leak private information across interactions.

Missing User Warnings

Severity: Medium | Confidence: 96%
Finding:
The code forwards user-provided text directly to a remote Kimi chat completion endpoint without any visible disclosure, warning, or consent mechanism. In the context of a memory system, the content sent upstream may include highly sensitive conversation history, making undisclosed transmission more dangerous than in a clearly cloud-based skill.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding:
The skill performs network access and writes files into the user's cache directory without an explicit warning or consent mechanism. In agent environments, undisclosed egress and local persistence are meaningful security concerns because they can violate operator assumptions, data-handling policies, or sandbox expectations.

Natural-Language Policy Violations

Severity: Medium | Confidence: 97%
Finding:
Claiming 'no external services' while contacting an external host is a genuine security-relevant misrepresentation. While the issue is primarily about transparency rather than direct code execution, it can mislead users into deploying the skill in contexts where network access is prohibited or sensitive.

Ssd 3

Severity: Medium | Confidence: 97%
Finding:
The natural-language operating instructions direct the agent to persist user-provided details and decisions across session and long-term memory stores by default. In the context of an agent memory skill, this is especially dangerous because it normalizes broad retention of potentially sensitive information and increases the blast radius of prompt leakage, cross-session exposure, and unauthorized data reuse.

VirusTotal

52/52 vendors flagged this skill as clean.