Agent Memory Keeper

Security checks across malware telemetry and agentic risk

Overview

This is a local memory helper, but it tells agents to automatically preserve personal and project details without clear consent, sensitivity limits, or deletion controls.

Install only if you are comfortable with the agent writing long-term local notes about you and your projects. Before use, set explicit rules not to store secrets, credentials, health, financial, legal, or other sensitive personal information, and periodically inspect and delete MEMORY.md, USER.md, and the memory directory as needed.

Publisher note

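Solves the problem of AI agents losing their memory with every session. Automatically reviews conversations → extracts key information → stores it in long-term memory → loads it automatically in the next session. Lets the agent remember user preferences, project progress, technical decisions, and important information, so it no longer says "I don't remember."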

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrases are very broad and overlap with ordinary conversation, so the skill may activate unintentionally during normal user messages. In a memory-writing skill, accidental activation can cause unexpected persistence of sensitive conversation details or excessive background processing without clear consent.

Missing User Warnings

High
Confidence: 97%
Finding
The skill explicitly promotes storing user preferences, project progress, feedback, and other conversation-derived data in persistent files, but it does not provide a clear warning about sensitive data retention. This is dangerous because users may disclose personal, confidential, or proprietary information without understanding it will be saved across sessions in long-term memory files.

Missing User Warnings

Medium
Confidence: 96%
Finding
The rules explicitly direct the agent to persist personal data such as user names, preferences, boundaries, criticism, and feedback into long-term memory without any consent, minimization, retention, or sensitivity controls. In a memory-keeping skill, this is more dangerous than generic note-taking because it normalizes ongoing collection of user profile data across sessions, increasing privacy, surveillance, and unintended disclosure risks.

VirusTotal

VirusTotal findings are pending for this skill version.
