Memory Master

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate local-memory purpose, but it also rewrites persistent agent control files and adds broad automatic behaviors that users should review before installing.

Install only after reviewing the templates and init behavior. Expect AGENTS.md, MEMORY.md, and HEARTBEAT.md to be changed, and consider running it first in a disposable workspace. Disable or edit the automatic web-learning and heartbeat sections if you do not want searches, email/calendar/social checks, or repository actions triggered by persistent agent instructions.
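One way to carry out the review the overview recommends, as an added example for this page (not code from the Memory Master skill or from SkillSpector): hash every file in a throwaway workspace before and after the init step, then report what was created, modified or deleted and single out the agent control files among them. The `simulated_init` function below stands in for the skill's real init command and its file contents are constructed; in practice you would replace it with a subprocess call that runs the skill's own init inside the temporary directory.

```python
"""Snapshot a workspace before and after a skill's init step and report which
files it created or rewrote, flagging agent control files.

Added example for this report, not code from the Memory Master skill or from
SkillSpector. The simulated init and its file contents are constructed."""
import hashlib
import tempfile
from pathlib import Path

# Files that govern agent behaviour rather than store memory; a memory skill
# touching these is the scope expansion the findings on this page describe.
CONTROL_FILES = {"AGENTS.md", "HEARTBEAT.md", "MEMORY.md"}


def snapshot(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(before: dict, after: dict):
    """Return (created, modified, deleted) lists of relative paths."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return created, modified, deleted


def control_file_changes(created, modified):
    """Subset of changed paths whose basename is an agent control file."""
    return sorted(p for p in created + modified if Path(p).name in CONTROL_FILES)


def simulated_init(root: Path) -> None:
    """Constructed stand-in for the skill's init step (not the real script):
    rewrites AGENTS.md, creates HEARTBEAT.md and a memory directory."""
    (root / "AGENTS.md").write_text("# AGENTS\nTemplate replaced by init.\n")
    (root / "HEARTBEAT.md").write_text("# HEARTBEAT\nCheck inbox and calendar.\n")
    (root / "memory").mkdir(exist_ok=True)
    (root / "memory" / "2024-01-01.md").write_text("- decision: ...\n")


def audit_init(run_init=simulated_init) -> dict:
    """Run init inside a throwaway workspace and return the change report.

    Pass a callable that invokes the skill's real init (for example via
    subprocess.run with cwd=root) to audit the actual skill."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Seed the disposable workspace with a user-owned policy file so an
        # overwrite shows up as a modification rather than a creation.
        (root / "AGENTS.md").write_text("# AGENTS\nUser's own policy.\n")
        (root / "README.md").write_text("project readme\n")
        before = snapshot(root)
        run_init(root)
        after = snapshot(root)
        created, modified, deleted = diff_snapshots(before, after)
        return {
            "created": created,
            "modified": modified,
            "deleted": deleted,
            "control_files_touched": control_file_changes(created, modified),
        }


if __name__ == "__main__":
    for key, paths in audit_init().items():
        print(f"{key}: {paths}")
```

Anything listed under `control_files_touched` is a change to how the agent behaves on every future turn, not a memory write, and is the part of the init to read line by line before installing outside the disposable workspace.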

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (41)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 74%
Finding: The skill declares itself as requiring no special capabilities, yet the documented installation and runtime behavior clearly assumes access to workspace files, environment-dependent paths, and local execution context. Missing or inaccurate capability disclosure prevents informed review and safe sandboxing, which can lead users to grant trust to a skill that performs broader file and environment interactions than expected.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The skill is presented as a local memory helper, but its documented initialization rewrites AGENTS.md, creates or overwrites HEARTBEAT.md, transforms MEMORY.md, and performs broader workspace restructuring. This mismatch is dangerous because users may consent to a memory feature without realizing it alters core control files that govern agent behavior and persistence.

Description-Behavior Mismatch
Severity: High
Confidence: 97%
Finding: The README makes a strong privacy/security claim that the system is '100% Local' and that nothing leaves the machine, while elsewhere describing automatic web searching for learning. That contradiction can mislead users into enabling the skill under false assumptions, causing unintended outbound network access and possible disclosure of prompts, memory contents, or task context.

Intent-Code Divergence
Severity: High
Confidence: 96%
Finding: The documentation is internally inconsistent about whether the skill is purely local or performs automatic web searches. In a security-sensitive agent skill, such contradictions are dangerous because users and downstream systems may rely on inaccurate trust boundaries when deciding what information can be processed.

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: The README instructs users or agents to run a local Node.js script after every response, creating repeated code-execution behavior not clearly justified by the core memory feature set. Any mandatory per-response script execution expands the attack surface, can introduce hidden side effects, and may be abused for persistence, telemetry, or unauthorized file/network operations.

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The skill presents itself as a local memory system, but its documented behavior includes automatic web search and network learning. That mismatch can mislead users and downstream agents into granting broader trust and permissions than expected, increasing the risk of unintended data flow or unsafe autonomy.

Description-Behavior Mismatch
Severity: Medium
Confidence: 96%
Finding: A memory skill is expected to manage memory files, but this one also migrates and rewrites AGENTS.md, MEMORY.md, and HEARTBEAT.md. Expanding from storage into broad policy-file modification is dangerous because it can alter agent behavior, persistence, and control surfaces beyond the user's likely expectations.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The documentation claims full visibility, edit, and delete authority over all files, which is far broader than necessary for a memory subsystem. Excessive authority greatly increases the blast radius if the skill is triggered accidentally, misused by another agent, or paired with unsafe prompts.

Intent-Code Divergence
Severity: High
Confidence: 97%
Finding: The file says the system is '100% local' while also stating that it performs automatic web search and writes learned content locally. This contradiction is dangerous because users may rely on a false privacy guarantee and unknowingly permit network activity or storage of externally sourced content.

Context-Inappropriate Capability
Severity: Medium
Confidence: 89%
Finding: Requiring a Node.js script to run after every response adds continuous executable behavior not clearly justified by the core memory function. Any always-run post-response hook increases the attack surface, can normalize unsafe execution habits, and may be abused if the script or its path is modified.

Intent-Code Divergence
Severity: High
Confidence: 98%
Finding: The documentation claims there are no automatic network calls, but the workflow later instructs the agent to automatically search the web when local knowledge is insufficient. This contradiction can cause unexpected outbound data exposure through search queries, especially if user context or sensitive project details are included in those searches.

Intent-Code Divergence
Severity: Medium
Confidence: 94%
Finding: The Requirements section states there are no external APIs or dependencies, but the documented knowledge-learning flow relies on web searching. Even if it uses a generic browser/search engine instead of a formal API, it still creates an external network dependency and data egress risk that the user was told did not exist.

Intent-Code Divergence
Severity: High
Confidence: 97%
Finding: The Security section says the user explicitly authorizes web searches before network activity, yet the earlier workflow mandates automatic web learning when knowledge is missing. This inconsistency undermines user consent and can result in network actions being taken under ambiguous or implied authorization.

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: Initialization modifies AGENTS.md, MEMORY.md, and HEARTBEAT.md, which are foundational workspace control files and not merely memory storage. Changing these files can alter agent behavior, persistence, and task execution in ways the user may not expect from a memory skill, increasing the blast radius of installation.

Description-Behavior Mismatch
Severity: Medium
Confidence: 89%
Finding: The manifest markets the skill as a local memory system, but the documented functionality includes web-search-based learning. This is a material scope expansion because a local-only tool has very different trust and privacy expectations than a tool that may send data to external services.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The init script modifies broad workspace control files such as AGENTS.md, MEMORY.md, and HEARTBEAT.md rather than confining itself to a skill-specific data directory. In an agent ecosystem, AGENTS.md can influence future agent behavior, so silently replacing it with a template is a privilege-expanding side effect that can alter system policy well beyond memory initialization.

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: The script creates or updates HEARTBEAT.md and migrates heartbeat content from AGENTS.md, introducing task/configuration behavior unrelated to a local memory subsystem's stated purpose. That cross-domain capability is dangerous because it can establish persistent operational instructions or scheduled behavior under the guise of setup, increasing the chance of hidden agent control or policy drift.

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The template expands a local-memory skill into broad proactive monitoring and operational behavior, including checking email, calendar, social media, weather, and doing repository work. This creates capability creep and can cause the agent to access unrelated sensitive data or take actions outside user expectations, especially because the instructions are framed as routine heartbeat behavior rather than explicitly consented tasks.

Context-Inappropriate Capability
Severity: High
Confidence: 96%
Finding: In a skill described as a local memory system, instructing the agent to check external communications/services is unjustified access expansion. Even if no exploit code is present, normalizing these actions in a heartbeat template can lead to unauthorized review of sensitive inbox/calendar/social data and violates least-privilege expectations for the skill.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The document explicitly instructs the agent to perform 'web learning' (the original wording is '网络学习') when local knowledge is insufficient, which expands the skill from local memory management into outbound network access and data ingestion. This is dangerous because it can transmit user context externally and import untrusted content into the local knowledge base without clear authorization or trust boundaries.

Context-Inappropriate Capability
Severity: Medium
Confidence: 91%
Finding: The skill includes broad instructions for delegating user tasks to sub-agents and choosing execution modes, which is outside the stated memory-system purpose. This increases the effective authority of the skill and can cause the host agent to perform additional actions under the cover of a memory feature, weakening least-privilege assumptions.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: Automatic web searching is described without a prominent warning that the feature may trigger network activity and transmit contextual information. Users may reasonably believe the skill is local-only and therefore expose sensitive prompts or memory-derived queries to external services without informed consent.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill advertises automatic recording of discussions, decisions, and action items without a sufficiently prominent warning that user content will be persisted to local files. This can lead to unintentional retention of secrets, personal data, or sensitive business context beyond the immediate session.

Vague Triggers
Severity: High
Confidence: 90%
Finding: The trigger keywords are extremely broad and overlap with ordinary conversation, making accidental activation likely. In a skill that can write memory, read prior content, and perform network learning, vague triggers materially increase the chance of unauthorized persistence, recall, or external requests.

Vague Triggers
Severity: Medium
Confidence: 87%
Finding: The heuristic recall rules rely on subjective conditions like 'you feel uncertain,' which creates ambiguous activation boundaries. Ambiguous autonomy is risky here because it can cause unnecessary reading of stored material and expose prior sensitive context without clear user authorization.
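The recurring problems in the findings above (a '100% local' claim beside an instruction to search the web automatically, an init step that rewrites AGENTS.md, HEARTBEAT.md and MEMORY.md, a script to be run after every response, and trigger words that are ordinary vocabulary) can all be checked mechanically against a skill's documentation before it is installed. The following is an added example for this page, not SkillSpector's scanner; `SAMPLE_DOC` is a constructed stand-in that reproduces those patterns rather than the skill's actual README, and the regex lists are illustrative heuristics, not a complete rule set. Finding categories reuse the names this report uses.

```python
"""Static consistency check of a skill's documentation: do its trust claims
(local-only, no network, consent-gated) contradict what it instructs the agent
to do, does init touch agent control files, is there a per-response hook, and
are the trigger words ordinary vocabulary?

Added example for this report. Not SkillSpector's code; SAMPLE_DOC is a
constructed stand-in, not the Memory Master README; the regexes are heuristics."""
import re

SAMPLE_DOC = """\
# Memory Helper
100% Local. Nothing leaves your machine. No external APIs or dependencies.

## Workflow
When local knowledge is insufficient, automatically search the web and write
what you learn to MEMORY.md. After every response, run `node scripts/update-memory.js`.

## Init
Init rewrites AGENTS.md, migrates heartbeat content into HEARTBEAT.md and
transforms MEMORY.md.

## Security
The user explicitly authorizes web searches before any network activity.

## Triggers
remember, note, think, memory, recall, what did we
"""

# Sentences that promise a local-only or consent-gated trust boundary.
LOCAL_CLAIMS = [r"100%\s*local", r"nothing leaves", r"no (?:automatic )?network",
                r"no external apis?", r"explicitly authoriz\w+ .*web search"]
# Sentences that instruct the agent to go to the network on its own.
NETWORK_INSTRUCTIONS = [r"automatic(?:ally)?\s+search", r"search the web",
                        r"web learning", r"网络学习"]
CONTROL_FILES = r"\b(AGENTS\.md|HEARTBEAT\.md|MEMORY\.md)\b"
CONTROL_VERBS = r"\b(rewrit\w*|overwrit\w*|migrat\w*|transform\w*|replac\w*|creat\w*)\b"
PER_RESPONSE_HOOK = r"after (?:every|each) response[^.]*(?:node|\.js)"
# Trigger words that appear in ordinary conversation (illustrative stoplist).
COMMON_WORDS = {"remember", "note", "think", "memory", "recall", "save", "forget", "help"}


def sentences(doc):
    """Join wrapped lines inside each paragraph, then split on sentence ends."""
    out = []
    for para in re.split(r"\n\s*\n", doc):
        flat = " ".join(line.strip() for line in para.splitlines() if line.strip())
        out.extend(s for s in re.split(r"(?<=[.!?])\s+", flat) if s)
    return out


def matching(patterns, sents):
    return [s for s in sents if any(re.search(p, s, re.I) for p in patterns)]


def check_skill_doc(doc):
    """Return a list of findings tagged with this report's category names."""
    sents = sentences(doc)
    findings = []

    # A local-only promise is only a finding when the same document also
    # tells the agent to use the network.
    claims = matching(LOCAL_CLAIMS, sents)
    network = matching(NETWORK_INSTRUCTIONS, sents)
    if claims and network:
        findings.append({"category": "Description-Behavior Mismatch",
                         "claims": claims, "contradicted_by": network})

    # Control files named in the same sentence as a rewrite/migrate verb.
    touched = sorted({f for s in sents if re.search(CONTROL_VERBS, s, re.I)
                      for f in re.findall(CONTROL_FILES, s)})
    if touched:
        findings.append({"category": "Context-Inappropriate Capability",
                         "detail": "init modifies agent control files", "files": touched})

    hooks = matching([PER_RESPONSE_HOOK], sents)
    if hooks:
        findings.append({"category": "Context-Inappropriate Capability",
                         "detail": "script executed after every response", "evidence": hooks})

    m = re.search(r"^##\s*Triggers\s*\n(.+)$", doc, re.M | re.I)
    if m:
        triggers = [t.strip().lower() for t in m.group(1).split(",") if t.strip()]
        vague = sorted(t for t in triggers if t in COMMON_WORDS)
        if vague:
            findings.append({"category": "Vague Triggers", "triggers": vague})
    return findings


if __name__ == "__main__":
    for finding in check_skill_doc(SAMPLE_DOC):
        print(finding)
```

To run it against a real skill, read its SKILL.md or README and pass the text to `check_skill_doc`. An empty result means only that none of these particular patterns matched, not that the skill is clean; a hit on the first check is the case to read most carefully, because the consent language in a Security section does not undo an automatic-search instruction elsewhere in the same file.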

VirusTotal

64/64 vendors flagged this skill as clean.
