ClawHub

Amemo Skill

Security checks across malware telemetry and agentic risk

Overview

This Amemo skill is a coherent cloud integration, but it handles account tokens, contact details, notes, tasks, health data, and assistant memory with risky local persistence and limited consent controls.

Install only if you trust skill.amemo.cn with your Amemo account token, phone number, email, notes, tasks, health data, and assistant memory. Be aware that this skill is designed to store credentials and contact data in local SKILL.md markdown and to sync memory content to the cloud; rotate or clear credentials and local memory files if you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (35)

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill explicitly instructs the agent to use `bash`/`curl` and local script execution, which expands its capability from simple API orchestration into local command execution. In an agent setting, this increases attack surface because untrusted content, parameters, or future module instructions could be routed into shell commands and lead to command injection or unintended local actions.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill persistently rewrites its own `SKILL.md` file to store runtime user state, including login metadata. Self-modifying local documentation/config is dangerous in agent environments because it creates an untracked persistence channel, can alter future behavior, and may expose or corrupt credentials and state across sessions.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill stores `userToken`, phone number, email, and login timestamp directly in a local markdown file. Persisting authentication tokens and personal data in plaintext local skill files risks credential theft, lateral access by other tools/processes, accidental disclosure through logs/version control, and privacy violations.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill declares a narrow login purpose, but its behavior includes modifying the main SKILL.md to store credentials. This creates a hidden persistence channel for authentication data and violates least privilege, making credential exposure or reuse by other modules more likely.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
A login-only module should not contain broad post-login menu orchestration and assistant behavior, because that expands its authority beyond authentication. Scope creep increases the chance that login events trigger unrelated actions or social-engineering style prompts under the guise of successful authentication.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to persist a user's email address by editing the main SKILL.md file, which is an unsafe and unjustified storage location for personal data. Storing runtime secrets or PII in prompt/skill files can leak data across sessions, expose it to unrelated tools or users, and allow future prompt context to be influenced by user-controlled content.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger phrases for task creation include very broad everyday language such as '记得要', '今天去', and 'remind me', which can cause the skill to activate on ordinary conversation. In this skill’s context, false activation is risky because it can lead to unintended collection, storage, or transmission of personal notes/tasks to a remote service.

Vague Triggers

Medium
Confidence
80% confidence
Finding
Health triggers such as '步数', '睡眠', '血压', and 'health data' are generic enough to match casual discussion about health rather than a request to query the app. Because this skill handles sensitive health information, overbroad matching raises the chance of unnecessary data access or disclosure.

Missing User Warnings

High
Confidence
93% confidence
Finding
The onboarding flow asks for a phone number and initiates login/data handling without a clear privacy notice, retention explanation, or warning that credentials and personal data may be stored locally and sent to a remote service. Given that the skill handles notes, tasks, health data, and authentication, the missing privacy disclosure materially increases user-consent and data-handling risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly instructs sending a user login token together with sensitive health-data queries to a remote endpoint, but it provides no user-facing consent, privacy notice, token-handling guidance, or data-minimization controls. In a health-data context, this increases the risk of unauthorized disclosure or over-collection of sensitive personal information if the integration, logs, or surrounding orchestration are mishandled.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly requires transmitting a userToken to a remote endpoint, but the documentation provides no user-facing notice, consent flow, retention statement, or privacy boundary. Because the skill handles personal notes, this omission increases the risk of users unknowingly sending sensitive content and authentication material to an external service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly requires a user login token and instructs transmitting it to a remote service, but provides no privacy notice, token-handling safeguards, scope limitations, or redaction guidance. Even though HTTPS is used, exposing authentication material in a skill contract without security guidance increases the risk of credential misuse, logging leakage, or unintended disclosure through intermediaries.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description says it will pull cloud memory and write it into local `memory/MEMORY.md`, but it does not clearly warn that invoking the skill overwrites a local file. This can lead to silent destruction or replacement of existing local memory content, especially if the user or orchestrator assumes the action is read-only or merely a sync.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation instructs sending `userToken` and optionally `mateMemory` to a remote HTTPS endpoint without a clear privacy notice or consent warning. Because these fields may contain authentication material and sensitive personal memory content, undisclosed transmission increases the risk of privacy violations, accidental disclosure, and misuse of bearer credentials.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill documentation instructs sending a user login token to a remote API but provides no user-facing disclosure, consent guidance, retention limits, or handling requirements for that credential. Because the token is a bearer credential and the endpoint is third-party infrastructure, this creates real privacy and account-access risk if users or integrators are unaware that authentication data is being transmitted off-platform.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This skill processes sensitive health information including sleep, blood pressure, blood oxygen, heart rate, and calorie data, yet the documentation contains no warning about the sensitivity of this data or precautions for handling it. Health data is highly sensitive personal information, so omission of disclosure and safeguards increases the risk of improper collection, sharing, summarization, and downstream exposure.

Vague Triggers

High
Confidence
96% confidence
Finding
Triggering on any 4-6 digit input is overly broad and can misclassify ordinary numbers as SMS verification codes. In this skill, that could cause unintended login attempts and transmission of sensitive phone/code pairs to a remote service without sufficient contextual confirmation.

Vague Triggers

High
Confidence
90% confidence
Finding
The auto-invocation rule lacks context gating, so the agent may trigger login processing based on ambiguous user input. Because the workflow includes credential handling and persistence, ambiguous dispatch materially increases the risk of unintended sensitive operations.

Vague Triggers

High
Confidence
95% confidence
Finding
Using a generic \d{4,6} regex for code extraction is unsafe because many benign messages contain 4-6 digit numbers. In the context of an authentication workflow, this can cause accidental capture of unrelated numbers and trigger login behavior or external transmission on the wrong data.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill documents writing authentication tokens and user identity data into the main SKILL.md but does not clearly warn the user that sensitive data will be persistently stored. Lack of transparency around secret persistence undermines informed consent and increases accidental exposure risk.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The workflow sends a phone number and verification code to an external endpoint, but the documentation omits clear privacy and transmission disclosure. Since these are sensitive authentication factors, users should be informed before their data is transmitted off-platform.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The instructions require persistent modification of the main SKILL.md with userToken, phone number, and other identity data without clearly stating that this is a durable file write. Persisting secrets in a broadly readable configuration file creates a strong risk of later disclosure to other tools, logs, or users.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrase "记住这个" is overly broad and can be invoked during ordinary conversation without clear, informed user intent to persist data. In this skill, activation leads to writing memory locally and syncing it remotely, so accidental triggering can cause unintended retention and transmission of personal information.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The instruction to extract the user's "recent key information" from conversation is ambiguous and encourages the system to infer what should be saved rather than relying on explicit user-provided content. That creates a real risk of persisting sensitive or irrelevant prior conversation snippets without clear consent, especially because the data is then stored and transmitted externally.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill description states that memory is written locally and synchronized to the cloud, but it does not require an explicit privacy warning or consent flow at the point of collection. Because both a user token and potentially sensitive memory content are transmitted to a remote service, users may not understand that their data is leaving the local environment.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal