Liu Longterm Memory

Security checks across malware telemetry and agentic risk

Overview

This is a real long-term memory skill, but it broadly stores conversation details and can back them up or process them externally without enough consent, scoping, or safety controls.

Install only if you intentionally want broad long-term agent memory. Prefer local-only options for confidential work, review stored memory files regularly, avoid enabling remote LLM or embedding providers unless you accept sending memory-derived content to that provider, and inspect memory files before using Git backup or restore.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Context-Inappropriate Capability

Severity: Medium, Confidence: 90%
The CLI builds shell commands with execSync using filenames and paths derived from runtime state, then invokes external tools like git, zip, tar, and unzip. This increases risk of command injection and unsafe command execution, especially for restore/backup paths or oddly named files, and also inherits the security properties of external binaries and PATH resolution.

Missing User Warnings

Severity: Medium, Confidence: 94%
The README states that conversation data can be automatically extracted and, in one mode, sent to an external LLM provider, but it does not clearly warn users that potentially sensitive prompts, preferences, decisions, or workspace context may be transmitted off-device and retained. In a memory tool explicitly designed to persist agent context, that omission materially increases privacy and data-handling risk because users may enable the feature without understanding the exposure.

Missing User Warnings

Severity: Medium, Confidence: 87%
The README encourages backup, restore, and git-based remote sync operations without warning that these actions can overwrite existing memory files or expose sensitive conversation history to remote repositories. In a long-term memory skill, those operations directly handle accumulated user data, so missing safety guidance increases the risk of accidental data loss or disclosure.

Missing User Warnings

Severity: Medium, Confidence: 95%
The documentation states that conversation content can be automatically extracted by an external LLM provider, but it does not clearly warn users that prompts, preferences, decisions, and corrections may be sent off-device. Because this skill is specifically designed to persist and mine user conversations, silent external transmission creates a meaningful privacy and compliance risk.

Vague Triggers

Severity: Medium, Confidence: 89%
The backup trigger includes broad phrases like `backup` and `save memory`, which could be matched during ordinary conversation rather than a deliberate operational command. In this skill's context, that can cause unintended persistence of sensitive conversation data into local archives or remote git backups without meaningful user confirmation.

Missing User Warnings

Severity: High, Confidence: 95%
The skill instructs the agent to automatically extract preferences, decisions, deadlines, corrections, and other concrete details from conversations and persist them across multiple storage layers. Because there is no clear consent flow, sensitivity filter, or retention warning, users may unknowingly have personal or confidential information stored long-term and later resurfaced or backed up.

Missing User Warnings

Severity: High, Confidence: 96%
The remote backup feature encourages `backup --git` and mentions GitHub/Gitee private repos, but does not prominently warn that conversation-derived memory files may be transmitted to an external service. In the context of this skill, those memory files can contain user preferences, decisions, deadlines, corrections, and project details, making silent or under-warned remote sync particularly risky.

Missing User Warnings

Severity: Medium, Confidence: 94%
The restore path extracts archives directly into the current working directory and uses overwrite behavior for zip extraction without confirmation. A malicious or accidental archive can replace local files, and archive extraction may also introduce path traversal or unexpected file placement depending on the external tool and archive contents.

Missing User Warnings

Severity: Medium, Confidence: 88%
When `--git` is used and a remote exists, the tool automatically pushes memory files to that remote. Because these files are explicitly long-term memory artifacts that may contain sensitive user/project context, automatic transmission to a remote repository can leak confidential data if the remote is public, misconfigured, or unexpected.

Ssd 3

Severity: Medium, Confidence: 91%
The documentation recommends persisting active state before responding and says the agent auto-extracts facts from every conversation, which creates a built-in data retention channel for natural-language content that may include secrets, personal data, or sensitive business context. In a long-term memory skill, this is especially risky because the retained data is intentionally durable, searchable, and potentially included in backups or downstream processing.

Ssd 3

Severity: Medium, Confidence: 93%
The README describes automatic extraction and persistence of user conversation details into long-term memory, which can include sensitive preferences, deadlines, corrections, and potentially other personal or confidential information. In the context of an agent memory system, indiscriminate persistence expands the blast radius of any later compromise, backup leak, or unintended sync.

Ssd 3

Severity: Medium, Confidence: 90%
The write-before-reply workflow instructs the agent to persist user-provided content before answering, which can cause sensitive or unverified information to be stored automatically without confirmation. In a memory skill, this behavior is more dangerous because it normalizes immediate retention of raw user input and makes accidental collection of secrets more likely.

Ssd 3

Severity: Medium, Confidence: 93%
The skill promotes persistence of broad categories of user-provided details into long-term stores and optional backups without strong boundaries on what should not be saved. This makes accidental retention of sensitive personal, business, or credential-adjacent information more likely, especially when combined with semantic search and archival features.

Ssd 3

Severity: Medium, Confidence: 95%
The instruction to scan every user message and write extracted details before responding creates a blanket retention policy over all interactions. In practice, this increases the chance that sensitive or irrelevant information is captured reflexively, before the user understands or approves the storage behavior.

VirusTotal

64/64 vendors flagged this skill as clean.