.Backup Global Cognitive Brain 20260316 100703

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local persistent-memory skill, but it broadly records and reuses conversation data across sessions without clear user controls.

Install only if you intentionally want a global memory layer that can remember conversation contents across sessions. Avoid using it for secrets, credentials, private client data, or unrelated projects unless you first confirm where the memory files are stored and have a reliable way to inspect, disable, and delete them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The file defines persistent memory paths for working, episodic, semantic, and meta memory and later uses them to store user inputs across runs. In an agent skill, retaining cross-session dialogue and inferred knowledge without clear purpose limitation, consent, retention controls, or access boundaries creates a real privacy and data-governance risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
This code acts as a broker/router that classifies user requests and directs them into multiple operational domains such as GitHub, SQL, search, frontend, weather, and security tooling. That broad dispatch behavior increases attack surface and the chance of misrouting sensitive prompts into more privileged downstream skills, especially because routing is based on simple keyword heuristics rather than strict authorization or task scoping.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill advertises automatic recording of all inputs and cross-session retention without any clear consent, minimization, retention, or sensitivity controls. In a conversational agent, this can capture credentials, personal data, business secrets, and other sensitive content, then retain it beyond the user's expectation.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
Automatically reinjecting prior conversation memory into future prompts without warning can cause sensitive historical data to be resurfaced in later model calls. Users may not realize that earlier inputs will continue to influence or be exposed in future interactions.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The documentation says corrupted JSON files may be deleted and rebuilt, but it does not warn users that memory contents may be permanently lost. In a persistent-memory skill, silent destructive recovery can erase important records and undermine trust and auditability.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
This file stores many generic user prompts such as 'Create a new GitHub issue', 'I need to review a pull request', and 'Check my system for security vulnerabilities'. If this JSON is used as memory, routing examples, or trigger-matching data, these broad phrases can cause unintended tool activation, prompt selection, or behavior steering from ordinary user input, increasing the risk of overbroad invocation and context confusion.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
Raw user messages are appended to persistent working memory and saved to disk with no visible notice, consent, or disclosure mechanism. This is dangerous because users may provide secrets or personal data assuming ephemeral handling, while the skill silently retains that data for future use.

Ssd 3

Severity: High
Confidence: 98%
Finding
Persisting all user inputs and carrying memory across sessions creates a direct data leakage risk: sensitive information from one interaction can later be exposed in unrelated prompts, responses, or summaries. In an agent skill specifically designed to accumulate and reuse conversational data, the context makes this more dangerous because leakage is a core behavior rather than an edge case.

Ssd 3

Severity: High
Confidence: 98%
Finding
The documented automatic context injection mechanism can expose prior user-provided data in future model interactions, including to downstream tools or external APIs if the prompt is forwarded. Because this skill's purpose is to inject accumulated memory into each prompt, the surrounding context substantially increases the likelihood of cross-conversation disclosure.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
Recording both user input and model output for every message establishes a standing conversation log that may include personal data, secrets, proprietary information, and unsafe outputs. If later accessed, reused, or leaked, this expands the blast radius beyond the original interaction.

Ssd 3

Severity: Medium
Confidence: 98%
Finding
The skill persistently stores raw dialogue and later uses memory retrieval in its reasoning and outputs. Because stored messages may contain credentials, personal data, or confidential instructions, this creates a concrete cross-run data leakage path where one interaction can influence and disclose information in later responses.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
Episodic memory stores free-form summaries and details persistently, which can capture sensitive information in unstructured text that is hard to sanitize later. Since retrieval functions search and reuse these events, sensitive details can resurface unexpectedly in subsequent interactions or outputs.

Ssd 3

Severity: Medium
Confidence: 98%
Finding
The response builder directly emits recalled semantic-memory facts into the generated response without checking provenance, sensitivity, or user/session boundaries. That makes previously stored information trivially exfiltrable through normal conversation, turning memory into an output-side data leak.

VirusTotal

66/66 vendors flagged this skill as clean.