ClawHub

Memory Sync Protocol

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill openly helps sync long-term agent memory files, but users should invoke it only when they really want durable repository changes.

Install this only if you want an agent to maintain durable memory and governance files for you. Review changes to TOOLS.md, MEMORY.md, AGENTS.md, memory logs, and any generated commit before relying on them, and do not use it for secrets or temporary preferences.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger description is broad enough to activate on generic phrases like 'remember', 'update rules', or 'sync across files', which can cause the skill to run in situations where the user did not clearly intend repository-wide persistence. In this skill's context, that matters because activation leads directly to modifying multiple governance and memory files, increasing the chance of unintended durable changes from ambiguous requests.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to modify multiple repository files and create commits as a default workflow, but it does not require an explicit warning or confirmation before making those persistent changes. This is dangerous because a loosely triggered invocation could silently alter governance documents and version history, creating durable configuration drift, audit pollution, or unauthorized repository changes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal