Zouroboros Memory

Security checks across malware telemetry and agentic risk

Overview

This is a coherent persistent-memory skill with optional model integrations, but users should understand that stored memory can persist locally and may be sent to configured model endpoints when advanced features are enabled.

Install only if you want a persistent local memory database for agents. Review the database path, avoid storing secrets unless you intend them to persist, and enable Ollama/OpenAI features only when you are comfortable sending memory text and queries to those configured endpoints. Be careful with delete and prune commands because they can remove stored records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill advertises capabilities that imply environment and network access through Node.js/npm installation, npx execution, localhost HTTP embedding configuration, and an MCP server, but it does not declare permissions or warn users about those capabilities. This creates a transparency and consent problem: users may install or run the skill without understanding that it can access local runtime context and communicate over the network, increasing the risk of unintended data exposure or policy bypass.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The package is presented as persistent memory, but this code adds outbound model calls for reranking and inference. That means user queries and stored memory content can be transmitted off-host, which expands the trust boundary and creates privacy and compliance risk if operators expect a local-only memory component.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The code reads OpenAI API credentials from environment variables and uses them to send prompts to an external service, a capability not obvious from a memory skill description. In an agent environment, this can surprise operators and enable unintended exfiltration of sensitive memory data to a third party.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding: The package presents itself as a persistent memory system, but portions of stored or queried memory can be sent to external LLM providers for reranking and HyDE-style expansion. In a memory skill, this matters because users may reasonably expect local storage/retrieval semantics, while query text and memory snippets can leave the host boundary and reach OpenAI or Ollama endpoints.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill is centered on persistent memory and explicitly documents storage, search, deletion, pruning, and use of a long-lived database path, but it provides no warning that data is retained across sessions or that delete/prune operations are destructive. In an agent-memory context, this is especially sensitive because users may store personal, operational, or confidential information without realizing it persists on disk and may later be retrieved, modified, or removed.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding: User-provided text is transmitted to the configured Ollama endpoint for embedding generation, and this file shows no consent, disclosure, or locality enforcement around that transfer. In a memory skill, prompts and stored memories can contain sensitive personal or operational data, so silent transmission to a remote or misconfigured endpoint creates a privacy and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The skill sends raw user queries to the Ollama generation endpoint to produce hypothetical answers, again without any visible warning or consent mechanism in this code path. Because generation can involve especially sensitive user questions and the feature is not core to basic persistence, this expands privacy exposure beyond embeddings and increases the chance of unintended data disclosure.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The OpenAI request includes user prompt content and potentially memory-derived text without any user-facing disclosure in the execution path. In a memory system, prompts may contain sensitive personal, operational, or proprietary data, so silent remote transmission raises material privacy and data-governance concerns.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The code reads API secrets from environment variables and uses them to transmit prompts to OpenAI without any user-facing disclosure or consent mechanism. Because prompts may include sensitive memory content, this creates a data exfiltration risk that users of a 'memory' skill may not anticipate.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The Ollama request sends prompt data to a configurable HTTP endpoint, potentially off-host if OLLAMA_URL is changed, with no user-facing disclosure. In this skill context, the prompt can contain memory search content or reranking passages, so sensitive stored data may be transmitted outside the expected trust boundary.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The code sends prompt and system content to OpenAI without any evidence in this component of consent, minimization, or disclosure controls. In a persistent-memory skill, prompts may contain sensitive stored memories, making external transmission materially riskier than in a generic chat client.

Missing User Warnings

Severity: Low
Confidence: 72%
Finding: The Ollama request also transmits prompt content to another service endpoint without disclosure controls in this code. Although the default target is localhost, the URL is configurable via environment variable, so deployments could silently send memory content to a remote or shared host.

VirusTotal

67/67 vendors flagged this skill as clean.