infinite memory local rag system for

Security checks across malware telemetry and agentic risk

Overview

This is a real local memory tool, but it exposes persistent memory through an unauthenticated network service and encourages automatic retrieval of sensitive stored data.

Install only after review. Run it on a trusted machine, bind the sidecar to 127.0.0.1 or add authentication, avoid storing passwords, API keys, personal data, or regulated content, do not use the absolute-ground-truth auto-integration prompt as written, and pin/review dependencies before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (26)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill declares only local command tools in SKILL.md, but the referenced components indicate network-capable behavior such as HTTP service exposure and calls to external or local OpenAI-compatible model endpoints. Undeclared network capability is dangerous because it prevents accurate user consent and review, and can enable unexpected data exfiltration or remote interaction through a skill that appears to be only a local memory utility.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The manifest describes a simple high-precision memory skill, but the referenced codebase appears to implement a persistent memory service, HTTP endpoints, vector and lexical indexing, and LLM-powered processing with parallel workers. This mismatch is security-relevant because users and reviewers may authorize the skill under a narrow mental model while it actually exposes a much larger attack surface, including persistent storage, service exposure, and transmission of ingested content to model backends.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The skill advertises memory recall/search behavior, but it also exposes an unauthenticated ingestion endpoint that allows callers to write arbitrary content into the backing memory store. This expands the trust boundary and can enable memory poisoning, persistence of attacker-controlled data, and unexpected storage of sensitive information contrary to user expectations.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The document instructs the agent to treat `recall_facts` output as 'absolute ground truth' via a direct-return bypass, despite memory retrieval being inherently fallible and potentially stale, poisoned, or contextually wrong. This can cause the agent to present unverified recalled content as fact, amplifying misinformation and enabling memory-poisoning or prompt-injection effects from previously stored data.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The guide explicitly tells the agent to use memory for 'secret codes,' which normalizes retrieval of highly sensitive secrets from long-term storage without any access-control, purpose-limitation, or user-verification safeguard. In practice, this can facilitate secret exfiltration from prior conversations or stored project data when triggered by a user prompt or social engineering attempt.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The usage examples are overly broad and encourage activation for arbitrary prompts such as searching for highly sensitive information like a 'mainframe password.' In a memory skill that can store and retrieve prior user data, unclear activation boundaries increase the chance of inappropriate retrieval, over-collection, or use in contexts the user did not intend.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The installation and usage guidance presents storage and retrieval features without warning users that the skill may retain and surface sensitive data across sessions. In this context, a '100% recall' memory tool is inherently higher risk because it is explicitly designed to persist and retrieve exact text, making accidental capture or disclosure of secrets, personal data, or internal documents more dangerous.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The extraction worker sends the user's query and chunks of retrieved context to an LLM endpoint, which can expose sensitive memory contents outside the local retrieval layer. Even though the configured endpoint is localhost LM Studio, this still crosses a trust boundary and can leak private data to logs, plugins, upstream providers, or a differently configured endpoint without any user consent or disclosure.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The final LLM call transmits up to 3000 characters of raw private database context along with the user's query, materially increasing the chance of sensitive data disclosure. In a memory skill, the retrieved corpus is likely to contain personal, confidential, or security-relevant information, so sending it wholesale to a model is more dangerous than ordinary chat context handling.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The ingestion endpoint stores arbitrary user-provided text into persistent memory without any disclosure, consent flow, or apparent safeguards. In a memory skill, this is particularly risky because users may assume queries are transient while the service can retain sensitive or regulated data indefinitely, increasing privacy and compliance exposure.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The instructions make memory access automatic for prior conversations and project data without requiring user notice, consent, or contextual disclosure. This reduces transparency and can lead to privacy violations, unexpected cross-session data use, and unsafe reliance on stored information the user did not expect to be consulted.

Ssd 3

Severity: High
Confidence: 95%
Finding: The system prompt explicitly instructs the model to return exact private database contents and to avoid refusal or disclaimers, which weakens privacy safeguards and encourages unredacted disclosure. In a memory-recall skill, this creates a direct path for sensitive stored information to be revealed to any caller who can trigger retrieval successfully.

Ssd 3

Severity: High
Confidence: 96%
Finding: The design comment explicitly states an intent to bypass safety-refusal behavior by directly returning extracted facts without a final safety-aware model pass. That is a strong red flag because it shows deliberate removal of a protective layer, making exfiltration of sensitive retrieved data easier and more reliable.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content: fastapi, uvicorn, pydantic, chromadb
Confidence: 98%
Finding: fastapi

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content: fastapi, uvicorn, pydantic, chromadb, axios
Confidence: 98%
Finding: uvicorn

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content: fastapi, uvicorn, pydantic, chromadb, axios, requests
Confidence: 97%
Finding: pydantic

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content: fastapi, uvicorn, pydantic, chromadb, axios, requests, rank_bm25
Confidence: 94%
Finding: chromadb

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content: pydantic, chromadb, axios, requests, rank_bm25, pynvml, aiohttp
Confidence: 98%
Finding: requests

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content: chromadb, axios, requests, rank_bm25, pynvml, aiohttp
Confidence: 92%
Finding: rank_bm25

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content: axios, requests, rank_bm25, pynvml, aiohttp
Confidence: 88%
Finding: pynvml

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content: requests, rank_bm25, pynvml, aiohttp
Confidence: 98%
Finding: aiohttp

Known Vulnerable Dependency: fastapi — 3 advisory(ies): CVE-2021-32677 (Cross-Site Request Forgery (CSRF) in FastAPI); CVE-2021-32677 (FastAPI is a web framework for building APIs with Python 3.6+ based on standard ); CVE-2024-24762 (FastAPI is a web framework for building APIs with Python 3.8+ based on standard )

Severity: High
Category: Supply Chain
Confidence: 95%
Finding: fastapi

Known Vulnerable Dependency: uvicorn — 4 advisory(ies): CVE-2020-7694 (Log injection in uvicorn); CVE-2020-7695 (HTTP response splitting in uvicorn); CVE-2020-7694 (This affects all versions of package uvicorn. The request logger provided by the) +1 more

Severity: High
Category: Supply Chain
Confidence: 95%
Finding: uvicorn

Known Vulnerable Dependency: pydantic — 3 advisory(ies): CVE-2021-29510 (Use of "infinity" as an input to datetime and date fields causes infinite loop i); CVE-2024-3772 (Pydantic regular expression denial of service); CVE-2021-29510 (Pydantic is a data validation and settings management using Python type hinting.)

Severity: High
Category: Supply Chain
Confidence: 94%
Finding: pydantic

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

Severity: High
Category: Supply Chain
Confidence: 96%
Finding: requests

VirusTotal

66/66 vendors flagged this skill as clean.