memory-booster

Security checks across malware telemetry and agentic risk

Overview

This memory skill is mostly coherent, but it automatically reads, indexes, surfaces and persists local memory data, and can delete it, with broad defaults that deserve manual review before installation.

Install it only if you want a strong local memory layer that reads prior WorkBuddy memories, searches historical conversations, writes summaries back to disk, and builds a local semantic index. Before using it:
  • set explicit memory_dirs in config.json rather than relying on automatic directory discovery;
  • disable the automatic startup warmup for sensitive work;
  • review anything before saving it with !记忆压缩 (memory compression);
  • run archive mode as a dry run first, since it deletes old diary files after extraction and backup;
  • treat !forge outputs as promotional templates, because they include mandatory WeChat CTA content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The manifest frames the skill as memory/context retention, but the body embeds a distribution and monetization engine that generates derivative skills with mandatory promotional content. Mixing data-handling functionality with undisclosed marketing objectives is risky because users may expose personal context to a tool whose incentives extend beyond memory assistance.

Context-Inappropriate Capability

Severity: High
Confidence: 94%
Finding
The !forge workflow requires generated skills to include mandatory CTA content and positions each generated artifact as a distribution node. This is an unjustified capability for a memory tool and can be abused to mass-produce persuasive promotional content under the guise of utility skills, amplifying social-engineering and spam risks.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The documented growth flywheel explicitly instructs users to publish derivative skills to drive downloads, attention, and paid conversion. This business-promotion logic is unrelated to memory management and increases the likelihood that the skill is used to propagate promotional artifacts rather than serve the user's primary intent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The loader automatically enumerates WorkBuddy memory directories across the user's home directory and the current directory's parent chain, then treats any directory containing markdown files as an eligible memory source. This can pull in unrelated workspace memories without explicit user consent, causing unintended cross-project data exposure and indexing of sensitive notes. In a memory-aggregation skill that broad discovery is more dangerous than usual, because the whole purpose of the skill is to collect and reuse prior context.
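The following is an added example, not code from the memory-booster skill or from WorkBuddy. It contrasts an approximation of the broad discovery described in this finding (the real loader's exact walk order is not documented on this page, so that part is an assumption) with the mitigation recommended in the Overview: an allowlisted loader that only reads directories named under memory_dirs in config.json and skips symlinks that resolve outside them. The sample home directory it builds is constructed for the demonstration; the key name memory_dirs is the only identifier taken from the page.

```python
from __future__ import annotations

import json
import os
import tempfile
from pathlib import Path


def discover_memory_dirs_broad(start: Path, home: Path) -> list[Path]:
    """Approximation of the risky default (assumption: exact walk order is
    undocumented): the current directory and its parent chain up to $HOME,
    plus every directory directly under $HOME, become memory sources as soon
    as they contain a markdown file."""
    candidates: list[Path] = []
    for d in [start, *start.parents]:
        candidates.append(d)
        if d == home:
            break
    candidates += [d for d in home.iterdir() if d.is_dir()]
    found = {d for d in candidates
             if d.is_dir() and any(p.suffix == ".md" for p in d.iterdir())}
    return sorted(found)


def load_allowlisted_memory_dirs(config_path: Path) -> list[Path]:
    """Hardened alternative: only directories listed under memory_dirs in
    config.json are eligible. Relative entries resolve against the config
    file's directory; every entry must exist and be a directory."""
    cfg = json.loads(config_path.read_text(encoding="utf-8"))
    entries = cfg.get("memory_dirs")
    if not isinstance(entries, list) or not entries:
        raise ValueError("config.json must set an explicit, non-empty memory_dirs list")
    base = config_path.resolve().parent
    allowed: list[Path] = []
    for entry in entries:
        p = Path(entry) if os.path.isabs(entry) else base / entry
        p = p.resolve()
        if not p.is_dir():
            raise ValueError(f"memory_dirs entry is not a directory: {entry}")
        allowed.append(p)
    return allowed


def list_memory_files(allowed: list[Path]) -> list[Path]:
    """Enumerate markdown files strictly inside the allowlisted roots. A
    symlink that resolves outside its root is skipped, so a stray link cannot
    widen the scope the user configured."""
    files: list[Path] = []
    for root in allowed:
        for p in root.rglob("*.md"):
            if p.is_file() and p.resolve().is_relative_to(root):
                files.append(p)
    return sorted(files)


def build_demo_tree() -> Path:
    """Constructed sample home directory (not real user data)."""
    home = Path(tempfile.mkdtemp(prefix="membooster-demo-")) / "home"
    memory = home / "proj" / "memory"
    memory.mkdir(parents=True)
    (memory / "MEMORY.md").write_text("# project memory\n", encoding="utf-8")
    (home / "proj" / "README.md").write_text("# proj\n", encoding="utf-8")
    (home / "proj" / "config.json").write_text(
        json.dumps({"memory_dirs": ["memory"]}), encoding="utf-8")
    (home / "other-client").mkdir()
    (home / "other-client" / "contract-notes.md").write_text("confidential\n", encoding="utf-8")
    (home / "notes.md").write_text("personal\n", encoding="utf-8")
    try:  # a link inside the allowlisted dir that points at another client's notes
        (memory / "leak.md").symlink_to(home / "other-client" / "contract-notes.md")
    except OSError:
        pass  # symlinks unavailable on this platform; the escape check is just not exercised
    return home


def demo() -> tuple[list[str], list[str]]:
    """Returns (directory names the broad discovery would ingest,
    file names the allowlisted loader actually reads)."""
    home = build_demo_tree()
    cwd = home / "proj"
    broad = [d.name for d in discover_memory_dirs_broad(cwd, home)]
    allowed = load_allowlisted_memory_dirs(cwd / "config.json")
    files = [p.name for p in list_memory_files(allowed)]
    return broad, files


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the broad walk pulling in the home directory itself and the unrelated other-client notes, while the allowlisted loader returns only MEMORY.md and ignores the leak.md symlink.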

Vague Triggers

Severity: High
Confidence: 96%
Finding
The trigger list includes common words such as ‘记忆’ (memory), ‘memory’, ‘忘记’ (forget), and ‘忘了’ (forgot), which are likely to appear in ordinary conversation. Overbroad triggers can cause the skill to activate unexpectedly and begin reading, searching, or writing memory data without a clear, intentional command from the user.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The skill says memory warmup should run every time a conversation starts, including via an automatic startup hook. This activation condition is too broad and can trigger history retrieval and local file reads even when the user has not requested memory access for the current conversation.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The warmup flow directs automatic reading of MEMORY.md, recent diaries, and historical conversations, but does not prominently warn users that sensitive local and prior-conversation data will be accessed and surfaced. In a memory tool, that context makes the issue more dangerous because the accessed content is likely to contain personal, strategic, or confidential information.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The compression workflow instructs persistent writing to daily diaries and modification of MEMORY.md, yet the skill does not provide a clear up-front warning that user conversation content will be stored and altered on disk. Without informed consent and data-minimization controls, sensitive information may be retained longer than intended and become accessible later via search or warmup.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The archive feature states that old diary files will be deleted after extraction and backup, but this destructive behavior is not presented as a prominent warning. Any feature that deletes user-authored files, even with backup, materially increases the risk of data loss, corruption, or mistaken archival of important records.
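The following is an added example, not the skill's own archive code, showing the dry-run-first discipline the Overview recommends for this feature: the archive planner selects diary files older than a retention window, a dry run only reports what would be removed, and the real run copies each file to a backup directory and verifies the copy's SHA-256 before any original is deleted. The diary file naming (YYYY-MM-DD.md), the retention window and the backup layout are assumptions for illustration; the sample diary it builds is constructed.

```python
from __future__ import annotations

import hashlib
import shutil
import tempfile
from datetime import date, timedelta
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plan_archive(diary_dir: Path, keep_days: int, today: date) -> list[Path]:
    """Select diary files named YYYY-MM-DD.md (assumed naming) that fall outside
    the retention window. Files whose stem is not a date, such as MEMORY.md,
    are never selected."""
    cutoff = today - timedelta(days=keep_days)
    selected: list[Path] = []
    for p in sorted(diary_dir.glob("*.md")):
        try:
            d = date.fromisoformat(p.stem)
        except ValueError:
            continue
        if d < cutoff:
            selected.append(p)
    return selected


def run_archive(diary_dir: Path, backup_dir: Path, keep_days: int, today: date,
                *, dry_run: bool = True) -> dict:
    """dry_run=True (the default) only reports the plan. A real run backs up
    every selected file and verifies each copy before the first deletion, so a
    failed copy leaves the diary untouched."""
    plan = plan_archive(diary_dir, keep_days, today)
    report = {"planned": [p.name for p in plan], "deleted": [], "dry_run": dry_run}
    if dry_run:
        return report
    backup_dir.mkdir(parents=True, exist_ok=True)
    for p in plan:
        dest = backup_dir / p.name
        shutil.copy2(p, dest)
        if sha256_of(dest) != sha256_of(p):
            raise RuntimeError(f"backup verification failed for {p.name}; nothing was deleted")
    for p in plan:  # only reached once every backup has been verified
        p.unlink()
        report["deleted"].append(p.name)
    return report


def demo() -> dict:
    """Constructed diary: entries 1, 10, 45 and 120 days old plus MEMORY.md,
    archived with a 30-day window as of 2024-03-01."""
    root = Path(tempfile.mkdtemp(prefix="archive-demo-"))
    diary = root / "diary"
    diary.mkdir()
    today = date(2024, 3, 1)
    for days_ago in (1, 10, 45, 120):
        name = (today - timedelta(days=days_ago)).isoformat() + ".md"
        (diary / name).write_text(f"entry from {days_ago} days ago\n", encoding="utf-8")
    (diary / "MEMORY.md").write_text("# long-term memory, never archived\n", encoding="utf-8")
    dry = run_archive(diary, root / "backup", keep_days=30, today=today, dry_run=True)
    after_dry = sorted(p.name for p in diary.glob("*.md"))
    real = run_archive(diary, root / "backup", keep_days=30, today=today, dry_run=False)
    return {
        "dry_planned": dry["planned"],
        "after_dry": after_dry,
        "deleted": real["deleted"],
        "remaining": sorted(p.name for p in diary.glob("*.md")),
        "backed_up": sorted(p.name for p in (root / "backup").glob("*.md")),
    }


if __name__ == "__main__":
    print(demo())
```

The dry run leaves all five files in place and names the two entries older than the window; only the explicit second call with dry_run=False removes them, and by then each has a verified copy under backup/.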

Ssd 3

Severity: High
Confidence: 99%
Finding
The skill requires first-reply memory warmup output, meaning prior diary and conversation content may be surfaced immediately before the user asks for it. This violates minimization principles and can leak sensitive historical context into the visible conversation, especially in shared or mis-scoped sessions.

Ssd 3

Severity: High
Confidence: 98%
Finding
The compression workflow broadly instructs persistent saving of decisions, data, relationships, issues, next steps, and file references from the current conversation. Because the categories are broad and default behavior encourages saving, the skill can easily persist confidential operational details and create a durable knowledge base without adequate consent or redaction.
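The following is an added example, not code from the skill, of the review-before-save gate that this finding and the earlier "Missing User Warnings" finding on the compression workflow call for. It scans a candidate summary for a few secret shapes (an AWS access key ID prefix, a bearer token, a private-key header, a password assignment), reports what matched on which line so the user can be shown it, and refuses to write to a diary file unless the caller passes explicit confirmation; even then only the redacted text is persisted. The pattern list, the diary file naming and the sample summary are assumptions constructed for the demonstration.

```python
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass, field
from datetime import date
from pathlib import Path
from typing import Optional

# Assumed patterns for illustration; a real deployment would tune this list.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{20,}"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*\S+"),
}


@dataclass
class ReviewResult:
    redacted: str
    hits: list = field(default_factory=list)  # (pattern name, line number)


def review_before_save(text: str) -> ReviewResult:
    """Scan a summary line by line, record what matched where, and return a
    redacted copy. The hits are what the user should see before anything is
    written to a diary or to MEMORY.md."""
    hits = []
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                hits.append((name, n))
                line = pat.sub(f"[REDACTED:{name}]", line)
        out.append(line)
    return ReviewResult("\n".join(out) + "\n", hits)


def save_diary_entry(diary_dir: Path, text: str, *, confirmed: bool = False,
                     day: Optional[date] = None) -> Optional[Path]:
    """Consent gate: refuse to persist anything that produced a hit unless the
    caller passes confirmed=True after showing the hits to the user. Even then
    only the redacted text reaches disk."""
    result = review_before_save(text)
    if result.hits and not confirmed:
        return None
    diary_dir.mkdir(parents=True, exist_ok=True)
    path = diary_dir / f"{(day or date.today()).isoformat()}.md"  # assumed naming
    with path.open("a", encoding="utf-8") as fh:
        fh.write(result.redacted)
    return path


# Constructed sample of what a compression pass might try to persist.
SAMPLE_SUMMARY = """\
- Decision: migrate the billing job to the new queue
- Data: staging key AKIAIOSFODNN7EXAMPLE lives in the deploy script
- Issue: curl used Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abcdefghijklmnopqrstuvwxyz012345
- Next step: rotate db password=Sup3rS3cret! before Friday
- Files: infra/deploy.sh, docs/runbook.md
"""


def demo() -> dict:
    diary_dir = Path(tempfile.mkdtemp(prefix="diary-demo-")) / "diary"
    when = date(2024, 1, 15)
    first = save_diary_entry(diary_dir, SAMPLE_SUMMARY, day=when)
    second = save_diary_entry(diary_dir, SAMPLE_SUMMARY, confirmed=True, day=when)
    stored = second.read_text(encoding="utf-8")
    return {
        "refused_without_consent": first is None,
        "file": second.name,
        "hit_names": [name for name, _ in review_before_save(SAMPLE_SUMMARY).hits],
        "leaked": any(s in stored for s in ("AKIA", "eyJhbGci", "Sup3rS3cret")),
    }


if __name__ == "__main__":
    print(demo())
```

The first save attempt returns None because three lines matched; the confirmed second attempt writes the entry, and the stored file contains the redaction markers instead of the key, token and password.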

Ssd 3

Severity: High
Confidence: 98%
Finding
The custom recall flow combines MEMORY.md, diary content, and historical conversation retrieval into a single response, increasing the chance that sensitive past information is aggregated and exposed. Aggregation across sources makes this more dangerous than isolated retrieval because it can reveal patterns, decisions, and confidential context that the user did not intend to resurface together.

VirusTotal

VirusTotal findings are pending for this skill version.