Enhanced Memory System with 4 Types

Security checks across malware telemetry and agentic risk

Overview

This is a coherent memory skill, but it needs review because its code can read from or write to locations outside the intended memory folder and executes shell commands with user-controlled text.

Install only after reviewing or patching the implementation. Constrain memory_get and memory_write to the configured memoryDir, replace shell-based curl with a native HTTP call, and avoid using it with sensitive personal, credential, regulated, or confidential team data until review, deletion, and consent controls are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The path expansion logic permits '~', relative paths joined to the base directory, and fully absolute paths without enforcing that the final resolved path stays inside the configured memory directory. That means a caller can request files such as '/etc/passwd' or traverse outside the memory store, turning a memory-read helper into a general filesystem read primitive.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
Allowing HOME-based expansion and arbitrary absolute path resolution is broader than needed for a scoped memory retrieval feature and weakens trust boundaries. In an agent skill context, this increases the chance that prompt-controlled input can access unrelated local files, including secrets in the user's home directory.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding
The path expansion logic allows absolute paths and relative traversal outside the configured memory directory, so a caller can direct writes to arbitrary filesystem locations rather than being confined to memory storage. In an agent skill advertised as a memory system, this broad write primitive is especially dangerous because it can overwrite user files, shell configs, or other application state if attacker-controlled input reaches filePath.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The documentation explicitly promotes automatic memory loading and smart persistence of conversation-derived information, but it does not clearly disclose when data is stored, what is stored, or whether users must explicitly consent each time. In a memory-system skill, this is security-relevant because persistent retention of user content can capture sensitive personal, project, or team information without sufficiently informed user awareness.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The README advertises automatic loading, automatic flush, and file-system storage for multiple classes of memory, including private user information and feedback, but does not warn users that sensitive data may be persisted locally or shared across team-scoped memory. In a memory system skill, this omission increases the chance that operators will store personal, confidential, or regulated data without informed consent, retention controls, or review of where that data is written.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill promotes automatic persistence and loading of user/team memory but does not provide a clear privacy notice, consent model, or retention boundaries. Automatic storage of conversational material can capture sensitive information unexpectedly and increase the chance of later disclosure across sessions or team contexts.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
Guidance to save 'any' user details is overbroad and can lead to collection of highly sensitive personal data without necessity, minimization, or consent. In a memory skill, this context makes the issue more dangerous because the system is specifically designed to persist and later retrieve exactly this information.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The skill defines very broad natural-language triggers to persist memory, including saving any personal user details and all corrections/confirmations. This creates a substantial risk of collecting and retaining sensitive or unnecessary personal data without explicit consent, data minimization, or clear retention boundaries.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The vector search path embeds each chunk of memory file content via embedText(), which may send sensitive local memory contents to an external model or service depending on the embedding backend. In a memory system, those files may contain secrets, personal data, or prior conversation context, so silent transmission creates a real confidentiality risk.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The tool definitions expose powerful memory read, write, search, and flush capabilities using generic descriptions without clear policy constraints, authorization boundaries, or safe-use conditions. In an agent setting, overly broad invocation metadata can cause the model to call these tools in response to ambiguous prompts, increasing the risk of unintended persistence, retrieval of sensitive memory contents, or cross-context data handling.

Ssd 3

Severity: Medium
Confidence: 91%
Finding
Broad instructions to retain user details and confirmations create a semantic privacy risk because personal preferences, corrections, and other private context may be stored indefinitely and later surfaced out of context. This is especially risky in team/shared memory scopes, where private user information may become visible beyond the original interaction.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
Best-practice advice that encourages saving memory whenever any personal detail is learned promotes indiscriminate retention rather than necessity-based storage. Over time this can accumulate sensitive profiles about users, increasing harm from leakage, misuse, or unauthorized access.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The instruction to save 'any personal details' is an unsafe persistence policy because it encourages indiscriminate retention of user data, potentially including sensitive attributes. In a memory system designed for automatic loading and long-term storage, this materially increases privacy and data-exposure risk.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
Automatically recording all user corrections and confirmations can capture unnecessary conversational content, preferences, or sensitive context without user awareness. Because feedback is marked as private/team and bidirectional, the stored data may also be shared more broadly than the user expects.

VirusTotal

63/63 vendors flagged this skill as clean.