Enhanced Memory System V2

Security checks across malware telemetry and agentic risk

Overview

This is a coherent memory skill, but it needs review because it can read and write outside its memory folder and runs shell-built embedding commands that incorporate memory text.

Install only if you are comfortable with a local long-term memory skill that persists and reuses user, feedback, project, and reference data. Avoid storing secrets or sensitive personal data, disable vector search or AutoDream unless you need them, and treat this version as needing fixes for path sandboxing and shell-free embedding before use in a high-trust environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
This code builds shell commands and executes them with `exec`, which introduces command-injection risk because both `model` and `text` influence the command string. Although the target is a local Ollama service, a crafted value containing shell metacharacters or malformed quoting could cause arbitrary command execution under the agent's privileges, which is far more dangerous than normal embedding functionality requires.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The file advertises a memory flush to the filesystem, but the implementation does not persist any session data and can therefore create a false security guarantee. In a memory system, operators may rely on this function for durability, auditability, or context preservation, and silent no-op success can cause data loss or broken safety assumptions.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
`memoryFlush` reports a successful flush even though it only logs messages and builds an unused timestamp string, with no file write or compaction call. This is dangerous because callers and hooks may believe sensitive conversational state has been safely checkpointed or compacted when nothing happened, leading to loss of memory integrity and operational failure.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The path expansion logic allows absolute paths and relative traversal outside the configured memory directory, so a caller can use this API to read arbitrary files on the host filesystem rather than only memory files. In an agent skill, this is especially dangerous because tool callers may influence filePath indirectly, enabling exfiltration of secrets such as SSH keys, API tokens, config files, or other sensitive workspace data.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The function is documented and named as a memory-file reader, but the implementation behaves as a general-purpose file reader. This mismatch increases the chance that other components, reviewers, or policy layers will trust it too broadly, causing unintended exposure of arbitrary local files when integrated into agent workflows.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The path expansion logic allows caller-controlled absolute paths, '~' expansion, and relative paths joined to a configurable base without enforcing that the final destination remains inside a dedicated memory directory. Because memoryWrite later creates parent directories and writes arbitrary content to the resolved path, a caller can write outside the intended memory store and potentially overwrite sensitive files if this API is exposed to untrusted input.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The changelog explicitly describes automatic memory scanning, cleaning, and updating, plus scheduled triggering via heartbeat/time/session counts, but provides no user-facing warning, consent model, or safety guardrails for data-affecting behavior. In a memory system, background modification of stored information can lead to silent data loss, corruption, or retention/privacy issues because users may not realize their memories are being altered automatically.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The product explicitly advertises automatic memory loading and automatic persistence, but does not warn users that conversation content may be stored and reused. In a memory skill, this increases the risk of unintentionally retaining sensitive personal, project, or team data without informed consent, especially because the system is designed for long-term accumulation.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The quick-start guidance encourages users to store information via phrases like '记住...' ('remember...') without warning that this may capture personal or sensitive data. Given that this skill's purpose is long-term memory storage, the omission is more dangerous than in ordinary documentation because users are being directly prompted to persist potentially private information to files or shared memory contexts.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The README advertises private/team memory storage, automatic loading, and automatic flushing, but does not clearly warn that potentially sensitive user, team, or project data will be persisted to disk and reused later. In a memory-oriented skill, this omission can cause operators to store secrets, personal data, or confidential project details without informed consent or retention controls, increasing the risk of unintended disclosure.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill promotes automatic persistence, flushing, and AutoDream consolidation, including deleting outdated information, without clear user-facing warnings or consent prompts. Automatic modification or deletion of stored data can cause privacy surprises, irreversible loss of information, or retention beyond what the user expected.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The memory type policies use very broad natural-language triggers such as saving when learning 'any personal details' or general project dynamics, which can cause routine conversation content to be persisted without clear necessity, minimization, or consent boundaries. In a persistent memory skill with automatic loading and later consolidation/deletion, this creates a real privacy and governance risk because sensitive data may be stored unexpectedly and reused across sessions.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The skill advertises persistent storage, automatic loading, and automatic consolidation behaviors, including deletion and merging of stored data, but does not present any user-facing notice, consent mechanism, or retention/modification disclosure in the manifest. That makes users unlikely to understand that their data may be retained, transformed, or removed across sessions, which is especially risky for personal and team-scoped memory.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The code reads MEMORY.md and all markdown memory files, embeds their contents into a generated prompt, and is designed for that prompt to be sent to an external LLM by the caller. Because these memories explicitly include private user, feedback, and project data, this creates a real data exfiltration risk if sent to third-party model providers without explicit consent, minimization, or redaction.

Missing User Warnings

Severity: Medium
Confidence: 79%
Finding
The onHeartbeat hook can automatically trigger executeDream(), which performs memory consolidation and likely writes or mutates stored memory state without an explicit user action or visible confirmation at the call site. In a memory-management skill, silent background modification is risky because it can alter, summarize, or persist user data unexpectedly, making data handling less transparent and potentially causing privacy or integrity issues.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The vector search path embeds full memory file chunks by passing their contents to `embedText`, which may send sensitive memory data to an external embedding service depending on the implementation. Because this file provides no consent, warning, locality guarantee, or redaction boundary, users may unknowingly exfiltrate private stored memories during search operations.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The skill explicitly encourages storing broad user-private details such as role, preferences, and knowledge, framed as '了解用户任何细节' ('learn any user detail'), without minimization or sensitivity boundaries. This creates a real privacy risk because the system is designed for long-term retention and later retrieval, increasing the chance of collecting unnecessary sensitive personal data.

Ssd 3

Severity: Medium
Confidence: 93%
Finding
The best-practice guidance says that when the system learns about the user, it should save that information to persistent user memory by default. Default persistence of learned user information encourages over-collection and retention of personal data, especially when combined with automatic loading and semantic search across stored memories.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The instruction to save user memory whenever the system learns any personal detail directly encourages over-collection of personal data, potentially including sensitive attributes revealed casually during conversation. In a system with persistent storage and automatic reload, this materially increases privacy risk, makes accidental profiling more likely, and can preserve information beyond the user's expectations.

VirusTotal

64/64 vendors flagged this skill as clean.