Enhanced Memory System V3

Security checks across malware telemetry and agentic risk

Overview

This memory skill has a coherent purpose, but it needs review because it can read/write beyond its memory folder, automatically process stored memories, and send memory contents to MiniMax when an API key is present.

Review carefully before installing:
  • Use only a dedicated, non-sensitive memory directory.
  • Disable AutoDream unless you explicitly want memory files processed by MiniMax.
  • Do not store secrets or sensitive personal data.
  • Avoid exposing memory_get or memory_write to untrusted prompts until path sandboxing and confirmation for destructive changes are added.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (28)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill advertises and appears to rely on shell, network, and environment capabilities without declaring them, which prevents informed consent and proper sandboxing by the host. In this context, those hidden capabilities are especially risky because the skill handles persistent memory and may transmit or transform sensitive user/project data through external or local services.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The documented purpose understates materially significant behavior such as auto-loading memory on session start, heartbeat-triggered background processing, external API use, local embedding generation via shell/curl, and automatic flush mechanisms. This mismatch can cause users to install a seemingly simple memory skill without understanding that it performs automated persistence and networked processing of stored content.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The code sends memory contents, index data, and recent/old memory files to an external MiniMax API for consolidation. In the context of a memory system that stores private user preferences, feedback, project notes, and references, this is a real data exfiltration risk and exceeds the expected local-only behavior implied by the skill description.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding
Reading an API key from environment variables enables the component to authenticate to a third-party service, expanding the skill's capabilities from local file management to remote data transfer. While using env vars for secrets is common, here it materially supports undisclosed external transmission of sensitive memory data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The code uses shell execution for routine operations and interpolates untrusted values into a command string. While the model name is likely developer-controlled in normal use, both `model` and especially `cleanText` can contain shell metacharacters such as single quotes or command substitutions, creating a command-injection path when building the `curl` command.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The code and comments claim that memory is flushed to the filesystem, but the implementation never persists session data and only logs success. In a memory-system skill, this can mislead callers into believing sensitive context was saved or compacted when it was not, causing data loss, broken retention guarantees, and unsafe downstream decisions based on a false success signal.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The path expansion logic allows absolute paths and relative paths containing traversal segments to resolve outside the configured memory directory. Because this function reads arbitrary files from disk based on caller-controlled input, an attacker or untrusted caller could access sensitive local files such as SSH keys, config files, or application secrets, which is especially dangerous in a memory-system skill that may be exposed to agent workflows.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding
The skill reads MINIMAX_CODING_API_KEY from the environment to drive AutoDream, which expands the skill's capabilities beyond local memory management into use of an external credential. In a memory-oriented skill, undeclared access to secrets increases risk because later code paths may send memory contents or metadata to a third-party service without clear user consent or scope controls.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
The search path is derived from caller/config input and `~` is expanded to the user's HOME, so this code can recursively read markdown files from arbitrary local directories rather than being confined to the skill's intended memory store. In a memory-system skill, that broad file access increases the risk of unintended local data exposure, especially because later code reads file contents and returns excerpts to the caller.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The path expansion logic accepts absolute paths, '~' expansion, and relative paths joined to the configured base directory, but it does not constrain the final resolved path to remain inside the intended memory directory. As a result, a caller can supply paths that target arbitrary filesystem locations, giving this helper broader write capability than a memory-only component should have.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding
This write API is presented as part of a memory system, but it allows callers to write or append to arbitrary files outside the memory store because filePath is passed through to filesystem operations without boundary enforcement. In an agent setting, that mismatch is dangerous because higher-level code may trust this helper as a scoped persistence mechanism while it can actually overwrite configuration, source, or user files.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The document advertises automatic memory loading and automatic persistence without clearly warning users that conversation data may be stored and reused. In a memory system handling user, feedback, and project data, silent persistence increases the risk of retaining sensitive information unexpectedly, which can lead to privacy violations, oversharing, or policy noncompliance.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The README advertises automatic loading, smart flushing, and file-system storage, but it does not clearly warn that conversation-derived data may be persisted locally in Markdown files. This can lead users to unknowingly store sensitive prompts, personal data, project details, or team feedback on disk, increasing the risk of accidental disclosure, backup leakage, or unintended sharing.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
AutoDream is described as deleting outdated information and merging duplicate memories, but the skill does not present this as a prominent safety warning or explain the risk of unintended data loss or corruption. For a persistence system, autonomous modification of stored memory is security-relevant because it can silently destroy audit history, alter user preferences, or remove important project context.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill explicitly encourages storing detailed user roles, preferences, and knowledge in persistent memory without a clear privacy disclosure, retention policy, or sensitivity guidance. In a memory tool, this materially increases the chance that personal or confidential information will be retained longer than expected and later exposed through search, summaries, or external processing.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The manifest defines broad, ambiguous conditions for saving user, project, and external-reference data, including 'save any personal details' and 'save when learning external resources'. In a memory skill with automatic hooks and team-scoped storage, this can lead to over-collection and retention of sensitive data without clear minimization or consent boundaries.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill advertises automatic memory loading on session start, automatic AutoDream processing on heartbeat, write capabilities, and deletion of outdated information, but does not describe an explicit user notice, consent flow, or confirmation before these actions occur. This creates a real privacy and integrity risk because data may be collected, transformed, or removed automatically in the background.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The implementation transmits local memory content to a third-party LLM without any explicit runtime warning, consent flow, or clear disclosure in this file. Because the memory system is intended to hold potentially private user and project information, silent transfer creates a significant privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The code consumes a sensitive credential from MINIMAX_CODING_API_KEY without any user-facing disclosure that such a secret will be used to access an external service. On its own this is not unusual, but in this skill it conceals a meaningful remote-processing capability tied to private memory export.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The code deletes local files directly based on filenames extracted from LLM output, with no confirmation, no allowlist validation, and no sandbox enforcement. A malformed, hallucinated, or prompt-influenced model response could delete arbitrary files reachable via path traversal relative to the configured memory directory.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The code automatically creates files and overwrites MEMORY.md based on untrusted LLM output, without preview, approval, or path validation. This allows prompt-influenced content to modify local state and, combined with path joining on model-supplied names, may enable writes outside the intended memory directory.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
Accessing a sensitive API key directly from process.env without any disclosure, consent flow, or boundary enforcement is risky because users may not realize the skill can consume privileged credentials. In this skill's context, that is more dangerous because the same component manages potentially sensitive memory content that could later be processed using that credential.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
Vector search embeds each file chunk by passing raw content to `embedText`, which may send sensitive local memory contents to an external embedding service depending on the implementation and model backend. Because the code scans caller-selected files and provides no disclosure, consent, or data minimization in this path, it can cause covert exfiltration of local notes or secrets.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The guidance to store 'any details' about the user is overly broad and lacks sensitivity boundaries, minimization requirements, or exclusion rules for secrets and personal data. In a persistent memory system with search and possible automated consolidation, over-collection substantially increases privacy harm and the blast radius of accidental disclosure or downstream model processing.

Ssd 3

Severity: Medium
Confidence: 91%
Finding
The best-practice rule 'learn user info → save to user/' normalizes indiscriminate persistence of personal data without requiring necessity, consent, or sensitivity screening. Because this skill is designed to automatically load and search such data later, the instruction can lead to broad accumulation of private context beyond what users expect.

VirusTotal

63 of 63 vendors reported this skill as clean.