UseMemos

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed UseMemos integration that can read and modify memos, comments, and attachments using the user’s configured token.

Install only if you intend to let your agent access the configured UseMemos instance. Use an expiring or least-privilege token if possible, keep the .env file private, review file paths before attachment uploads, avoid PUBLIC visibility unless intended, and confirm comment IDs before running delete commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill documentation indicates access to environment variables, network communication, and shell execution, yet no explicit permissions are declared. This creates a transparency and governance gap: users or an orchestrator may underestimate the skill's effective capabilities, including use of a bearer token and file-handling operations against a remote service.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The declared description says the skill creates, searches, lists memos, and uploads attachments, but the documented scripts also support comment management and linking attachments to existing memos. This mismatch can mislead users and policy engines about the skill's write/delete scope, especially because comment deletion is a destructive action not reflected in the high-level description.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The changelog advertises comment-management functionality that is broader than the stated skill description of memo and attachment operations. This kind of capability drift is dangerous because hidden or undocumented write/delete actions expand the agent's effective permissions and can mislead reviewers or users about what the skill can modify in the target system.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The skill metadata says it only creates, searches, and lists memos plus uploads attachments, but this script introduces comment enumeration, creation, and deletion. That scope mismatch is dangerous because an agent or user may grant trust based on the published description while the code performs additional authenticated actions against the UseMemos instance.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The delete path enables destructive modification of server data even though the advertised skill scope does not justify destructive comment operations. In an agent context, hidden delete capability increases the risk of unauthorized or unexpected data loss because consumers may invoke the skill assuming it is limited to non-destructive memo operations.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The documentation instructs users to configure a long-lived access token and upload files, but does not warn that the token is sensitive or that memo content and attachments will be transmitted to a remote endpoint. In this context, the risk is elevated because the example uses a self-hosted URL and even suggests a non-expiring token, increasing the blast radius if the token or uploaded data is mishandled.

Missing User Warnings

Severity: Low
Confidence: 89%
Finding: The module automatically loads environment variables from a local .env file on import without any user disclosure or explicit opt-in. While this is a common convenience pattern, it can silently introduce secrets or configuration into the runtime and make downstream network/API actions occur with credentials the user did not realize were being used.

Missing User Warnings

Severity: Medium
Confidence: 71%
Finding: The script reads an arbitrary local file and uploads its full contents to the remote UseMemos API without any interactive warning, dry-run, or confirmation. In an agent-skill context, that increases the risk of unintended exfiltration of sensitive local files if the filepath is influenced by a user prompt, another tool, or operator mistake.

Missing User Warnings

Severity: Medium
Confidence: 74%
Finding: These tests perform real DELETE requests against the configured UseMemos instance during cleanup. In a skill context, this is more dangerous because a user may point the tests at a non-test instance, causing unintended deletion of live memos if the token has sufficient privileges.

VirusTotal

64/64 vendors flagged this skill as clean.