Memory Dream

Security checks across malware telemetry and agentic risk

Overview

This memory-cleanup skill does what it claims at a high level, but it also captures conversations, reads prior transcripts, and rewrites persistent memory files with too little disclosure or review control.

Install only if automatic capture and rewriting of agent memory is acceptable for your workspaces. Keep memoryFiles narrowly scoped, consider disabling enableCapture, keep memory files under version control, and avoid using it in sessions that may contain secrets or sensitive personal or business data until disclosure, redaction, review, and rollback controls improve.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding: The documented behavior materially understates the skill's actual data access and execution model: it appears to read recent conversation transcripts and summaries, write to additional memory files, expose internal state via a tool, and run from a broader lifecycle hook than advertised. That mismatch is security-relevant because users and reviewers cannot give informed consent to data collection, retention, and automated modification if the scope is hidden or inaccurately described.

Description-Behavior Mismatch
Severity: Medium
Confidence: 87%
Finding: The skill performs live conversation capture and persists extracted signals into a staging memory file, which expands behavior beyond the declared role of merely consolidating existing memory after sessions. This creates a security-relevant scope mismatch: users or operators may not realize ongoing conversations are being mined and stored, increasing the risk of silent collection of sensitive preferences, constraints, or personal details.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The README explicitly describes automatic background rewriting of user memory files, but it does not give a clear warning that file contents may be modified, pruned, or overwritten by an LLM. Because these files may contain important persistent context, users could enable the plugin without fully understanding the risk of unintended data loss, hallucinated edits, or irreversible corruption from automatic consolidation.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The skill explicitly states that it will 'quietly' clean up memory files automatically, but does not provide a prominent warning that user-controlled data will be modified by an LLM. Automatic pruning and contradiction resolution can delete, rewrite, or distort important information, creating integrity and auditability risks even if the goal is helpful housekeeping.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: This code automatically captures recent user/assistant conversation content and initiates background memory processing without any explicit user notice, consent check, or visible disclosure mechanism in the analyzed file. Because the plugin is specifically designed to persist and consolidate memory across sessions, the undisclosed collection and retention of potentially sensitive conversation data increases privacy risk and can lead to unintended storage of secrets, personal data, or regulated information.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The code sends raw conversation text to a subagent model for analysis without any indication of notice, consent, or minimization at this call site. If conversations contain secrets, personal data, or proprietary information, the skill can silently disclose that content to another model-processing component and increase data exposure beyond the immediate session.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The skill writes extracted memory signals derived from conversations into a persistent workspace file without visible disclosure or approval in this code path. Persisting user-derived details can create long-term retention of sensitive or incorrect information, making later sessions vulnerable to privacy leakage, profiling, or harmful agent behavior based on stale memory.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: This code sends recent transcripts and staging content to a subagent/LLM as part of the prompt, which can expose sensitive conversation history, user data, secrets, or private memory contents to another processing boundary without any visible consent, minimization, or redaction in this flow. In a memory-consolidation skill, that behavior is central to functionality, but the context also makes it more dangerous because the data sources are explicitly high-value and may accumulate long-lived personal or operational details.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The function reads recent transcript files from the agent state directory and returns excerpts of prior user and assistant messages, including content flagged as noteworthy, without any access control, consent check, redaction, or user-facing disclosure in this code path. In a memory-consolidation skill, this creates a real privacy risk because sensitive data from prior sessions can be surfaced or propagated into later prompts unexpectedly.

Ssd 3
Severity: Medium
Confidence: 89%
Finding: The prompt explicitly instructs the model to extract user corrections, preferences, decisions, and constraints for persistent memory, which is effectively long-term profiling of conversation content. In this skill context, that is more dangerous because the feature is designed to survive session boundaries, so sensitive or manipulative user-provided content may be retained and influence future agent behavior without sufficient safeguards.

Ssd 3
Severity: Medium
Confidence: 86%
Finding: The heuristic intentionally preserves messages containing terms like 'remember' and 'important', but those markers often coincide with highly sensitive instructions, preferences, credentials, or personal facts. Because the logic performs no semantic safety screening, it can preferentially retain and retransmit exactly the content most likely to be privacy-sensitive or security-relevant.

VirusTotal

67/67 vendors flagged this skill as clean.