Unified Memory

Security checks across malware telemetry and agentic risk

Overview

This is a real memory-management skill, but it exposes stored memories through unauthenticated web/API servers and has several under-scoped high-impact behaviors users should review before installing.

Install only if you are comfortable with a broad, persistent memory system. Before using it, disable or firewall the web/API servers, bind any dashboard to localhost, require authentication, avoid remote LLM/cloud providers unless explicitly intended, and review Git/QMD/cloud sync settings because stored memories may contain sensitive personal or work data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (99)

Intent-Code Divergence

Severity: Medium | Confidence: 84%
Finding
The documentation makes a strong 'strict team isolation' claim while elsewhere defining a GLOBAL scope accessible to all agents and users. Even if the implementation is correct, this mismatch can mislead operators and integrators into assuming stronger isolation guarantees than actually exist, causing accidental overexposure of shared data.

Intent-Code Divergence

Severity: Low | Confidence: 77%
Finding
The permissions block lists only a small subset of environment variables, while the rest of the document describes additional env-controlled behavior such as model, workspace, and storage configuration. This creates a transparency gap that can cause reviewers or deployers to underestimate the skill's effective configuration and data-flow surface.

Intent-Code Divergence

Severity: Medium | Confidence: 95%
Finding
The documentation says `USER` is private to the current user and also claims `USER ⊂ TEAM ⊂ GLOBAL`, implying broader-scope inheritance into more specific scopes. That contradiction can cause implementers to authorize access incorrectly, potentially exposing private memories across users, teams, or globally if they follow the hierarchy literally.

Intent-Code Divergence

Severity: Medium | Confidence: 89%
Finding
The documentation describes contradictory transaction semantics: the earlier failure path rolls back failed STORE operations, while the crash recovery section says uncommitted STORE operations should be completed. In a system implementing WAL-based recovery, this ambiguity can cause developers or operators to choose the wrong recovery behavior, leading to duplicated writes, resurrection of partially failed data, or divergence between the JSON store and vector store.

Intent-Code Divergence

Severity: Medium | Confidence: 99%
Finding
The parser is intended to accept entries like "coding:0.9", but it uses split(':', 1), which returns only the substring before the colon. As a result, the score portion is discarded and parseFloat receives undefined, silently defaulting every colon-specified score to 0.5; this can corrupt agent capability data and cause incorrect task routing or trust decisions.

Intent-Code Divergence

Severity: High | Confidence: 99%
Finding
`getRelatedMemories()` calls `getMemory(memoryId)`, while `getMemory()` itself calls `getRelatedMemories(memoryId)`, creating unbounded mutual recursion. Any invocation of either path can trigger stack exhaustion or repeated backend calls, causing denial of service and potentially excessive load on storage/vector services.

Intent-Code Divergence

Severity: Medium | Confidence: 96%
Finding
The module claims to provide sensitive-information filtering, but importMemories stores raw imported content and also forwards it into the vector store without calling detectSensitiveInfo or anonymizeText. This can persist secrets, financial data, health data, or credentials in primary storage and secondary indexes, expanding exposure and making later deletion or compliance cleanup harder.

Intent-Code Divergence

Severity: Medium | Confidence: 92%
Finding
The CLI is documented as a search command, but it mutates state by calling touchMemory() for every result. This hidden side effect can violate user expectations, make audit trails misleading, and allow seemingly read-only searches to influence ranking, recency, or downstream logic that depends on access metadata.

Intent-Code Divergence

Severity: Medium | Confidence: 95%
Finding
The sync API advertises synchronization with a remote state, but the implementation ignores the remoteState input and immediately clears local pending changes. This can cause silent data loss and false success reporting, because callers may believe changes were exchanged and acknowledged when no remote integration or persistence actually occurred.

Intent-Code Divergence

Severity: Medium | Confidence: 88%
Finding
The module-level claims about conflict resolution and distributed synchronization are inconsistent with the actual sync path, which neither detects conflicts during synchronization nor applies remote changes. In a collaboration or memory-sync context, this mismatch is dangerous because operators may rely on integrity guarantees that do not exist, leading to overwritten, dropped, or divergent state across devices.

Context-Inappropriate Capability

Severity: Medium | Confidence: 89%
Finding
This module contains built-in logic to instantiate an LLM client and, if unavailable, directly issue HTTP requests to a configured model endpoint. That creates an outbound data path for arbitrary prompt content, which can expose memory contents or user data to local or remote model services without any explicit trust boundary, allowlist, or consent gate in this configuration layer.

Intent-Code Divergence

Severity: Medium | Confidence: 94%
Finding
The tool advertises caller-controlled age filtering via olderThanHours, but the implementation ignores that value for enforcement and always invokes the underlying fixed 48-hour reconsolidation path. This creates a security-relevant integrity issue: callers, policies, or higher-level agents may believe memories older than a stricter threshold were refreshed when they were not, leading to stale-memory use, incorrect policy assumptions, and potentially unsafe downstream decisions.

Intent-Code Divergence

Severity: Medium | Confidence: 99%
Finding
The page implements authentication entirely in client-side JavaScript using a hardcoded password ('mem0') stored in sessionStorage. This does not protect the backend API at all, because an attacker can bypass the prompt, inspect the source for the password, or call /api endpoints directly without loading the UI; in this dashboard context, that can expose or modify sensitive memory data.

Context-Inappropriate Capability

Severity: Medium | Confidence: 93%
Finding
The code sends full episode transcripts, which may contain sensitive user content, to a network-accessible LLM endpoint via fetch without any visible consent, data-classification check, redaction, or manifest-declared need for external transmission. Even if the default host is localhost, the endpoint is configurable through environment variables and the selected model name suggests a possible cloud-backed model, so this creates a real confidentiality and data-governance risk.

Context-Inappropriate Capability

Severity: Medium | Confidence: 91%
Finding
The file sends raw memory text to an external/network-backed LLM for expiry extraction without any visible consent gate, data minimization, or manifest justification. Because memories may contain sensitive personal information, this creates a real privacy and data-exfiltration risk even though the feature appears intended to improve parsing accuracy rather than to behave maliciously.

Context-Inappropriate Capability

Severity: High | Confidence: 97%
Finding
The skill can spawn detached background processes and start an HTTP REST server bound to 0.0.0.0, which expands it from a local memory tool into a remotely reachable service. That materially increases attack surface and persistence risk, especially because process creation and network exposure are unrelated to the minimum functionality needed for memory storage/search.

Context-Inappropriate Capability

Severity: Medium | Confidence: 92%
Finding
The dashboard tool starts a web server that exposes memory data and stats over HTTP, creating access paths outside the MCP channel. In a memory-management skill, exposing a separate dashboard meaningfully broadens data exposure and can allow unintended local or remote access depending on bind behavior in the imported dashboard module.

Intent-Code Divergence

Severity: High | Confidence: 98%
Finding
The code claims strict team isolation, but hybrid team search combines team-scoped BM25 results with unscoped vectorSearch results. That can leak memories from other scopes or tenants into team results, directly violating isolation guarantees in a multi-tenant memory system.

Intent-Code Divergence

Severity: Medium | Confidence: 89%
Finding
When starting the HTTP API child process, the code propagates the full parent environment using env: { ...process.env, ... }. That can expose secrets, tokens, credentials, and internal configuration to a less-contained subprocess and any downstream code it loads.

Context-Inappropriate Capability

Severity: Medium | Confidence: 98%
Finding
The module constructs shell command strings with untrusted inputs and passes them to execSync, including remote_url, files, message, key, value, ref, remote, branch, since, and limit. This creates multiple command-injection paths that can lead to arbitrary command execution on the host, making the risk substantially higher than merely invoking Git.

Intent-Code Divergence

Severity: Medium | Confidence: 97%
Finding
This is a true state-consistency flaw. When archiving the currently active lane, the code marks a replacement lane as active but incorrectly leaves `active_lane` set to the archived lane name, causing subsequent reads and operations to target an archived lane or return inconsistent results. In a memory-management skill, this can lead to misplaced writes, broken access control assumptions around active context, and corruption or loss of conversational state.

Intent-Code Divergence

Severity: Medium | Confidence: 90%
Finding
This is a true integrity issue because the function deletes any lane without enforcing the documented precondition that it must first be archived. That allows accidental or unauthorized removal of active or in-use lanes, which can destroy memory organization state and make recovery difficult, especially in a persistence component handling user context.

Intent-Code Divergence

Severity: Medium | Confidence: 97%
Finding
This is a real logic flaw: `archiveLane()` sets `lane.isActive = false` before checking whether the lane was active, so the fallback-to-primary branch is never taken. The result can leave the system with no active lane, causing subsequent memory operations to behave inconsistently or default unexpectedly, which can undermine data integrity and workflow isolation across lanes.

Context-Inappropriate Capability

Severity: High | Confidence: 94%
Finding
The QMD search helpers build shell command strings with user-controlled query content and execute them via execSync, which introduces command-injection risk. Escaping only double quotes is insufficient because shell metacharacters such as backticks or command substitution can still be interpreted depending on environment, and this code also expands the module's capability into local document discovery beyond its stated lessons scope.

Intent-Code Divergence

Severity: Medium | Confidence: 97%
Finding
The file advertises the embedding service as 'completely offline', but the default model path uses an `hf:` Hugging Face reference and `_doInitialize()` calls `resolveModelFile(...)`, which may download the model at runtime. This is a real security and trust-boundary issue because operators may deploy it in restricted or privacy-sensitive environments expecting no network access, while the code can unexpectedly perform outbound fetches and pull unpinned remote artifacts.

VirusTotal

65/65 vendors flagged this skill as clean.