ClawHub

Meshmorize

Security checks across malware telemetry and agentic risk

Overview

MeshMorize is a disclosed local memory helper; it creates persistent agent memory files and command symlinks, but that behavior matches its stated purpose.

Install only if you want an agent memory system that can retain interaction logs across sessions. Review what the missing companion scripts do before running them, avoid logging secrets or regulated data, and remove the ~/.local/bin symlinks and workspace memory files if you later uninstall it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill prominently advertises automatic logging, cross-layer search, and persistent memory, but it does not clearly warn users that their prompts and replies may be stored across multiple files and retained beyond the current session. In an agent setting, this can lead to inadvertent collection of sensitive data, secrets, or regulated information, especially because users may assume normal ephemeral assistant behavior unless explicitly told otherwise.

Missing User Warnings

Low
Confidence
94% confidence
Finding
The installation and startup steps instruct the user to create symlinks in ~/.local/bin, initialize memory storage, and rotate/create persistent files, but they do not warn that this modifies the local filesystem and establishes durable memory state. While not inherently malicious, the lack of disclosure increases the risk of users enabling persistence and system changes without understanding the operational and privacy consequences.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal