Chromadb Memory Pub

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local memory plugin that automatically searches a configured ChromaDB collection and adds matching memories to the agent context.

Install only if you want automatic long-term memory recall. Keep ChromaDB and Ollama local or on a trusted private network, avoid indexing secrets or sensitive documents, review what is stored in the collection, pin the ChromaDB Docker image instead of using `latest`, and set `autoRecall` to `false` if you prefer manual searches only.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill clearly depends on network-accessible services (ChromaDB over HTTP and Ollama over HTTP), yet the manifest shown in SKILL.md does not declare any corresponding permission or prominently warn the user about that capability. Undeclared network behavior weakens user trust and reviewability because operators may install the skill assuming it is purely local logic rather than a component that sends every prompt to local HTTP services.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill advertises automatic per-turn querying of user messages and automatic context injection, but it does not provide an explicit privacy warning or consent prompt about sending each message to ChromaDB/Ollama and re-surfacing stored memories into future conversations. This creates a real risk of inadvertent disclosure of sensitive user input or prior stored data, especially because the behavior is automatic and continuous rather than tool-invoked by the user.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: Auto-recall forwards every sufficiently long agent prompt to local HTTP endpoints for Ollama embeddings and ChromaDB querying without explicit user consent, visibility, or data minimization. Even though the services are local/self-hosted, prompts may contain secrets, credentials, personal data, or sensitive task content, and automatic transmission expands the trust boundary and creates an unannounced privacy and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The plugin description explicitly states that relevant memory is automatically injected before each turn, and the schema enables this by default via `autoRecall: true`, but there is no corresponding warning, consent flow, or privacy notice in the manifest. This can expose previously stored sensitive data to future prompts or model outputs unexpectedly, especially in a long-term memory skill where users may not realize old content is being resurfaced automatically.

VirusTotal

63/63 vendors flagged this skill as clean.
