MidOS Memory Cascade

Security checks across malware telemetry and agentic risk

Overview

This is a genuine memory-search skill, but it can read broad local knowledge stores and persist learned state to disk without clear scope or retention controls.

Install only if you want an agent to search and update broad local memory stores for this project. Review which `knowledge/`, `hooks/`, SQLite, and LanceDB data it can reach, and avoid using `store()` or `evolve()` with sensitive content unless you have clear local retention and cleanup rules.
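Before installing, it helps to enumerate exactly which paths a skill can write. The following is an added example, not code from the MidOS skill or from SkillSpector: a small AST-based check that lists file-creating or file-modifying calls (`open()` in a write mode, `sqlite3.connect`, `lancedb.connect`, `os`/`shutil` path operations and `pathlib.Path` write methods) together with the literal path each one targets. The sink table and the `SAMPLE_SKILL` source are constructed for the example and are assumptions about what such a skill typically looks like.

```python
from __future__ import annotations

import ast
from dataclasses import dataclass

# Calls whose argument at the given index is a filesystem target. These are
# common persistence APIs chosen for the example, not names taken from the skill.
PATH_SINKS = {
    "sqlite3.connect": 0,
    "lancedb.connect": 0,
    "os.makedirs": 0, "os.mkdir": 0, "os.remove": 0, "os.unlink": 0,
    "os.rename": 1, "os.replace": 1,
    "shutil.copy": 1, "shutil.copyfile": 1, "shutil.move": 1,
}
# pathlib.Path methods that create or modify the receiver path.
METHOD_SINKS = {"write_text", "write_bytes", "touch", "mkdir", "unlink", "rename", "replace"}


@dataclass
class WriteSink:
    lineno: int
    call: str    # the call as written, e.g. "open" or "sqlite3.connect"
    target: str  # literal path, or <name>/<expr> when it is not a literal


def _dotted(node: ast.AST) -> str | None:
    """Return 'a.b.c' for a Name/Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _literal_str(node: ast.AST | None) -> str | None:
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None


def _path_of(node: ast.AST) -> str:
    """Best-effort description of a path expression: a literal, Path('literal'),
    an f-string marker, or the variable/attribute name it came from."""
    lit = _literal_str(node)
    if lit is not None:
        return lit
    if isinstance(node, ast.Call) and _dotted(node.func) in {"Path", "pathlib.Path"} and node.args:
        return _path_of(node.args[0])
    if isinstance(node, ast.JoinedStr):
        return "<f-string>"
    dotted = _dotted(node)
    return f"<{dotted}>" if dotted else "<expr>"


def find_write_sinks(source: str) -> list[WriteSink]:
    """List calls in `source` that can create or modify files, in line order."""
    sinks: list[WriteSink] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if name in {"open", "io.open"}:
            # open() only writes when the mode contains w, a, x or +.
            mode = _literal_str(node.args[1]) if len(node.args) > 1 else None
            for kw in node.keywords:
                if kw.arg == "mode":
                    mode = _literal_str(kw.value)
            if mode and any(c in mode for c in "wax+") and node.args:
                sinks.append(WriteSink(node.lineno, name, _path_of(node.args[0])))
        elif name in PATH_SINKS:
            idx = PATH_SINKS[name]
            target = _path_of(node.args[idx]) if len(node.args) > idx else "<expr>"
            sinks.append(WriteSink(node.lineno, name, target))
        elif isinstance(node.func, ast.Attribute) and node.func.attr in METHOD_SINKS:
            receiver = node.func.value
            call = name or f"<expr>.{node.func.attr}"
            sinks.append(WriteSink(node.lineno, call, _path_of(receiver)))
    return sorted(sinks, key=lambda s: s.lineno)


def summarize(source: str) -> list[tuple[str, str]]:
    return [(s.call, s.target) for s in find_write_sinks(source)]


# Constructed sample of what a memory skill's store() path might look like;
# it is not the MidOS source.
SAMPLE_SKILL = '''
import json, sqlite3, lancedb
from pathlib import Path

ROOT = Path(__file__).parent
STATS = ROOT / "knowledge" / "cascade_stats.json"

def recall(query):
    return open("knowledge/index.txt").read()          # read only: not reported

def store(content, meta):
    with open("hooks/state.jsonl", "a") as fh:        # append mode: reported
        fh.write(json.dumps({"content": content[:2000], "meta": meta}) + "\\n")
    db = sqlite3.connect("knowledge/memory.db")       # creates the DB if missing
    STATS.write_text(json.dumps(meta))                # non-literal receiver
    lancedb.connect("knowledge/lancedb")
'''

if __name__ == "__main__":
    for sink in find_write_sinks(SAMPLE_SKILL):
        print(f"line {sink.lineno:>3}: {sink.call}({sink.target!r})")
```

Run it over every `.py` file in the skill directory and compare the reported targets with the `knowledge/`, `hooks/`, SQLite and LanceDB locations you are willing to let the agent touch; a `<name>` target means the path is computed at runtime and needs to be traced by hand.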

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    pattern = ".*".join(words)
    try:
        result = subprocess.run(
            ["grep", "-rl", "-i", pattern, "knowledge/chunks/"],
            capture_output=True,
            text=True,
Confidence
90% confidence
Finding
result = subprocess.run( ["grep", "-rl", "-i", pattern, "knowledge/chunks/"], capture_output=True, text=True, cwd=str(ROOT), timeout
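The list-form `subprocess.run` above avoids a shell, but two things in the visible snippet are still worth checking: the pattern is built from `words` with no escaping, so the caller controls a regular expression, and it is passed positionally right after `-i`, so a first word beginning with `-` would be parsed by grep as options. The following is an added example, not code from the MidOS skill: it escapes each word as a literal for `grep -E`, binds the pattern with `-e`, and terminates option parsing with `--` before the search root. The function names, the `words`/`root` parameters and the temporary-directory demo are assumptions for the example.

```python
import subprocess
from pathlib import Path

# POSIX ERE metacharacters. Only these are escaped; a backslash before an
# ordinary character is undefined in ERE, so we do not use re.escape().
_ERE_SPECIAL = set('.[]{}()*+?^$|\\')


def ere_escape(word: str) -> str:
    """Escape a search word so grep -E matches it literally."""
    return "".join("\\" + c if c in _ERE_SPECIAL else c for c in word)


def build_grep_argv(words, root: str = "knowledge/chunks/") -> list[str]:
    """argv for a case-insensitive, recursive, filename-only search for the
    words in order, with user input unable to become grep options or regex."""
    clean = [w.strip() for w in words if w and w.strip()]
    if not clean:
        raise ValueError("no search words")
    # A newline inside a grep pattern starts a second, alternative pattern,
    # so it must not come from user input.
    if any("\n" in w or "\0" in w for w in clean):
        raise ValueError("search words must not contain newline or NUL")
    pattern = ".*".join(ere_escape(w) for w in clean)
    # -e binds the pattern to an option, so a word such as "-f" is not read as
    # flags; -- ends option parsing so the root cannot be misread either.
    return ["grep", "-r", "-l", "-i", "-E", "-e", pattern, "--", root]


def search(words, root: str = "knowledge/chunks/", cwd=None, timeout: float = 10) -> list[str]:
    """Run grep and return matching file paths. grep exits 1 when nothing
    matched, which is not an error; any other non-zero status is."""
    proc = subprocess.run(
        build_grep_argv(words, root),
        capture_output=True,
        text=True,
        cwd=cwd,
        timeout=timeout,
    )
    if proc.returncode not in (0, 1):
        raise RuntimeError(proc.stderr.strip() or f"grep exited {proc.returncode}")
    return proc.stdout.splitlines()


if __name__ == "__main__":
    import shutil
    import tempfile

    # A first word of "-f" and a nested quantifier both end up as harmless literals.
    print(build_grep_argv(["-f", "(a+)+"]))
    if shutil.which("grep"):
        # Constructed sample corpus, not the skill's knowledge/chunks/ data.
        with tempfile.TemporaryDirectory() as d:
            Path(d, "note.md").write_text("deploy steps for prod\n")
            print(search(["deploy", "prod"], root=".", cwd=d))
```

Keep the `timeout` the original code already passes: with escaped words the pattern can no longer contain catastrophic backtracking constructs, but a very large `knowledge/chunks/` tree still bounds how long the agent blocks.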

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
A skill presented as search-only also exposes write and self-modifying capabilities through store() and evolve(). In context, that makes the skill more dangerous because users may invoke it expecting passive retrieval while it can persist new data and alter future execution behavior based on prior runs.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The skill is presented as a recall/search component, but it also exposes write capabilities that can persist data into multiple locations. That expands the trust boundary and can surprise callers into modifying local state or storing sensitive content when they expected read-only behavior.

Description-Behavior Mismatch

Low
Confidence
80% confidence
Finding
The module writes cascade telemetry and learned routing state to disk even though its primary stated role is answer retrieval. This hidden persistence can leak query history or operational metadata and violates least surprise for a retrieval-oriented tool.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill documents persistent writes to memory and statistics files without a prominent user-facing warning that execution modifies stored data. This is risky because a user may treat the skill as a read-only query tool, yet it can leave durable artifacts, contaminate memory stores, or alter later retrieval outcomes.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The write paths persist content to disk without any user-facing disclosure or confirmation. In an agent skill context, silent persistence is risky because prompts, secrets, or sensitive intermediate data may be stored locally without the operator realizing it.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This path writes user-provided content into JSON state files automatically, truncating but otherwise preserving the data. Hidden state persistence can expose confidential prompts or business data to later reads, backups, or other tools with filesystem access.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Hook state and JSONL log writes store content and timestamps without user-facing disclosure. In a multi-tool agent environment, this creates an audit trail of user data that may include secrets or sensitive operational context and can later be harvested by other local processes or users.

VirusTotal

65/65 vendors flagged this skill as clean.
