Brain Memory System

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local agent-memory tool, but it needs review because it persists sensitive memory, can send procedure history to external LLM endpoints, and has weak scoping and credential disclosures.

Install only if you intentionally want a persistent local memory database for an agent. Avoid storing secrets in memories, facts, procedure steps, or failure logs; prefer `BRAIN_LLM_KEY` from the environment over `brain config set key`; use `proc evolve --dry-run` and a trusted or local LLM endpoint; and do not use shared multi-agent databases unless you accept that some commands can reveal other agents' data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Tainted flow: 'SESSION_STATE' from os.environ.get (line 26, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    output = "\n".join(lines)

    # SESSION_STATE comes from os.environ.get (line 26); the path is written to unchecked
    with open(SESSION_STATE, "w") as f:
        f.write(output)

    print(f"✅ Dumped {len(rows)} working memory slots to SESSION-STATE.md")
Confidence
93% confidence
Finding
with open(SESSION_STATE, "w") as f:

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The code advertises a forgetting/archive step, but it never changes episode state after selecting 'forgettable' rows; it only writes an audit log entry. Because archived items remain eligible for future queries and processing, retention controls can silently fail, causing low-value or potentially sensitive historical memory to persist indefinitely despite operators believing it was forgotten.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
`cmd_important` queries high-importance episodes without applying the agent/shared scope used elsewhere in the file. In a multi-agent memory store, this exposes records belonging to other agents and breaks the isolation model promised by the skill, which can leak sensitive memory content or metadata across tenants.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
`cmd_stats` reports counts, date ranges, emotion distribution, and procedure/fact totals across the entire database rather than the current agent plus shared scope. Even without dumping raw content, aggregate statistics can reveal the existence, volume, activity patterns, and emotional metadata of other agents, which is an information disclosure issue in this skill’s stated memory model.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
`cmd_who` enumerates all agent names and their record counts across episodes, facts, and procedures. This directly discloses tenant identities and usage levels, enabling cross-agent reconnaissance and violating the skill’s own 'own + shared' access boundary.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The code sends procedure content, failure descriptions, and any recorded fixes to a configurable external LLM endpoint. That creates a real data-exfiltration/privacy risk because procedures and failure history can easily contain secrets, internal paths, operational details, or sensitive business context, and the transmission happens without strong constraints on destination or content sensitivity.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script supports arbitrary LLM URL and credential configuration, then uses those values for outbound requests. In a security-sensitive agent skill, this expands trust boundaries and can route sensitive procedural data to untrusted or attacker-controlled services if the config or environment is manipulated.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README states that procedure evolution uses an external LLM endpoint but does not prominently warn that failure logs, workflow steps, and possibly sensitive operational context may be transmitted off-box. In a memory system that stores agent experiences and procedures, this can expose internal data, secrets, or user content during evolution if operators assume all processing is local.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The invocation guidance is broad enough to match many ordinary requests involving memory, facts, procedures, or health checks, which can cause over-selection of this skill. Because the skill has write, shell, and network-capable functions, overly eager invocation raises the likelihood of unnecessary file modification, persistence, or data transmission.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The markdown states that `proc evolve` sends data externally to an LLM provider but does not prominently warn what procedure steps, failure logs, errors, or other potentially sensitive operational details may be transmitted. In a memory-oriented skill, users may reasonably assume data stays local, so understated disclosure creates privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The implementation transmits detailed procedure state and failure history to an external service but does not present a user-facing notice or consent step at the point of transmission. Because failure logs often contain operational errors, tokens, file locations, and remediation notes, silent export materially increases confidentiality risk.

VirusTotal

64/64 vendors flagged this skill as clean.
