starmemo

Security checks across malware telemetry and agentic risk

Overview

This is a genuine memory skill, but it can broadly and persistently capture user messages and send memory content to external AI services, with controls and disclosure that are not tight enough.

Review before installing. Use it only if you want a persistent memory assistant that may save normal conversation text. Do not enter secrets or sensitive personal/business data unless you have checked the settings, memory files, and provider configuration. Keep AI and web features disabled unless you trust the configured external services, and avoid passing API keys on the command line.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (28)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import sys

# Installs the "requests" package via pip at import time if it is missing
def auto_install():
    try:
        import requests
    except ImportError:
        import subprocess
        subprocess.check_call([sys.executable, "-m", "pip", "install", "-q", "requests"])

auto_install()
import requests
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "-q", "requests"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import sys

# Installs the "requests" package via pip at import time if it is missing
def auto_install():
    try:
        import requests
    except ImportError:
        import subprocess
        subprocess.check_call([sys.executable, "-m", "pip", "install", "-q", "requests"])

auto_install()
import requests
Confidence
97% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "-q", "requests"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises only a memory feature but, per the detected capabilities, can read/write files, access the network, and invoke shell commands without declaring permissions or presenting clear consent boundaries. In a memory skill, this is dangerous because users may provide sensitive personal data that can then be persisted locally or transmitted externally through undeclared channels.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
There is a material mismatch between the user-facing description and the observed behaviors: automatic dependency installation, outbound transmission of user and memory content to third-party LLM services, optional web fetching, local storage of configuration/API keys, and prior auto-saving of user input. This mismatch undermines informed consent and can expose sensitive conversations, credentials, and browsing-derived content beyond what a user would reasonably expect from a 'memory system'.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Auto-installing Python packages is outside the stated memory-management purpose and creates an unnecessary supply-chain and execution surface. In a skill environment, importing the file is enough to trigger package installation, which can modify the host and execute installer code without informed consent.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill's advertised role is memory management, but it can fetch external web content and then store AI-processed results into memory. This expands the trust boundary and may contaminate stored memory with untrusted remote data, increasing prompt-injection, misinformation, and privacy risks.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Auto-installing dependencies is not necessary for a memory-processing skill and expands the skill's capability to mutate the host environment. In restricted or shared agent runtimes, this can bypass expected deployment controls, pull code from external repositories, and introduce supply-chain risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises '联网学习' (online learning) and support for external LLM providers with API keys, but it does not clearly and prominently warn that user memory content, prompts, or extracted knowledge may be transmitted to third-party services when AI/web features are enabled. In a memory system that stores potentially sensitive personal data, this omission can cause users to unknowingly expose private information to external vendors or web services.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger conditions are broad and conversationally common, such as reacting when the user says words like '之前' (before) or '上次' (last time), which can cause unintended memory recall or storage. In a persistent memory tool, accidental activation increases the chance of collecting, surfacing, or acting on sensitive historical data without the user clearly requesting it.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill explicitly enables persistent storage, AI optimization, and network-backed learning, but the description does not provide a clear user-facing warning about what data may be stored locally or sent to external services. Because this is a memory system likely to process personal or confidential information, the lack of transparency significantly raises privacy and data leakage risk.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The manifest registers a broad `on_user_input` hook without any visible constraints on when it should run or what data it may process. In a memory skill with file read/write permissions, this creates unnecessary exposure because every user message could trigger storage, transformation, or file operations, increasing the chance of over-collection, prompt-triggered misuse, or unintended persistence of sensitive content.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The `config --show` path prints the first 15 characters of the configured API key to stdout. Even partial secret disclosure can materially help an attacker identify the provider, correlate leaked credentials across logs/screenshots, and reduce brute-force or social-engineering effort; in CLI environments, output is often captured in shell history, terminal logs, CI logs, or screen sharing.

Missing User Warnings

High
Confidence
99% confidence
Finding
The hook saves all user input by default across contexts without any user-facing notice, consent, or contextual filtering. In a memory skill, this is particularly dangerous because users may reveal credentials, personal data, or confidential business content that then becomes persistently stored.

Missing User Warnings

High
Confidence
98% confidence
Finding
User content is sent to third-party LLM endpoints when AI is enabled, but the code provides no user-facing warning or explicit consent flow. Because this is a memory-oriented skill processing conversational content, external transmission may expose sensitive or regulated data to outside providers.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Automatically invoking pip without warning or confirmation changes the runtime environment and can execute installer-controlled code paths unexpectedly. In a plugin/skill context, silent installation is especially unsafe because loading the skill is enough to trigger it.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger conditions for proactive save/recall are broad enough to capture ordinary conversation, which can cause the agent to store or retrieve user information without clear, contextual consent. In a memory skill with persistence enabled, this increases the chance of over-collection, privacy violations, and unintended resurfacing of sensitive history.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises '联网学习' (online learning) but does not warn that user content may be transmitted to external services, creating a transparency and privacy risk. Because this is a memory system, the data being sent could include persistent personal history or derived knowledge, making silent network use more dangerous than in a stateless tool.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The configuration examples encourage setting API keys and enabling web access without any guidance on credential handling, third-party exposure, or privacy implications. This can lead users or agents to place secrets in command history and to activate external services that process stored memory data without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The LLM call sends user text to third-party endpoints, and other methods pass memory/context derived from users as well, but the code provides no notice, consent flow, or policy gate. Because this skill is explicitly a memory system, the transmitted content may include sensitive personal data, making external disclosure more dangerous in this context.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The dependency installation runs automatically and silently, without warning or confirmation. This is unsafe because users and operators may not expect the skill to download and install software during import, especially in managed or sandboxed environments.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The CLI explicitly supports passing an API key via the `--key` argument, which exposes the secret in shell history, terminal scrollback, process listings, and audit logs on multi-user systems. In a memory/knowledge tool that may integrate with external LLM providers, compromise of the API key can lead to unauthorized API use, billing abuse, and possible access to associated provider resources.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The engine automatically persists user-provided text and AI-extracted knowledge to storage whenever no relevant memory is recalled and auto_save is enabled, without any explicit consent, warning, or preview. In a memory skill, this behavior is especially risky because users may share sensitive personal, credential, or confidential business information during normal conversation and have it silently written to disk.

Missing User Warnings

Low
Confidence
83% confidence
Finding
Configuration changes are saved to disk immediately, including settings related to LLM selection, persistence, and possibly API key handling via set_llm(params["llm"], params.get("key")), without an explicit disclosure that these changes will persist locally. This can surprise users and may leave sensitive configuration material stored on disk longer than intended, though the direct impact is lower than automatic memory persistence.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The recall flow automatically searches previously stored daily memories and knowledge entries once heuristic triggers are detected, then assembles that content into a prompt/context string without any explicit user notice or consent step. In a memory skill, this can surface sensitive prior conversations or stored personal data unexpectedly, increasing privacy leakage risk, especially when the current query is ambiguous or shared with downstream AI components.

Ssd 3

High
Confidence
99% confidence
Finding
The code unconditionally persists all user inputs across platforms, creating broad, silent retention of potentially sensitive data. In the context of a memory skill, this is more dangerous because persistence is the core behavior and can accumulate large amounts of private conversation history without meaningful boundaries.

VirusTotal

64/64 vendors flagged this skill as clean.
