Ultra Memory

Security checks across malware telemetry and agentic risk

Overview

Ultra Memory is a disclosed local long-term memory skill that stores substantial agent activity, but I found no hidden exfiltration, deceptive install behavior, or destructive automation.

Install only if you want the agent to keep local cross-session memory. Protect ~/.ultra-memory with restrictive permissions, use scopes in shared environments, configure a bearer token before exposing the REST server, and enable auto hooks or multimodal extraction only when you are comfortable with those contents being persisted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (92)

Tainted flow: 'index_file' from os.environ.get (line 117, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
        kept.append(s)

    index["sessions"] = kept
    with open(index_file, "w", encoding="utf-8") as f:
        json.dump(index, f, ensure_ascii=False, indent=2)

    print(f"[ultra-memory] session_index.json: {original_count} → {len(kept)} records")
Confidence
88% confidence
Finding
with open(index_file, "w", encoding="utf-8") as f:

Tainted flow: 'tmp_file' from os.environ.get (line 158, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    profile["version"] = 2

    tmp_file = profile_file.with_suffix(".tmp")
    with open(tmp_file, "w", encoding="utf-8") as f:
        json.dump(profile, f, ensure_ascii=False, indent=2)
    tmp_file.replace(profile_file)
Confidence
87% confidence
Finding
with open(tmp_file, "w", encoding="utf-8") as f:

Tainted flow: 'facts_file' from os.environ.get (line 316, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
        if not fact.get("session_id"):
            fact["session_id"] = session_id

    with open(facts_file, "a", encoding="utf-8") as f:
        for fact in facts:
            f.write(json.dumps(fact, ensure_ascii=False) + "\n")
Confidence
88% confidence
Finding
with open(facts_file, "a", encoding="utf-8") as f:

Tainted flow: 'output_file' from os.environ.get (line 88, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    file_name = Path(media_path).name
    output_file = multimodal_dir / f"{file_name}.txt"

    with open(output_file, "w", encoding="utf-8") as f:
        f.write(f"# Extracted from: {media_path}\n")
        f.write(f"# Media ID: {media_id}\n")
        f.write(f"# Extracted at: {_now_iso()}\n")
Confidence
91% confidence
Finding
with open(output_file, "w", encoding="utf-8") as f:
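The four taint findings above share one shape: a path derived from an environment variable (the overview names ULTRA_MEMORY_HOME, defaulting to ~/.ultra-memory) reaches open() for writing with no check that the directory is private, really a directory, or where the caller expects it to be. The following is an added example of how a practitioner would close that gap, written for this review and not taken from Ultra Memory. The function names, the env var lookup and the 0700/0600 mode policy are this example's assumptions; it also implements the overview's advice to keep ~/.ultra-memory restricted.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Added example (not Ultra Memory's code). POSIX only: relies on uid and mode bits.
# Assumes the memory root is taken from ULTRA_MEMORY_HOME, defaulting to ~/.ultra-memory.


def trusted_home(env=None):
    """Resolve the memory root from the environment and reject unsafe locations.

    Returns the resolved directory Path, or raises ValueError.
    """
    env = os.environ if env is None else env
    raw = env.get("ULTRA_MEMORY_HOME") or os.path.join(os.path.expanduser("~"), ".ultra-memory")
    home = Path(raw)
    if not home.is_absolute():
        raise ValueError("ULTRA_MEMORY_HOME must be an absolute path")
    if home.is_symlink():
        raise ValueError("memory root must not be a symlink")
    home.mkdir(mode=0o700, exist_ok=True)  # mode only applies when we create it
    st = home.lstat()
    if not stat.S_ISDIR(st.st_mode):
        raise ValueError("memory root is not a directory")
    if st.st_uid != os.getuid():
        raise ValueError("memory root is not owned by the current user")
    if st.st_mode & 0o077:
        raise ValueError("memory root is readable or writable by group/other; chmod 700 it")
    return home.resolve()


def safe_path(home, *parts):
    """Join caller-supplied parts under home and refuse anything that escapes it."""
    target = home.joinpath(*parts).resolve()
    if target != home and home not in target.parents:
        raise ValueError(f"path escapes memory root: {target}")
    return target


def atomic_private_write_json(path, obj):
    """Write JSON through a 0600 temp file in the same directory, then os.replace().

    mkstemp() creates the file 0600 and O_EXCL, so a pre-planted symlink or a racing
    writer cannot redirect the data; os.replace() makes the update atomic.
    """
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    fd, tmp_name = tempfile.mkstemp(prefix=path.name + ".", suffix=".tmp", dir=path.parent)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump(obj, f, ensure_ascii=False, indent=2)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp_name, 0o600)  # explicit, in case a subclass of mkstemp is ever swapped in
        os.replace(tmp_name, path)
    except BaseException:
        try:
            os.unlink(tmp_name)
        except FileNotFoundError:
            pass
        raise
    return path


if __name__ == "__main__":
    root = trusted_home()
    print(atomic_private_write_json(safe_path(root, "profile.json"), {"version": 2}))
```

Compared with the excerpts above, the difference is that the root is validated once (absolute, not a symlink, owned by us, 0700) before any file name is joined under it, the join itself is checked for traversal, and the write goes through a 0600 temp file created with O_EXCL rather than open(..., "w") on a path an attacker may have pre-created.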

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The management section enables listing all sessions, global search, stats, export, garbage collection, and scope enumeration. These are powerful administrative functions beyond ordinary recall and can expose or manipulate accumulated memory across projects and users if invoked inappropriately.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The skill introduces a local REST server and bearer-token auth despite presenting itself as a local memory feature. Even if bound to 127.0.0.1, exposing memory operations over HTTP increases attack surface, and optional token configuration suggests the service may run with weak or absent authentication in some deployments.
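The concrete risk in the finding above is the combination of two settings: a bind address that is not loopback and a token that is absent or weak. The following is an added example, written for this review and not part of Ultra Memory, of a startup check that refuses that combination and of a constant-time bearer check for the request path. The function names, the 32-character minimum and the treatment of the literal host "localhost" as loopback are this example's assumptions.

```python
import hmac
import ipaddress
import secrets

# Added example (not Ultra Memory's code). Config values are passed in explicitly;
# how the real server reads them is not shown on the page.


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and the literal name 'localhost' (assumed loopback)."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def validate_server_config(bind_host, token):
    """Return (ok, reason).

    Weak setting:      bind_host="0.0.0.0", token=None   -> refused
    Corrected setting: bind_host="127.0.0.1", token=None -> allowed (loopback only)
                       bind_host="0.0.0.0", token=<32+ random chars> -> allowed
    """
    if token is not None and len(token) < 32:
        return False, "bearer token too short (need at least 32 characters)"
    if not is_loopback(bind_host) and not token:
        return False, f"refusing to bind {bind_host} without a bearer token"
    return True, "ok"


def check_bearer(authorization_header, expected_token):
    """Constant-time check of an 'Authorization: Bearer <token>' header.

    Fails closed when no token is configured, so an unset token never means 'allow all'.
    """
    if not expected_token or not authorization_header:
        return False
    scheme, _, presented = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected_token.encode("utf-8"))


def generate_token():
    """A token strong enough to pass validate_server_config (43 URL-safe characters)."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    print(validate_server_config("0.0.0.0", None))
    tok = generate_token()
    print(validate_server_config("0.0.0.0", tok), check_bearer("Bearer " + tok, tok))
```

The important design point is in check_bearer: when the operator has not configured a token, the check returns False rather than skipping authentication, and validate_server_config only allows that state when the bind address is loopback.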

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The integration exposes profile read/update operations even though the stated skill purpose is cross-session memory init/log/recall. That creates a capability expansion into user-profile access and modification without clear justification, increasing the risk of undisclosed collection, inference, or tampering with personal data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code directly supports reading and updating user profile data via a subordinate script, but that capability is not aligned with the described memory-only function. In an agent context, hidden profile mutation is dangerous because it can silently persist sensitive preferences or inferred attributes across sessions without meaningful user awareness.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The manifest describes a cross-session memory and logging capability, but this API also exposes a user profile read/update surface that can persist arbitrary profile data. That expands the trust boundary from task memory into broader personal-data storage, increasing privacy and unauthorized data retention risk if agents write sensitive attributes without explicit user consent.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The server exposes a memory_knowledge_add write endpoint that extends the skill beyond the stated session-memory purpose into persistent knowledge-base mutation. That creates a broader data-modification surface than users and integrators may expect, enabling silent persistence of arbitrary content that could later influence agent behavior or contaminate retrieved memory.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The memory_profile tool allows reading and updating a persistent user profile stored outside a single session, which exceeds a narrow 'remember prior work' function. In an agent setting, this can accumulate long-lived personal or preference data without clear user consent boundaries, increasing privacy and integrity risk.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill metadata presents the capability as session memory and history recall, but the tool surface also exposes persistent cross-session user profile storage. That mismatch can cause the agent or user to disclose and retain personal preferences or project information without informed consent, expanding data collection beyond the stated purpose.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The advertised functionality focuses on recalling historical operations, but the interface also adds a separate persistent knowledge base. This materially broadens retention scope and can lead to long-term storage of sensitive task details or derived knowledge that users did not expect to persist.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill’s stated purpose is cross-session task memory and recall, but the toolset expands into persistent user profiling and a reusable knowledge base. That broadens collection and retention beyond what users would reasonably expect, increasing the chance that personal preferences, behavioral data, or unrelated information are stored and later surfaced without informed consent.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Persistent user-profile storage is not necessary to remember prior task steps, yet the skill exposes it as a first-class capability across all sessions. This creates unnecessary long-term accumulation of user attributes and preferences, which can reveal sensitive habits or be reused in contexts the user did not intend.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The advanced config documents capabilities that materially expand the skill beyond simple cross-session memory: automatic fact extraction, contradiction handling, multimodal ingestion, and checkpoint persistence. In a memory skill, this scope creep is dangerous because operators may enable broad collection and persistence behaviors that were not clearly disclosed in the manifest, increasing data exposure and trust mismatch.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The documentation introduces team-shared and S3-backed memory, extending storage from local per-user persistence to shared or remote persistence. That changes the threat model substantially: more principals can access the data, retention may be longer, and networked storage introduces misconfiguration and data leakage risks not reflected in the stated scope.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
Documented OCR, PDF extraction, and video transcription go well beyond remembering prior operations and can ingest large amounts of sensitive user content from files and media. In the context of an auto-logging memory skill, these features create a path for broad, persistent capture of unrelated personal or confidential data.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
LangGraph checkpoint persistence can store full agent state, not merely operation summaries or session memory. Full state may include prompts, intermediate outputs, tool results, secrets, or user content, so persisting it under a memory feature exceeds user expectations and increases sensitive-data retention risk.

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The script implements autonomous forgetting and suppression of stored facts, while the skill metadata emphasizes cross-session memory recording, restoration, and retrieval. In an agent-memory skill, silently downgrading or forgetting prior facts can corrupt continuity, hide historical actions, and undermine auditability or user expectations about retained state.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code marks categories such as preference, person, and project as permanent memory, creating long-lived retention of profile-style information. In a cross-session memory skill, permanent retention of personal or behavioral data without clear necessity, consent, or retention controls increases privacy risk and can exceed the stated functional scope.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Keyword heuristics infer that content mentioning users, preferences, projects, residence, or work should be stored as permanent memory, even when the user did not explicitly request persistent storage. This can cause covert long-term capture of sensitive personal or organizational information from ordinary conversation, which is especially risky in an always-on memory skill.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The hook logs every conversation turn automatically, even though the skill metadata states it should trigger only for specific memory-related phrases and should not trigger when the user explicitly says not to record. This creates unauthorized persistence of user content and defeats user expectations and policy controls, which is especially dangerous in an agent memory component designed to span sessions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The code persists tool invocation inputs and output previews, which expands data collection beyond the manifest's stated purpose of remembering user operations and conversation continuity. Tool arguments and outputs often contain secrets, file contents, tokens, internal paths, or sensitive business data, so this broader capture materially increases exposure.
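The two hook findings above (recording every turn regardless of the manifest's trigger and opt-out rules, and persisting raw tool inputs and output previews) are best addressed at the point where a record is built, before anything is written. The block below is an added example for this review, not Ultra Memory's code, of such a pre-persistence filter: an explicit-trigger gate that honours an opt-out phrase, and a redaction pass over tool I/O for the secret shapes most commonly found in shell and HTTP arguments. The opt-out phrases, the regexes, the placeholder format and the preview length are this example's assumptions; the same gate also answers the keyword-heuristic finding further up, since nothing is stored without an explicit trigger.

```python
import re

# Added example (not Ultra Memory's code). Patterns are deliberately conservative;
# extend them for your own environment.

OPT_OUT = re.compile(r"\b(do not|don't|dont) (record|remember|log|save) (this|that)\b", re.IGNORECASE)

# (label, regex, replacement). The env_secret rule keeps the variable name and drops the value.
SECRET_PATTERNS = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "<REDACTED:aws_access_key>"),
    ("bearer_token", re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{16,}"), "<REDACTED:bearer_token>"),
    ("private_key",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
     "<REDACTED:private_key>"),
    ("env_secret",
     re.compile(r"\b([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)[A-Z0-9_]*)=\S+"),
     r"\1=<REDACTED:env_secret>"),
]


def redact(text):
    """Replace secret-looking substrings with typed placeholders. Returns (text, labels hit)."""
    hits = []
    for label, pattern, replacement in SECRET_PATTERNS:
        text, n = pattern.subn(replacement, text)
        hits.extend([label] * n)
    return text, hits


def should_record(user_turn, explicit_trigger=False):
    """Record only on an explicit memory trigger, and never when the user opts out."""
    if OPT_OUT.search(user_turn):
        return False
    return bool(explicit_trigger)


def build_tool_record(tool_name, tool_input, tool_output, preview_len=200):
    """Build the record that would be persisted: redacted, truncated, with an audit of what was scrubbed."""
    clean_input, input_hits = redact(tool_input)
    clean_output, output_hits = redact(tool_output)
    return {
        "tool": tool_name,
        "input": clean_input[:preview_len],
        "output_preview": clean_output[:preview_len],
        "redacted": sorted(set(input_hits + output_hits)),
    }


if __name__ == "__main__":
    # Constructed sample input, not a real capture.
    print(build_tool_record(
        "bash",
        "curl -H 'Authorization: Bearer abcdefghijklmnopqrstuvwxyz0123456789' https://example.invalid",
        "AWS_SECRET_ACCESS_KEY=abc123 exported",
    ))
    print(should_record("don't record this", explicit_trigger=True))
```

The "redacted" field matters for later investigation: it tells an operator that a secret passed through the tool even though its value was never stored, which is the behaviour you want from a memory store that sits in the path of every tool call.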

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
The skill resolves executable script locations from environment-controlled paths such as SKILL_DIR and ULTRA_MEMORY_HOME. In a shared or weakly controlled runtime, an attacker who can influence environment variables or filesystem layout could redirect execution or data reads to attacker-chosen code or files.
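The finding above is about execution being redirected through SKILL_DIR rather than about the file writes covered earlier, so the check belongs on the script path before it is passed to an interpreter. The following is an added example for this review, not Ultra Memory's code, of resolving a subordinate script from SKILL_DIR only when it is an allowlisted regular file that still lies inside the resolved skill directory, is owned by the current user and is not writable by anyone else, and then running it without a shell and with the interpreter-hijacking variables stripped from the child environment. The allowlist names, the function names and the optional trusted root are this example's assumptions.

```python
import os
import stat
import subprocess
import sys
from pathlib import Path

# Added example (not Ultra Memory's code). POSIX only. Script names are assumed.
ALLOWED_SCRIPTS = {"memory_profile.py", "memory_gc.py"}

# Variables that let an environment redirect what the child executes or imports.
_HIJACK_PREFIXES = ("PYTHON", "LD_", "DYLD_")


def resolve_script(name, env=None, trusted_root=None):
    """Return the script Path, or raise ValueError if any trust check fails."""
    env = os.environ if env is None else env
    if name not in ALLOWED_SCRIPTS:
        raise ValueError(f"script not allowlisted: {name}")
    raw = env.get("SKILL_DIR")
    if not raw:
        raise ValueError("SKILL_DIR is not set")
    skill_dir = Path(raw).resolve()
    if trusted_root is not None:
        root = Path(trusted_root).resolve()
        if root not in (skill_dir, *skill_dir.parents):
            raise ValueError(f"SKILL_DIR {skill_dir} is outside trusted root {root}")
    script = (skill_dir / name).resolve()  # follows symlinks, so an escape shows up here
    if skill_dir not in script.parents:
        raise ValueError("script path escapes SKILL_DIR")
    st = script.lstat()
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("script is not a regular file")
    if st.st_uid != os.getuid():
        raise ValueError("script is not owned by the current user")
    if st.st_mode & 0o022:
        raise ValueError("script is writable by group or other")
    return script


def run_script(name, args=(), env=None, trusted_root=None):
    """Run an allowlisted script with the current interpreter, no shell, scrubbed env."""
    script = resolve_script(name, env=env, trusted_root=trusted_root)
    child_env = {k: v for k, v in os.environ.items() if not k.startswith(_HIJACK_PREFIXES)}
    return subprocess.run(
        [sys.executable, str(script), *args],
        env=child_env,
        capture_output=True,
        text=True,
        check=False,
    )


if __name__ == "__main__":
    print(run_script("memory_profile.py", ["--help"]).returncode)
```

Resolving the path first and then checking ownership and mode on the resolved target is what makes a symlink planted inside the skill directory, or a world-writable copy left by another user, fail closed instead of being executed.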

VirusTotal

66/66 vendors reported this skill as clean. Antivirus engines match known malware, so this result says nothing about the agentic and scope findings above, which are logic and disclosure issues rather than malware.