Heleni Memory Architecture

Security checks across malware telemetry and agentic risk

Overview

This memory skill is nominally about remembering user preferences, but it also instructs the agent to create recurring background jobs (crons) that can rewrite memory and agent-instruction files and push the resulting changes to git.

Install only if you intentionally want a memory system that may create long-running automation. Do not enable the suggested crons unless you are comfortable with unattended edits to MEMORY.md, AGENTS.md, SKILL.md files, and git history. Require human review before commits or pushes, keep secrets out of memory files, and periodically audit inferred [DEDUCED] memories.
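The three controls recommended above (human review before commits or pushes, no secrets in memory files, periodic audit of inferred [DEDUCED] entries) can be enforced mechanically rather than left to the agent's discretion. The following is an added example written for this page, not code from the Heleni skill or from SkillSpector: a small review gate that an operator could run as a pre-commit or pre-push hook over the files an agent job intends to change. The file names MEMORY.md, AGENTS.md and SKILL.md come from the overview; the secret patterns, the `[DEDUCED]` marker format, the `approved` flag and the sample memory file are assumptions made for the example.

```python
"""Review gate for agent-driven edits to memory and instruction files.

Added example, not part of the Heleni skill or of the scanner output on this page.
It models the overview's three recommendations as checks: edits to protected
files and any push need a human approval flag, secrets are rejected outright,
and inferred [DEDUCED] memories are surfaced for audit.
"""
import re
from dataclasses import dataclass, field

# Files the overview names as targets of unattended edits (assumption: adjust
# this set to the repository's actual layout).
PROTECTED_FILES = {"MEMORY.md", "AGENTS.md", "SKILL.md"}

# Secret-shaped content that must never land in a memory file. The AWS and
# GitHub token shapes are documented formats; the assignment rule is a heuristic.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "assignment": re.compile(r"(?i)\b(api[_-]?key|secret|token|password)\s*[:=]\s*\S{8,}"),
}

# Assumed marker format for inferred memories: "[DEDUCED] <statement>".
DEDUCED = re.compile(r"\[DEDUCED\]\s*(.+)")


@dataclass
class GateResult:
    blocked: bool
    reasons: list[str] = field(default_factory=list)
    deduced: list[str] = field(default_factory=list)  # entries a human should audit


def find_secrets(text: str) -> list[tuple[int, str]]:
    """Return (line number, pattern name) for every secret-shaped line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def deduced_entries(text: str) -> list[str]:
    """Collect inferred memories so they can be reviewed and pruned."""
    return [m.group(1).strip() for m in DEDUCED.finditer(text)]


def gate(changed: dict[str, str], approved: bool = False, pushing: bool = False) -> GateResult:
    """Decide whether a proposed change set may proceed.

    changed maps a repository path to the file's proposed new content.
    approved is the explicit human sign-off; pushing marks a git push attempt.
    Secrets block the change even when approved.
    """
    result = GateResult(blocked=False)
    for path, content in changed.items():
        name = path.rsplit("/", 1)[-1]
        if name in PROTECTED_FILES and not approved:
            result.blocked = True
            result.reasons.append(f"{path}: edit to protected file without human approval")
        for lineno, kind in find_secrets(content):
            result.blocked = True
            result.reasons.append(f"{path}:{lineno}: {kind} must not be committed to a memory file")
        if name == "MEMORY.md":
            result.deduced.extend(deduced_entries(content))
    if pushing and not approved:
        result.blocked = True
        result.reasons.append("push requested without human approval")
    return result


# Constructed sample memory file; the AKIA value is the example key from AWS documentation.
SAMPLE_MEMORY = """\
# MEMORY.md (constructed sample)
- User prefers dark mode.
- [DEDUCED] User works in UTC+2 based on message timestamps.
- Deploy creds: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
"""

if __name__ == "__main__":
    verdict = gate({"MEMORY.md": SAMPLE_MEMORY}, approved=False, pushing=True)
    print("blocked" if verdict.blocked else "allowed")
    for reason in verdict.reasons:
        print("  -", reason)
    for entry in verdict.deduced:
        print("  audit [DEDUCED]:", entry)
```

Run from a hook, `approved` would be derived from something the agent cannot set for itself, such as an environment variable exported only by an interactive shell or a signed approval file; the point is that an unattended cron run never has it, so protected-file edits and pushes from the nightly and weekly jobs stop at the gate while ordinary memory notes still pass.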

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Severity: Medium. Confidence: 94%.

Finding: The skill's stated purpose is memory management, but it expands into autonomous cron creation, repository commits/pushes, and even edits to other skill files. This creates capability creep: a memory-writing skill can persistently schedule future actions and modify broader system state, increasing the chance of unintended or unauthorized changes.

Context-Inappropriate Capability

Severity: High. Confidence: 97%.

Finding: The nightly self-review message explicitly instructs the agent to update relevant SKILL.md files, which is outside the declared memory-management function. Allowing a reflective maintenance loop to rewrite operational instructions can lead to self-modifying behavior, silent policy drift, and unauthorized expansion of capabilities over time.

Context-Inappropriate Capability

Severity: Medium. Confidence: 92%.

Finding: Cron creation and scheduled autonomous execution exceed what is necessary for a memory-writing skill and introduce persistent background behavior. Even if intended for convenience, scheduled runs can perform actions outside the user's immediate awareness and compound mistakes through repeated autonomous execution.

Vague Triggers

Severity: Medium. Confidence: 83%.

Finding: The activation description is broad enough to trigger in many ordinary conversations about remembering, summarizing, or long-term context. Over-broad invocation increases the chance that the skill will run unnecessarily, causing excess data retention or edits to memory stores in situations where the user did not intend that level of persistence.

Missing User Warnings

Severity: Medium. Confidence: 91%.

Finding: The instructions authorize autonomous file modifications and git commits without clearly warning the user that repository state will change. This can result in silent persistence of inferred data, audit noise, or accidental propagation of unwanted changes to version control.

Missing User Warnings

Severity: High. Confidence: 96%.

Finding: The weekly compaction cron automates deletion/rewriting of memory files and performs a git push, yet provides no interactive warning or approval checkpoint. Automated content removal is risky because summarization or deduplication can discard important context, and pushing those changes propagates the damage beyond the local workspace.

VirusTotal

66/66 antivirus engines reported no detections. Antivirus engines look for known malware in the skill's files, not for risky natural-language instructions, so a clean result here does not offset the SkillSpector findings above.
