getmem.ai Memory

Security checks across malware telemetry and agentic risk

Overview

The plugin openly provides remote persistent memory, but it automatically sends and stores user conversations with broad default scope and limited user control.

Install only if you intend to share user conversations and assistant replies with getmem.ai for persistent memory. Confirm privacy, retention, deletion, and compliance requirements first; avoid regulated or secret-bearing conversations unless you have explicit user/admin approval and a clear policy for disabling or scoping memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly performs external network operations ('fetches memory context' and 'ingests the exchange') but does not declare corresponding permissions. This creates a transparency and governance gap: operators may install a skill that can transmit data off-platform without seeing an explicit permission boundary, increasing the chance of unintended data exposure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly states that the plugin automatically ingests conversations and sends the full exchange to a third-party memory service, but it does not provide a clear privacy warning, consent requirement, or guidance on sensitive-data handling. In the context of an agent plugin that processes user chats, this is dangerous because operators may enable it without realizing that user content is being persistently transmitted off-platform and retained over time.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The description promises behavior that is effectively always-on ('automatically ingests conversations' and injects context 'before each agent reply') without clear trigger constraints or scoping. Broad automatic activation increases the chance that sensitive or irrelevant conversations are processed and sent externally, especially in multi-user or mixed-sensitivity environments.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation states that conversation exchanges are automatically ingested into an external service, but it does not provide an explicit privacy warning, data-handling notice, or consent guidance. Because the plugin operates on every reply and persists user memory, it can transmit sensitive personal, business, or secret data to a third party without users fully understanding the privacy implications.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code transmits complete user and assistant message content to a third-party service for ingestion, creating a real privacy and data-governance risk. Even if this is the plugin's intended feature, the implementation performs external exfiltration of conversation data without any built-in consent, minimization, redaction, or disclosure mechanism in the skill itself.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
On every received message, the plugin sends raw inbound user content to the remote memory API to retrieve context. This exposes potentially sensitive prompts and identifiers to a third party before any filtering or consent checks, which is especially risky because it happens automatically for all messages.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The plugin explicitly states that it persistently stores per-user conversation memory and injects that memory before each LLM call, but this declaration file shows no indication of user disclosure, consent, or controls around that data flow. In an agent/plugin context, silent persistence and automatic reinjection of prior conversations can expose sensitive user data unexpectedly and create privacy and compliance risks, especially if operators install it without clearly informing end users.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The plugin sends both the user's message and the assistant's reply to an external service for storage, creating a data exfiltration/privacy risk if users have not explicitly consented or if sensitive content is included in conversations. In this skill's context, the behavior is core functionality ('persistent memory for every user') and applies broadly to all sessions, which makes the exposure systematic rather than incidental.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The memory lookup sends a user identifier and current message content to a remote API before generating a reply, exposing potentially sensitive prompts and stable identifiers to a third party. Because this occurs automatically on every inbound message, the skill context increases risk: it is pervasive, silent in code behavior, and can affect all users of the agent.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The description claims the plugin 'automatically remembers users across sessions,' which implies broad, persistent operation without stating when memory capture occurs, what data is stored, or what boundaries limit activation. In a memory plugin, vague always-on language increases the risk of collecting and transmitting sensitive conversation content beyond user expectations, especially because the metadata provides no trigger constraints or scoping controls.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The description explicitly promises 'Persistent memory for every user' and 'automatically remembers users across sessions' without any indication of consent, opt-in, or user-level control. Because this skill is designed to ingest conversations into a third-party memory service, the lack of user choice materially raises privacy and compliance risks by enabling silent cross-session profiling and storage of potentially sensitive data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The plugin sends full user and assistant message content to a third-party service for persistent storage, but the code contains no user notification, consent flow, minimization, or policy guardrails. In a memory plugin this behavior is functionally intended, but it still creates a real privacy and data-sharing vulnerability because sensitive conversation content may be exported off-platform without user awareness.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The plugin transmits the current user message to an external API during memory lookup, again without any visible disclosure or consent mechanism in the code. Even though this is necessary for semantic retrieval, it exposes potentially sensitive prompts to a remote service before the agent responds.

Ssd 3

Medium
Confidence
96% confidence
Finding
The plugin persistently stores full user and assistant exchanges in an external memory service, which can accumulate sensitive personal, business, or credential-like data over time. Persistent third-party storage increases breach, misuse, retention, and cross-session privacy risks even if the service is functioning as designed.

Ssd 3

Medium
Confidence
90% confidence
Finding
Remote memory returned by the service is injected directly into the model context, which can resurface previously stored sensitive information in later interactions. This also creates a prompt-injection-style risk if stored memory contains adversarial instructions or misleading content, because the plugin prepends it to the active conversation without validation.

Ssd 3

Medium
Confidence
96% confidence
Finding
The ingest path persistently stores complete conversational turns externally, creating a durable repository of plain-language user and assistant content. This increases risk of privacy leakage, compliance violations, and downstream exposure if the third-party service, logs, or account are compromised or misconfigured.

Ssd 3

Medium
Confidence
93% confidence
Finding
Retrieved memory is automatically appended into the model input, which can resurface old sensitive data in future responses or influence the model with stale or attacker-seeded content. In this plugin's context, automatic memory injection is the core feature, which makes the issue more dangerous because every inbound message can silently reintroduce prior secrets or prompt-injection-like memory entries.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal