SQL Memory

Security checks across malware telemetry and agentic risk

Overview

This is a real SQL-backed memory skill, but it exposes broad database mutation and long-term storage behaviors that need careful review before use.

Install only if you intend to give agents durable access to a dedicated SQL memory database. Use least-privilege SQL credentials, avoid production or shared databases, do not store secrets or unnecessary personal data, define retention/deletion rules, and restrict or remove the raw SQL passthrough before allowing autonomous or multi-agent use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Lp3 (Medium)
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill advertises substantial capabilities that depend on environment variables, database/network access, and likely shell-accessed helper scripts, yet the manifest does not declare any permissions or capability boundaries. This creates a transparency and governance gap: operators may approve the skill believing it is lower risk than it really is, while the skill can access sensitive configuration such as SQL credentials and perform remote database operations.

Tp4 (High)
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented behavior omits materially sensitive functionality, especially raw SQL execution passthrough and schema-management operations. In a memory skill, hidden access to execute arbitrary SQL or alter schema dramatically increases risk because agents or integrators may invoke it in contexts that assume only constrained CRUD-style memory operations, enabling destructive changes, data exfiltration, or privilege misuse.

Intent-Code Divergence (Low)
Confidence: 70%
Finding: Calling ActivityLog an immutable audit trail without any schema- or permission-level immutability guarantees can create a false sense of forensic integrity. If operators rely on this for security monitoring or incident response, an attacker or overly privileged component could alter or delete records and undermine auditability.

Intent-Code Divergence (Medium)
Confidence: 92%
Finding: The documentation promises an immutable, append-only audit log, but later advertises a legacy raw-SQL passthrough (`mem.execute(raw_sql)`) that could be used to update or delete any table, including `memory.ActivityLog`. That creates a trust-boundary violation: operators or downstream agents may rely on audit integrity that the API surface does not actually enforce.
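The two Intent-Code Divergence findings above describe a guarantee (an append-only `memory.ActivityLog`) that the skill's API surface does not enforce, because `mem.execute(raw_sql)` can reach the table. The following is an added example, not the skill's code, showing how to close both gaps at the database layer. It uses SQLite so it runs offline: triggers make the log append-only for every caller, privileged or not, and the raw-SQL entry point runs under an authorizer that admits only read actions. The table name `activity_log`, the function names, and the event text are assumptions; the page itself names only `memory.ActivityLog`, `log_event`, and `mem.execute(raw_sql)`. On a server database the equivalent controls are a role that holds INSERT and SELECT but not UPDATE, DELETE, DROP or ALTER on the log table, and a separate read-only role for any passthrough that has to remain.

```python
"""Added example (not the skill's code): enforce an append-only audit log and a
read-only raw-SQL gate at the database layer, demonstrated with SQLite."""
import sqlite3


class RawSqlRejected(Exception):
    """Raised when the read-only gate refuses a statement."""


def open_memory_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the skill's SQL memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE activity_log (
            id         INTEGER PRIMARY KEY,
            event      TEXT NOT NULL,
            created_at TEXT NOT NULL DEFAULT (datetime('now'))
        );
        -- Append-only is enforced by the schema for every caller, not by a README promise.
        CREATE TRIGGER activity_log_no_update BEFORE UPDATE ON activity_log
        BEGIN SELECT RAISE(ABORT, 'activity_log is append-only'); END;
        CREATE TRIGGER activity_log_no_delete BEFORE DELETE ON activity_log
        BEGIN SELECT RAISE(ABORT, 'activity_log is append-only'); END;
        """
    )
    return conn


def log_event(conn: sqlite3.Connection, event: str) -> int:
    """The one sanctioned write path to the audit trail: a parameterised INSERT."""
    cur = conn.execute("INSERT INTO activity_log (event) VALUES (?)", (event,))
    conn.commit()
    return cur.lastrowid


# Authorizer action codes the gate permits: the SELECT itself, column reads, and
# built-in function calls. INSERT/UPDATE/DELETE/DROP/ALTER/PRAGMA/ATTACH are denied
# while the statement is compiled, so stacked statements or a CTE that ends in
# DELETE cannot get past the way they would past a prefix check on the SQL text.
_ALLOWED_ACTIONS = {
    sqlite3.SQLITE_SELECT,
    sqlite3.SQLITE_READ,
    getattr(sqlite3, "SQLITE_FUNCTION", 31),
}


def _read_only_authorizer(action, arg1, arg2, dbname, source):
    return sqlite3.SQLITE_OK if action in _ALLOWED_ACTIONS else sqlite3.SQLITE_DENY


def _permit_everything(action, arg1, arg2, dbname, source):
    # Re-arms the privileged path; a permissive callback works on every Python
    # version, whereas passing None to set_authorizer is accepted from 3.11 on.
    return sqlite3.SQLITE_OK


def execute_read_only(conn: sqlite3.Connection, raw_sql: str) -> list:
    """Gated replacement for a raw passthrough such as mem.execute(raw_sql)."""
    conn.set_authorizer(_read_only_authorizer)
    try:
        return conn.execute(raw_sql).fetchall()
    except sqlite3.DatabaseError as exc:  # SQLite reports "not authorized"
        raise RawSqlRejected(str(exc)) from exc
    finally:
        conn.set_authorizer(_permit_everything)


def attempt(conn: sqlite3.Connection, sql: str):
    """Run a statement on the privileged connection; return (succeeded, error class name)."""
    try:
        conn.execute(sql)
        conn.commit()
        return True, None
    except sqlite3.Error as exc:
        conn.rollback()
        return False, type(exc).__name__


if __name__ == "__main__":
    db = open_memory_db()
    log_event(db, "task 42 completed")  # constructed event text
    print(execute_read_only(db, "SELECT id, event FROM activity_log"))
    # Even the privileged connection cannot rewrite history: the triggers hold.
    print(attempt(db, "DELETE FROM activity_log"))
    print(attempt(db, "UPDATE activity_log SET event = 'x'"))
    # And the raw path refuses anything that is not a read.
    try:
        execute_read_only(db, "DROP TABLE activity_log")
    except RawSqlRejected as exc:
        print("rejected:", exc)
```

The triggers do not stop a `DROP TABLE` from a connection that owns the schema; that is what the database role, not the application, has to deny. The authorizer covers the passthrough only, which is why the overview's advice to remove the passthrough entirely before multi-agent use still stands.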

Description-Behavior Mismatch (Medium)
Confidence: 94%
Finding: The document expands the skill's effective scope far beyond SQL memory into agent orchestration, model inference, dashboard APIs, cron jobs, and broader application infrastructure. In an agent skill ecosystem, this kind of scope drift is dangerous because it can socially authorize or normalize actions outside the declared trust boundary, increasing the chance an agent uses the skill for unintended operational control.

Description-Behavior Mismatch (Medium)
Confidence: 96%
Finding: Documenting dispatcher support for GitHub setup, clone, check-in, and security-test tasks introduces capabilities unrelated to a SQL memory skill. This is risky because agents may infer permission to trigger repository operations or security workflows through a component that should only manage data persistence and task state.

Context-Inappropriate Capability (Medium)
Confidence: 95%
Finding: Including model-routing and inference behavior in a SQL memory skill blurs the boundary between storage and active AI execution. That increases risk by encouraging an agent to treat the skill as an inference-capable component, which can broaden data exposure, trigger unexpected outbound calls, or enable unauthorized prompt/model use.

Description-Behavior Mismatch (Medium)
Confidence: 80%
Finding: The module exposes session and todo management functions that are outside the declared memory/queue/logging/knowledge surface. Undocumented capabilities increase attack surface and can let agents or callers persist, alter, or delete data in ways operators did not authorize or expect, especially because `delete_todo` performs a hard delete.

Context-Inappropriate Capability (Low)
Confidence: 92%
Finding: The module walks parent directories to discover and load a .env file, then injects its contents into process environment variables. In an agent setting, this broad secret-loading behavior can unintentionally import unrelated credentials from the workspace or host environment, expanding credential exposure beyond the skill's stated purpose.

Missing User Warnings (Medium)
Confidence: 80%
Finding: The documentation encourages storing user preference data in a persistent memory system without discussing minimization, retention, access control, or consent. In a memory skill whose purpose is long-term storage and search, this increases the chance of unnecessary collection and prolonged exposure of personal data.

Missing User Warnings (Medium)
Confidence: 92%
Finding: The README prominently describes persistent storage of memories, tasks, activity logs, sessions, todos, and knowledge data, but does not provide a clear privacy, retention, or sensitive-data handling warning. In a memory layer for agents, this increases the risk that operators will store personal data, credentials, prompts, or audit trails indefinitely without considering compliance, minimization, or deletion policies.

Missing User Warnings (Medium)
Confidence: 88%
Finding: The API reference exposes `delete_todo(todo_id)` as a hard delete, but the documentation does not warn that the operation is irreversible or distinguish it from soft-delete patterns used elsewhere. This can lead to accidental data loss, especially in an agent-driven system where destructive actions may be automated or triggered indirectly.

Missing User Warnings (Medium)
Confidence: 82%
Finding: The documentation exposes destructive and state-changing operations such as forget, task completion/failure, rollups, and schema-affecting behavior without warning about irreversibility, retention effects, or recovery expectations. In an agent setting, incomplete safety guidance can lead to accidental deletion or mutation of long-term memory and audit data, especially when autonomous components act on terse API docs.

Missing User Warnings (Medium)
Confidence: 88%
Finding: The skill is explicitly designed to persist memories, knowledge, sessions, todos, and activity data, but the reference lacks a clear warning about privacy, retention, and handling of potentially sensitive conversational or operational information. In an agent memory system, silent long-term storage materially increases the risk of collecting secrets, personal data, or internal business context without informed use or minimization.

Missing User Warnings (Medium)
Confidence: 90%
Finding: The append-only activity log and persisted session context are presented as normal operational features, but there is no explicit notice that user interactions, metadata, and agent context may be durably logged. This is dangerous because audit and session stores often accumulate sensitive prompts, identifiers, tokens, or behavioral data that are harder to erase once retained.

Missing User Warnings (Medium)
Confidence: 92%
Finding: The deployment steps instruct operators to configure cloud database credentials and run a live query against production-like infrastructure without any warning, safety guardrails, or mention of least-privilege handling. In a skill context, this can nudge agents or users toward connecting to sensitive infrastructure by default and operating on real data unintentionally.

Missing User Warnings (Medium)
Confidence: 91%
Finding: The documentation explicitly promotes persistent storage of significant memories and logs across sessions, but provides no privacy notice, retention limits, consent model, or data minimization guidance. In a semantic memory skill, this can lead developers or agents to retain sensitive personal, operational, or authentication-related data indefinitely, increasing exposure in the event of misuse, overcollection, or compromise.

Missing User Warnings (High)
Confidence: 98%
Finding: The instruction to store "everything" meaningful is especially risky because this skill is designed as a long-lived semantic memory and audit layer, making broad collection a likely implementation choice rather than a vague aspiration. That creates a strong risk of indiscriminate retention of sensitive conversations, personal data, internal reasoning, and secrets without user awareness, which can violate privacy expectations and magnify breach impact.

Missing User Warnings (Medium)
Confidence: 90%
Finding: This script performs schema and table creation against the configured database as soon as it is run, but it does not present a clear destructive-change warning or require explicit confirmation from the operator. In an agent skill context where profiles may point to shared or production databases, accidental execution can modify the wrong environment and create persistent database objects unexpectedly.

Missing User Warnings (Medium)
Confidence: 88%
Finding: The documentation advertises destructive and persistent operations such as `forget` and `log_event` without clearly warning that data may be permanently deleted or retained in an audit trail. In an agent skill that manages long-term memory and task history, this omission can cause operators or downstream agents to invoke actions with unintended privacy, compliance, or data-loss consequences.

Missing User Warnings (Medium)
Confidence: 94%
Finding: Silently discovering and loading a nearby .env file can pull database credentials or other secrets into the process without explicit user awareness. In a multi-skill or shared workspace environment, that behavior can cause over-collection of secrets and make accidental credential exposure more likely if other code in the process can read environment variables.
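This finding and the earlier Context-Inappropriate Capability finding describe the same behaviour: an upward search for the nearest .env followed by injection of everything it holds into the process environment. The following is an added example, not the skill's code, that puts that discovery pattern beside a scoped loader so the difference in blast radius is visible. The directory layout, file names (`config.env`), key names and values are all constructed for the demo; the only thing taken from the page is the parent-directory walk itself. The scoped loader takes an explicit path (no search), accepts only allow-listed keys, fails closed when the file carries anything else, and returns a dict rather than mutating `os.environ` for every other component sharing the process.

```python
"""Added example (not the skill's code): the upward .env discovery the findings
describe, contrasted with a scoped loader. All files and values are constructed."""
import tempfile
from pathlib import Path
from typing import Dict, FrozenSet, Optional


def parse_env_file(path: Path) -> Dict[str, str]:
    """Minimal KEY=VALUE parser: blank lines and # comments skipped, quotes stripped."""
    values: Dict[str, str] = {}
    for line in path.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")
    return values


def find_env_upward(start: Path) -> Optional[Path]:
    """The discovery pattern the findings describe: walk toward the filesystem root
    and take the first .env on the way, whoever it belongs to."""
    for directory in (start, *start.parents):
        candidate = directory / ".env"
        if candidate.is_file():
            return candidate
    return None


def load_scoped_env(path: Path, allowed_keys: FrozenSet[str]) -> Dict[str, str]:
    """Scoped alternative: explicit path, allow-listed keys, fail closed on anything
    else, and hand the values back instead of writing them into os.environ."""
    if not path.is_file():
        raise FileNotFoundError(f"expected config at {path}")
    found = parse_env_file(path)
    unexpected = set(found) - allowed_keys
    if unexpected:
        raise ValueError(f"refusing non-allow-listed keys: {sorted(unexpected)}")
    return {key: found[key] for key in allowed_keys if key in found}


# Assumed key names for the skill's own settings (not from the page).
ALLOWED = frozenset({"SQL_DSN", "SQL_USER", "SQL_PASSWORD"})


def demo() -> dict:
    """Constructed layout: a workspace-wide .env holding unrelated credentials two
    directories above the skill, and the skill's own config.env in its directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".env").write_text(
            "# shared workspace secrets (constructed for the demo)\n"
            "AWS_SECRET_ACCESS_KEY=workspace-wide-secret\n"
            "GITHUB_TOKEN='ghp_example'\n"
        )
        skill_dir = root / "skills" / "sql_memory"
        skill_dir.mkdir(parents=True)
        (skill_dir / "config.env").write_text(
            "SQL_DSN=sqlite:///memory.db\nSQL_USER=memory_rw\n"
        )

        # Upward discovery from the skill directory lands on the workspace file.
        discovered = find_env_upward(skill_dir)
        leaked = parse_env_file(discovered) if discovered else {}

        # The scoped loader reads only the skill's own file and only its own keys.
        scoped = load_scoped_env(skill_dir / "config.env", ALLOWED)
        try:
            load_scoped_env(root / ".env", ALLOWED)
            rejected = False
        except ValueError:
            rejected = True

        return {
            "discovered": discovered.relative_to(root).as_posix() if discovered else None,
            "leaked_keys": sorted(leaked),
            "scoped": scoped,
            "workspace_env_rejected": rejected,
        }


if __name__ == "__main__":
    print(demo())
```

Returning a dict rather than exporting into the environment matters in exactly the multi-skill case the finding names: anything else running in the process, including a subprocess spawned by another skill, inherits `os.environ`, but not a local dict.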

Missing User Warnings (Medium)
Confidence: 76%
Finding: `delete_todo` permanently removes records and the code provides no confirmation, audit retention, or user-facing warning despite the module also presenting itself as an audit/logging-capable memory layer. Destructive operations without disclosure or safety controls can enable accidental or unauthorized loss of task history.
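Three findings on this page flag `delete_todo(todo_id)` as an unconfirmed hard delete, and the overview asks operators to define retention and deletion rules. The following is an added example, not the skill's code, of the soft-delete shape those findings contrast it with: a nullable `deleted_at` column, a view that hides deleted rows from normal reads, a reversible `delete_todo` that is a no-op on repeat calls, and a single bounded hard delete (`purge_deleted`) meant for a scheduled retention job rather than an agent-callable tool. Table, column and function names are assumptions; the page names only `delete_todo(todo_id)`. SQLite is used so the block runs offline; the `now` parameters exist so the retention arithmetic can be exercised deterministically.

```python
"""Added example (not the skill's code): soft delete with a bounded retention purge,
as an alternative to an unconfirmed hard delete_todo."""
import sqlite3
from typing import List, Optional


def open_todo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in; deleted_at carries the soft-delete state."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE todos (
            id         INTEGER PRIMARY KEY,
            title      TEXT NOT NULL,
            created_at TEXT NOT NULL DEFAULT (datetime('now')),
            deleted_at TEXT
        );
        -- Readers use the view, so a deleted row disappears from normal use
        -- while the data stays recoverable until the retention purge runs.
        CREATE VIEW live_todos AS
            SELECT id, title, created_at FROM todos WHERE deleted_at IS NULL;
        """
    )
    return conn


def add_todo(conn: sqlite3.Connection, title: str) -> int:
    cur = conn.execute("INSERT INTO todos (title) VALUES (?)", (title,))
    conn.commit()
    return cur.lastrowid


def delete_todo(conn: sqlite3.Connection, todo_id: int, now: Optional[str] = None) -> bool:
    """Soft delete. Returns False when the row is missing or already deleted, so a
    repeated or agent-retried call is a no-op rather than a second surprise."""
    cur = conn.execute(
        "UPDATE todos SET deleted_at = COALESCE(?, datetime('now')) "
        "WHERE id = ? AND deleted_at IS NULL",
        (now, todo_id),
    )
    conn.commit()
    return cur.rowcount == 1


def restore_todo(conn: sqlite3.Connection, todo_id: int) -> bool:
    """Undo a soft delete; the capability a hard delete cannot offer."""
    cur = conn.execute(
        "UPDATE todos SET deleted_at = NULL WHERE id = ? AND deleted_at IS NOT NULL",
        (todo_id,),
    )
    conn.commit()
    return cur.rowcount == 1


def list_todos(conn: sqlite3.Connection) -> List[str]:
    return [row[0] for row in conn.execute("SELECT title FROM live_todos ORDER BY id")]


def purge_deleted(conn: sqlite3.Connection, older_than_days: int, now: Optional[str] = None) -> int:
    """The only hard delete, and it is bounded: rows soft-deleted at least
    older_than_days ago. Run from a scheduled retention job, not from an agent tool."""
    cur = conn.execute(
        "DELETE FROM todos WHERE deleted_at IS NOT NULL "
        "AND deleted_at <= datetime(COALESCE(?, 'now'), ?)",
        (now, f"-{int(older_than_days)} days"),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_todo_db()
    first = add_todo(db, "rotate SQL credentials")  # constructed titles
    add_todo(db, "write retention policy")
    print(delete_todo(db, first, now="2024-01-01 00:00:00"), list_todos(db))
    print(restore_todo(db, first), list_todos(db))
    delete_todo(db, first, now="2024-01-01 00:00:00")
    print("purged:", purge_deleted(db, 30, now="2024-03-01 00:00:00"))
```

Whether a purge of this kind should itself write to the activity log is a retention decision the overview leaves to the operator; the point here is that the irreversible step is a separate, scheduled, time-bounded operation rather than the default meaning of "delete".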

VirusTotal

VirusTotal findings are pending for this skill version.
