Memory Oracle

Security checks across malware telemetry and agentic risk

Overview

Memory Oracle is a disclosed persistent-memory skill, but it deserves review because it automatically stores and reuses conversation/session data and can send retained memory to Anthropic when heavy mode is enabled.

Install only if you intentionally want broad cross-session agent memory. Start without cron and without ANTHROPIC_API_KEY unless external LLM processing of memory/logs is acceptable, avoid storing secrets or regulated data, periodically inspect and prune the SQLite database/MEMORY.md/logs, and be careful before allowing reflected memories to become guardrails.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill clearly instructs the agent to read and write local files, access environment variables, and optionally make network calls to Anthropic, yet it declares no explicit permissions. This creates a transparency and policy-enforcement gap: operators may install or invoke it without realizing it can persist data, modify memory artifacts, schedule tasks, and exfiltrate logs or memory state to an external API.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: When --workspace is supplied, the installer silently rewrites config/settings.json, which is a persistent configuration file. This contradicts the later messaging that the installer does not auto-edit configuration and can cause unexpected behavior or trust violations, especially in automation or shared environments.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The trigger list includes very common phrases such as 'memory,' 'remember,' 'recall,' 'context loss,' and 'pick up where we left off,' which can match ordinary conversation rather than an intentional request to activate a persistent memory subsystem. In this skill, accidental activation is more dangerous because the LIGHT process stores conversation content to SQLite and the HEAVY process may later transmit summaries or logs to an external model provider.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The installer persists user-supplied workspace values into config/settings.json without an explicit notice that a durable config file will be changed. That makes the install process non-transparent and increases the risk of accidental misconfiguration or persistence that survives future runs.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The function writes conversation text to a persistent daily markdown log in plain language, including user-provided content, without any consent, warning, or minimization shown in this file. In a memory skill whose purpose is long-term retention, this increases privacy risk because sensitive prompts, secrets, or personal data may be silently persisted to disk and later exposed through filesystem access, backups, or other tools.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: Extracted facts are inserted into SQLite with persistent retention and high-confidence metadata, but there is no evidence here of consent, classification, or filtering for sensitive data. Because the skill is specifically designed to remember information across sessions, this creates a real confidentiality risk if credentials, personal details, or confidential business context are captured and retained indefinitely.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The script automatically persists SESSION-STATE.md contents or arbitrary --text input into SQLite during a memory flush/checkpoint flow, but there is no disclosure, consent, filtering, or minimization step before storage. In a long-running agent context, session state can easily contain secrets, personal data, credentials, or sensitive operational context, so silent durable retention increases privacy and data-exposure risk beyond the user's apparent expectations.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: The script sends full daily log contents to an external LLM service for consolidation, but this file provides no explicit consent, warning, redaction, or sensitivity filtering before transmission. In a persistent memory skill, daily logs are especially likely to contain sensitive personal, operational, or secret material, making silent export to a third party a real privacy and data-governance risk.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The export function writes the complete memory state, including facts, guardrails, reflections, and operational statistics, to an arbitrary user-supplied path in plaintext JSON. In the context of a persistent agent memory system, this data is likely to contain sensitive long-term context, personal data, credentials, rules, or internal workflow details, so exporting it without access controls, destination restrictions, or encryption creates a meaningful confidentiality risk.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The code records each recalled fact ID together with up to 200 characters of the user's query in `access_log` without any indication here of user notice, minimization, or consent. In a persistent memory skill whose purpose is to retain cross-session context, this increases privacy risk because sensitive prompts, secrets, or personal data can be silently stored and later exposed through the database, backups, or debugging workflows.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The script sends structured memory content, including daily facts and prior reflections, to an external LLM API without any explicit user consent, disclosure, redaction, or policy gate at the call site. In a persistent memory skill, this is more dangerous because stored facts may contain sensitive cross-session data, secrets, personal information, or internal guardrails that users may not expect to leave the local system.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: Weekly deep reflection transmits a broader aggregation of persistent memory, historical reflections, and access-log-derived usage patterns to an external API without clear disclosure or approval. Because this skill is specifically designed for long-term memory retention, the exported dataset can reveal sensitive longitudinal behavior, priorities, and hidden contextual information, increasing privacy and data-exfiltration risk.

Ssd 3

Severity: Medium
Confidence: 97%
Finding: The AGENTS.md snippet instructs the agent to store and later reuse full turn text and query against prior user messages in persistent memory. In a memory skill, this materially increases privacy and data retention risk because sensitive user content, credentials, or regulated data may be captured wholesale and surfaced in later contexts without minimization or consent boundaries.

Ssd 3

Severity: Medium
Confidence: 93%
Finding: This script persistently logs raw conversation text to markdown and stores extracted facts in SQLite in plain language, creating a built-in retention surface for sensitive content. In the context of a long-term memory skill, that is more dangerous than in a transient tool because the whole feature is designed to survive sessions, compaction, and workflow restarts, increasing exposure duration and blast radius if local files or the database are accessed by other processes or users.

VirusTotal

66/66 vendors flagged this skill as clean.