Security audit

Mem Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local memory skill that persistently stores approved knowledge, with notable privacy and optional dependency risks but no evidence of deception, exfiltration, or destructive behavior.

Install this only if you want persistent agent memory in the workspace. Review recording prompts before approving, keep secrets and sensitive personal or business data out of saved entries, periodically inspect or delete the knowledge-base, experience, and log files, prefer project-scoped QMD collections, and verify the optional QMD package/MCP daemon before enabling them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (15)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The ingest feature materially expands the skill from local memory management into arbitrary external content acquisition via URLs and directory processing. That broader behavior increases the attack surface for prompt injection, untrusted content import, and unintended persistence of external data into the workspace knowledge base.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The skill invokes external commands like `which`, `npx`, `npm`, `qmd`, and embedding operations as part of normal behavior, which is broader and riskier than simple memory storage. Shelling out introduces command execution and supply-chain exposure, especially when installation is suggested and names/arguments may derive from user-controlled input.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: Allowing arbitrary URL fetching adds network retrieval capabilities that are not clearly bounded by the memory skill's stated purpose. Untrusted web content can contain prompt-injection instructions or sensitive data that the skill may summarize and persist, expanding both security and privacy risk.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The init script goes beyond creating local workspace files and can install, configure, and interact with an external QMD system. That expands the trust boundary significantly: running the skill may modify global tooling state, register external collections/contexts, and execute third-party binaries, which is risky for a skill presented as memory initialization. The skill context makes this more dangerous because it is intended to run automatically at the start of many tasks, increasing the chance users invoke side-effecting behavior without fully reviewing it.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The script can perform `npm install -g @tobilu/qmd`, which installs third-party software globally on the host. Global package installation changes system state outside the workspace and executes package install scripts from the npm ecosystem, creating supply-chain and privilege-risk exposure that is disproportionate for a memory-initialization skill. Because this skill is advertised for routine use whenever starting tasks, the likelihood of an unsuspecting user approving the install is higher.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding: The README explicitly states the skill runs on every conversation turn as a background meta-skill and should be used whenever starting any task or triggering any other skill. That broad activation scope creates excessive access to user prompts and agent context, increasing the chance of unintended data collection, prompt interference, and unsafe propagation into unrelated tasks.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: Using vague phrases like 'It is OK' as a completion cue can easily collide with ordinary conversational language. This can trigger unsolicited recording flows or state transitions based on ambiguous user text, causing unintended persistence of conversation content or workflow actions.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: The documented core loop treats a generic phrase like 'it is OK' as evidence of successful task completion, which is too imprecise for security-sensitive behavior. In a system that writes to persistent memory, ambiguous completion detection can cause accidental storage, cross-task contamination, or capture of sensitive information without clear intent.

Vague Triggers

Severity: High
Confidence: 98%
Finding: The instruction to use this skill whenever starting any task, opening a new conversation, or triggering any other skill makes it effectively omnipresent. That greatly increases the chance of unnecessary file reads, logging, persistence of sensitive conversation content, and accidental invocation in contexts where memory storage is inappropriate.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The description markets the feature as a helpful second brain but does not clearly disclose that it persistently records conversation-derived data into workspace files and logs. Users may therefore share information without informed consent, not realizing it may be stored long-term.

Ssd 3

Severity: Medium
Confidence: 94%
Finding: The `recordnow` flow directs the agent to review the full conversation history and summarize completed tasks into persistent records. This creates a structured path for retaining user-provided content, including possibly sensitive details that were shared only transiently during the conversation.

Ssd 3

Severity: Medium
Confidence: 98%
Finding: The mandatory core loop silently accumulates per-turn memory state, reads/writes persistent knowledge stores, and proactively records conversation-derived information. Because this happens every turn and includes user preferences and session details, the skill normalizes covert retention and increases the likelihood of storing sensitive data without meaningful consent.

Ssd 3

Severity: Medium
Confidence: 96%
Finding: The recording criteria explicitly encourage storing user preferences, style rules, prompts, workflows, dependency locations, and project paths, all of which can reveal sensitive operational or personal context. Persisting that information in plain Markdown/JSON files raises confidentiality risk and can aid later social engineering or targeted attacks if the workspace is exposed.

Session Persistence

Severity: Medium
Category: Rogue Agent
Confidence: 90%
Content (matched excerpt from the skill's documentation):

You just ask for what you need. mem-skill reads the knowledge base automatically:

```
You:   Help me write a simple landing page about NVDA stock introduction
Agent: [reads knowledge-base/_index.json — looking for matching categories]
       ...builds the page...
       Created nvda-landing.html
```

Session Persistence

Severity: Medium
Category: Rogue Agent
Confidence: 91%
Content (matched excerpt from the skill's documentation, truncated in the scan output):

```
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  Step 1: Extract Keywords                                        │
│     "help me write a landing page about NVDA stock"              │
│     → keywords: [landing-page, NVDA, stock, HTML, introduction]  │
│                                                                  │
│  Step 2: Detect Topic Switch                                     │
```

VirusTotal

65/65 vendors rated this skill as clean.