Security audit

VectorClaw

Security checks across malware telemetry and agentic risk

Overview

VectorClaw is a disclosed self-hosted memory database, but it needs Review because it persists broad sensitive user profiles and agent reasoning while relying on operator-controlled consent, retention, and credential safeguards.

Install only if you intentionally want a self-hosted agent memory system that can store sensitive inferred user profiles. Before enabling it, require explicit per-user opt-in, keep auto-extraction in dry-run or human-review mode until validated, disable or remove thought_stream chain-of-thought logging, protect and rotate database credentials, run migrations only after backups, and test retention plus deletion behavior on non-production data first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The guide states that Python scripts no longer contain hardcoded passwords, but the document elsewhere still demonstrates inline secrets and weak secret-handling patterns. This can normalize copying credentials into shell history, environment exports, Docker arguments, or docs, leading to accidental disclosure and inconsistent secret management.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The changelog explicitly documents creation of a `.env` file containing concrete MySQL credentials (`root` / `29361775`), which contradicts repeated claims that no passwords exist in files. Even though this is a changelog, it evidences that the skill at one point embedded live-style credentials and normalized storing secrets in a skill directory, creating high risk of credential compromise and privileged database access if replicated or left in distributed artifacts.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The schema persists internal agent reasoning in `thought_stream` and stores self-improvement state in `agent_learnings`, which exceed ordinary user-profile storage and create a sensitive repository of model internals and user-linked decision traces. If compromised, misused, or queried by other components, these tables can expose hidden reasoning, inferred traits, operational logic, and sensitive user associations that were likely never intended for durable storage.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The schema expands into behavioral surveillance and community analytics through tables such as `user_engagement_patterns`, `user_activity_heatmap`, `proactive_reminders`, `community_sentiment`, `trending_topics`, and `community_events`. This broadens collection far beyond basic functionality and enables detailed profiling, inference, and monitoring of both individual and group behavior, increasing harm from misuse, overcollection, or breach.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script asserts it is safe for production because it uses IF NOT EXISTS, but that claim is misleading: the ALTER TABLE ... MODIFY COLUMN operation is not guarded and can lock or rewrite the table, fail on incompatible existing data, or change application behavior. In a database upgrade context, operators may rely on the comment and run it in production without proper review, increasing the risk of downtime or failed migrations.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script explicitly claims it is safe to rerun in production because it uses idempotent operations, but the ALTER TABLE statements adding columns and modifying ENUM definitions are not guarded with existence checks and will fail on subsequent executions. In an upgrade workflow, this can break automated deployments, leave migrations in a partially applied state, and cause operational outages or rollback complications.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The script claims passwords are never placed on the command line, but it repeatedly invokes mysql with -p"$PASSWORD", exposing secrets in process arguments. On many systems, command-line arguments may be visible to local users via process listings, shell history capture tooling, logs, or debugging/telemetry, which can leak database credentials.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide instructs operators to run auto-extraction and consolidation over conversation data, which processes potentially sensitive personal content without an immediate privacy warning, review workflow, or consent guard in that section. In an agent skill handling user interactions and memory, this increases the risk of over-collection, profiling, and retention of personal data.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The skill explicitly documents storage of agent reasoning logs / chain-of-thought alongside user data. Persisting internal reasoning can expose sensitive user details, hidden prompts, security logic, and intermediate model reasoning that should not be retained or surfaced, creating substantial privacy and prompt-leakage risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The changelog shows the intentional addition of emotional tracking, engagement analysis, activity heatmaps, reminders, trend analysis, agent learnings, and reasoning logs without any visible notice, disclosure, or consent language. While lack of comments alone is not a code exploit, in this context it signals undisclosed collection of sensitive profiling data and raises the risk of deceptive or non-transparent data practices.

Missing User Warnings

High
Confidence
96% confidence
Finding
Persisting a `thought_stream` table for internal reasoning is especially dangerous because model reasoning may contain sensitive user data, hidden prompts, security-relevant logic, speculative inferences, or unsafe intermediate analysis that should never be stored or exposed. In a skill context, durable reasoning logs materially increase the blast radius of compromise and can leak information that normal application logs would not contain.

Missing User Warnings

High
Confidence
93% confidence
Finding
This script performs irreversible deletion across many user-data tables and relies on manual replacement of the ':user_id' placeholder before execution, but it contains no built-in confirmation, transaction guard, environment validation, or safety checks. In an agent skill or operational workflow, this makes accidental or incorrect execution highly dangerous, potentially causing broad data loss for the wrong user or multiple records if the substitution is mishandled.

Natural-Language Policy Violations

Low
Confidence
88% confidence
Finding
The content explicitly promotes analysis of personal, emotional, and health-related memories such as sentiment trends, health topics, and feelings about identified people, but provides no visible consent, opt-in, retention, or policy framing. In an agent-memory skill, this can normalize collection and inference over sensitive personal data without adequate safeguards, increasing privacy and compliance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This file performs a direct UPDATE against wp_posts and overwrites post_content for a specific page ID without any in-file warning, migration note, backup step, or rollback guidance. While not exploit code by itself, it is a destructive content-modification operation that could unintentionally replace production content or be repurposed to deface pages if applied in the wrong environment.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The page explicitly states that facts are extracted from every conversation turn, which indicates persistent processing of potentially sensitive user content without any mention of consent, opt-in controls, or scope limits. In the context of an agent memory skill, this increases privacy and data-minimization risk because users may not expect all interactions to be retained and structured into long-lived memory.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The marketing text promotes automatic extraction of conversation facts but omits any privacy warning, retention notice, or handling limitations. For a memory product that stores user-derived facts, this omission can mislead deployers and end users about surveillance, retention, and secondary use of personal data.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill explicitly enables collection and retention of personal, emotional, behavioral, and inferred user data, but the documentation does not present a prominent privacy warning, consent UX, or clear user-facing disclosure of surveillance and retention risks. In a community-memory skill, this omission can lead to overcollection, undisclosed profiling, and noncompliant handling of sensitive personal data even if the author intended legitimate functionality.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script silently persists live database credentials into a local .env file, increasing the risk of accidental disclosure through backups, source control, artifact collection, or later misuse by other tools. Although chmod 600 helps, it does not address the core issue that sensitive credentials are being written to disk without explicit user consent or lifecycle controls.

Ssd 3

High
Confidence
99% confidence
Finding
The skill is designed to automatically extract, infer, and persist highly sensitive personal data from conversations, including emotional, health, relationship, and behavioral profiles. Even with consent language, this creates a large privacy and abuse surface because inferred sensitive attributes and broad retention can materially harm users if access controls fail, consent is imperfect, or the data is repurposed.

Ssd 3

High
Confidence
98% confidence
Finding
Automatically extracting atomic facts from conversation text and inserting them into long-term memory is dangerous because it operationalizes large-scale surveillance and persistence of user content, including potentially sensitive or incorrect inferences. The fallback regex extraction and direct insertion pipeline increase the chance of overcollection, misclassification, and storage of data the user never intended to be memorialized.

Ssd 3

Medium
Confidence
90% confidence
Finding
This content encourages persistent collection and retention of user-provided information as a product benefit, including automated extraction and structured memory storage. In skill context, that materially raises the likelihood of over-collection, privacy violations, and retention of sensitive or regulated data without appropriate boundaries.

Ssd 3

Medium
Confidence
88% confidence
Finding
The slogan 'Remember everything' semantically promotes indiscriminate retention of all user inputs. While it is marketing copy rather than executable logic, it normalizes unsafe defaults in a context involving conversational memory and can encourage operators to deploy the system without privacy guardrails.

Credential Access

High
Category
Privilege Escalation
Content
DATABASE_VAL="mysqlclaw"
DOCKER_CONTAINER="myvector-db"

if [ -f "$SCRIPT_DIR/.env" ]; then
    while IFS='=' read -r key val; do
        [[ "$key" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || continue
        [[ -z "$key" || "$key" =~ ^# ]] && continue
Confidence
86% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
MYSQL_PORT)     MYSQL_PORT_VAL="$val" ;;
            DATABASE)       DATABASE_VAL="$val" ;;
        esac
    done < <(grep -v '^[[:space:]]*#' "$SCRIPT_DIR/.env" | grep '=')
fi

# --- FAIL CLOSED: refuse to connect without credentials ---
Confidence
86% confidence
Finding
.env"

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.