pensieve-algorand

Security checks across malware telemetry and agentic risk

Overview

The skill performs the advertised encrypted memory anchoring and recovery workflow, but it handles highly sensitive wallet and memory data so users should configure it carefully.

Install only if you are comfortable giving the skill access to a dedicated Algorand anchoring wallet and an AES note key. Do not reuse a main wallet, keep the wallet low-balance, prefer protected environment variables over local fallback files, secure any .secrets directory, and remember that encrypted memory placed on-chain is effectively permanent if the key is ever exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The architecture explicitly states that the daily anchor payload includes full memory-layer content and is written to Algorand notes, which creates a serious confidentiality risk because episodic, semantic, procedural, and self-model data can contain highly sensitive personal or operational information. Although the document mentions AES-GCM encryption, it provides no user-facing warning, consent boundary, data-minimization control, or key-management caveat; if keys are mishandled, reused, exfiltrated, or future recovery workflows expose plaintext, the blockchain anchoring becomes a durable high-impact disclosure channel.

Missing User Warnings

Medium
Confidence: 87%
Finding
The runbook instructs operators to call `pensieve_recover(..., restore=True)`, which writes reconstructed files into `memory/recovered/`, but it does not prominently warn that this operation modifies the local filesystem. In an agent or MCP context, a user may reasonably interpret recovery as an inspection or validation step and trigger persistent writes unintentionally, which can conflict with what the user expected to happen, place sensitive recovered data onto disk, or violate the principle of least surprise.

VirusTotal

66/66 vendors flagged this skill as clean.
