memory-pro

Security checks across malware telemetry and agentic risk

Overview

Memory Pro is mostly a legitimate local memory-search tool, but it needs Review because it indexes more private workspace content than its description makes clear and, if remote reranking is enabled, can send memory snippets to remote reranking endpoints.

Before installing, narrow MEMORY_PRO_DATA_DIR, MEMORY_PRO_EXTRA_MD_DIRS, and MEMORY_PRO_CORE_FILES to only content you intend to index. Keep remote reranking disabled unless you trust the endpoint and accept that search queries and selected memory snippets may leave your machine. Store generated index artifacts in a private local directory and do not sync or share them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (28)

Tainted flow: 'INDEX_FILE' from os.getenv (line 17, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def save_index(index):
    INDEX_FILE.parent.mkdir(parents=True, exist_ok=True)
    with open(INDEX_FILE, 'w', encoding='utf-8') as f:
        json.dump(index, f, ensure_ascii=False, indent=2)

def search(query):
Confidence
94% confidence
Finding
with open(INDEX_FILE, 'w', encoding='utf-8') as f:

Tainted flow: 'url' from os.getenv (line 27, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    for attempt in range(MAX_RETRIES):
        try:
            # Send POST request
            response = requests.post(url, json=payload, headers=headers, timeout=TIMEOUT)
            response.raise_for_status()
            return response.json()
Confidence
94% confidence
Finding
response = requests.post(url, json=payload, headers=headers, timeout=TIMEOUT)

Tainted flow: 'endpoint' from os.getenv (line 54, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
            "documents": [c.get("sentence", "") for c in work],
            "top_n": topn,
        }
        r = requests.post(endpoint, json=payload, headers=headers, timeout=timeout_ms / 1000)
        r.raise_for_status()
        data = r.json()
        # common jina response format: {results:[{index,relevance_score},...]}
Confidence
96% confidence
Finding
r = requests.post(endpoint, json=payload, headers=headers, timeout=timeout_ms / 1000)

Tainted flow: 'endpoint' from os.getenv (line 76, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
            "documents": [c.get("sentence", "") for c in work],
            "top_n": topn,
        }
        r = requests.post(endpoint, json=payload, headers=headers, timeout=timeout_ms / 1000)
        r.raise_for_status()
        data = r.json()
        rows = data.get("results", data.get("data", []))
Confidence
97% confidence
Finding
r = requests.post(endpoint, json=payload, headers=headers, timeout=timeout_ms / 1000)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The manifest presents the skill as a simple local semantic search tool, but it clearly requires broad capabilities including environment access, file reads/writes, and network-related behavior. This weakens user consent and review because the declared scope does not accurately communicate the privilege surface, increasing the risk of over-privileged deployment and unintended data exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose says the skill provides semantic search over memory files using a local vector database, but the behavior described is materially broader: legacy keyword indexing, additional file sources, a long-running HTTP API, benchmarking tooling, and optional remote reranking. That mismatch is dangerous because users may grant access believing the skill is local and limited, while it can process more data and communicate beyond the stated scope.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill is described as local semantic search, but it actually depends on a continuously running local API service bound to a fixed port. Exposing a service increases the attack surface because other local processes may access it, and a fixed port can create collisions, hijacking, or unauthorized query access if not authenticated and documented.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The manifest includes remote reranker provider settings, endpoint configuration, timeout controls, and an API key, which directly contradicts the claim of a purely local vector database. If enabled, search content or derived memory data may be transmitted to third-party services, creating confidentiality and compliance risks for sensitive memory files.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill description says it performs local semantic search over memory files, but the implementation actually sends queries over HTTP to a separate service. That mismatch is security-relevant because users may reasonably assume their memory contents stay local and never traverse a network interface, reducing informed consent and trust boundaries.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Allowing an arbitrary endpoint override through both an environment variable and the --url argument means the skill can be redirected to any remote host, not just a local vector database. In this context, the transmitted search queries likely contain sensitive memory content, so the override materially increases the chance of silent exfiltration beyond the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The --api argument allows an operator or downstream wrapper to direct queries to any HTTP endpoint, which can send potentially sensitive memory-search queries to non-local services. In a skill intended for local memory search, this broad network capability expands trust boundaries and creates an exfiltration/SSRF-like risk if misused or invoked in an unexpected environment.

Description-Behavior Mismatch

Medium
Confidence
78% confidence
Finding
The skill is described as semantic search over memory files, but this component materializes multiple local artifacts containing the full memory corpus and metadata. That broadens data exposure beyond what users may reasonably expect from a search feature, increasing the chance of unintended disclosure through leftover files, backups, or other local processes.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code writes a plaintext corpus of all indexed memory text plus a detailed metadata file including source information, timestamps, scope, and tags. For a memory-search skill, this creates an unnecessary secondary copy of sensitive user data that can increase privacy risk and make exfiltration or accidental exposure easier.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The preprocessing logic goes beyond the skill's stated purpose of searching 'memory files' by also ingesting workspace docs, self-improvement learnings, and top-level core files. In an agent context, this broadens the data boundary silently and can expose unrelated sensitive project or agent state into the memory index, making later retrieval leakier than users would reasonably expect.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code reads broad workspace and agent-related files such as .learnings, docs, and top-level files like AGENTS.md or USER.md without a narrowly scoped justification tied to semantic memory search. This creates unnecessary access to potentially sensitive operational or instruction data, which may then be embedded and surfaced through later queries.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code contradicts the stated behavior of providing local semantic search by transmitting the query and memory sentences to remote rerank services. This mismatch is dangerous because users may expose sensitive memory contents under the false assumption that processing remains local.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Supporting arbitrary external rerank providers introduces unnecessary network capability for a local memory search skill. That broad capability expands the attack surface, allowing sensitive memory data to be sent to untrusted hosts and making misuse materially more dangerous in this skill context.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The markdown enumerates extensive environment-variable and credential access, including a reranker API key, but does not warn users that the skill can handle sensitive configuration and potentially externalize search data. This is a security transparency problem that can lead to accidental exposure of secrets or memory contents during setup and operation.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The troubleshooting guidance recommends killing whatever process is using port 8001 via `kill $(lsof -t -i:8001)` without warning or validation. That can terminate unrelated local processes and can be abused or misused in environments where port ownership is ambiguous, causing denial of service or disruption.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The script transmits each benchmark query to an HTTP service without any disclosure at runtime, and those queries may reflect sensitive memory contents or user-derived prompts. Even though the default is localhost, the code also supports arbitrary endpoints, so silent transmission can lead to unintended data exposure.

Vague Triggers

Medium
Confidence
94% confidence
Finding
These trigger entries are very short and generic, such as product names or common phrases, which makes accidental activation likely during unrelated user conversations. In a memory-search skill, overbroad activation can expose private stored memories or route user input into retrieval flows the user did not clearly intend to invoke.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Queries like weather locations and messaging-related terms are ambiguous and commonly appear in normal conversation, so they can spuriously match this skill's activation or evaluation logic. Because the skill searches memory files, ambiguous triggers increase the chance of unintended memory access or context mixing when the user is asking about something else entirely.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Filename-like terms and broad workflow phrases are especially risky because they overlap with common project artifacts and routine discussion, making false activations probable. In the context of a semantic memory system, this can cause unauthorized or surprising retrieval of internal notes, status files, or operational details from the user's stored memory corpus.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill reads potentially sensitive workspace files and directories with no in-code disclosure, consent flow, or visible warning that these sources are being indexed. In practice, users may believe only memory notes are searched while the system also processes broader workspace and agent metadata, increasing the risk of inadvertent data exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code derives paths from environment variables and resolves them into filesystem locations without any user-facing notice or strong confinement to a narrow approved directory. This allows deployment configuration to silently expand the indexed corpus to sensitive workspace areas, making the eventual retrieval layer a potential disclosure channel.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal