ClawHub

Clude Memory MCP

Security checks across malware telemetry and agentic risk

Overview

This looks like a real memory MCP skill, but it needs review because it stores long-lived data externally, uses a powerful Supabase key, claims on-chain commitments, and depends on unreviewed runtime package code.

Review before installing. Use a dedicated Supabase project and rotateable secret, inspect and pin the clude-bot package before giving it credentials, avoid storing secrets or sensitive personal data, and require explicit user approval for memory writes, Claude calls with private context, and any Solana commitment behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill advertises itself as a memory MCP, but the documented toolset also includes unrelated capabilities: market/price-state retrieval and an external Claude-backed Q&A function. This kind of capability expansion can mislead users and reviewers about what data leaves the system and what external services are contacted, increasing the risk of unintended data exposure or overbroad trust.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest and description position this as a memory-system MCP server, but the file also exposes a general-purpose chat/persona tool that sends arbitrary user input to an external Claude API. That expands the skill beyond its declared scope, increases data egress risk, and can surprise callers who expect only memory operations. In an MCP context, undeclared capabilities are especially risky because agents may grant trust or permissions based on the advertised purpose.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The market mood/price-state tool is outside the stated purpose of a cognitive memory server and broadens the attack surface with unrelated functionality. Scope drift matters in MCP skills because agents and users may trust the server for one narrow capability while it exposes other data or behaviors that influence downstream decisions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documentation states that memories persist across conversations and are committed to Supabase and Solana, but it does not present a prominent user warning about long-term retention and off-system storage. This is dangerous because users may provide sensitive or regulated information under the assumption of ephemeral chat behavior, when in fact the content may be durably stored and externally committed.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill requires `SUPABASE_SERVICE_KEY`, a privileged backend credential, without any warning about its administrative scope or the consequences of misuse. Using a service-role key in an agent-integrated skill materially raises the blast radius of prompt abuse, misconfiguration, or logging leaks, potentially exposing or modifying all data in the backing database.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The store_memory tool persists arbitrary content, summaries, tags, and related user identifiers across conversations without any visible warning, consent flow, retention control, or sensitivity guardrails. This creates privacy and compliance risk because callers may send secrets, personal data, or regulated information that becomes durable state linked to identities.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The recall_memories tool returns full memory content along with tags and user-linked metadata, which can expose previously stored sensitive information to any caller with tool access. In a memory system, retrieval is as sensitive as storage: unrestricted recall can leak private conversation content, identifiers, internal notes, or secrets accumulated over time.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal