Clude Memory

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed persistent-memory integration, with privacy and installer risks that are expected for its purpose rather than hidden or deceptive behavior.

Install only if you want your agent to keep long-term memory. Prefer local mode for private work, avoid storing secrets or sensitive personal details, periodically review and delete memories, and use cloud mode only if you are comfortable with memory data syncing outside the local machine.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The instruction to call `remember` naturally during conversations encourages broad, routine persistence of conversational data without strong gating. In context, this can lead agents to over-collect personal, sensitive, or unnecessary information, especially because the skill is explicitly designed as persistent long-term memory.

Natural-Language Policy Violations

Medium
Confidence: 95%
Finding
Directing the agent to recall user information at the start of every session normalizes automatic retrieval of potentially sensitive personal context without a fresh user request. In a memory skill, this increases privacy risk, inappropriate profiling, and accidental exposure of stale or sensitive information into unrelated conversations.

VirusTotal

63/63 vendors flagged this skill as clean.
