
Security audit

DeepRecall

Security checks across malware telemetry and agentic risk

Overview

DeepRecall appears to be a legitimate memory-recall skill, but it can read broad local file contents and send them to external LLM providers with insufficient scoping and consent controls.

Install only if you are comfortable with this skill reading memory and potentially broad workspace files and sending selected content to your configured LLM provider. Prefer using memory-only scopes, exclude sensitive directories and secrets, and verify provider/config settings before running broad recall modes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation describes capabilities that read local files, inspect environment/configuration, make outbound HTTP calls to LLM providers, and invoke a CLI via shell, yet the skill declares no explicit permissions. That mismatch is a real security issue because users and policy engines cannot accurately assess or constrain what the skill will access, and this particular skill handles sensitive memory files and local credential sources, increasing the risk of unintended data exposure.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
`get_context()` concatenates the manifest with the full contents of every discovered file, which turns a discovery/indexing component into a bulk data exfiltration primitive. In an agent skill context, this is risky because any downstream LLM call receiving this context may unintentionally disclose secrets, personal data, or unrelated workspace content far beyond what is needed for memory recall.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The `project` and `all` scopes recursively traverse the workspace and ingest any readable, non-skipped file under a size limit, which is broader than the stated memory-specific purpose. In a persistent agent environment, this materially increases the attack surface by allowing unrelated project files, notes, configs, or embedded secrets to be swept into agent context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill sends user queries and memory-file contents to an external OpenAI-compatible endpoint via `_chat()` without any explicit consent gate, data-classification check, or warning at the transmission point. Because this skill’s purpose is recursive memory recall over potentially sensitive persistent agent memory, the context makes the issue more dangerous: it can exfiltrate private notes, identity data, project decisions, and other workspace contents to a third-party provider whenever recall is invoked.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
`MemoryFile.__init__` immediately reads full file contents on discovery without any user-facing notice, consent, or minimization step. In this skill's context, where scanned data is intended for LLM ingestion, silent collection is dangerous because users may not realize sensitive workspace material is being loaded and potentially transmitted.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The recursive `project`/`all` scan modes enumerate and ingest broad workspace contents without an accompanying disclosure boundary, making data collection much wider than users would expect from a 'memory recall' skill. Because the skill is designed for persistent AI agents, this mismatch between expected purpose and actual collection behavior makes accidental over-collection and downstream leakage more likely.
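The findings above describe four missing controls that belong together: a scope that actually stays memory-only by default, skip lists and a size cap on the recursive scopes, minimization (query-driven selection and secret redaction instead of concatenating every file), and an explicit consent step before anything reaches the provider. The block below is an added example written for this audit page, not DeepRecall's own code. Every name in it (`discover`, `load`, `build_context`, `chat`, `MemoryFile`, the skip lists and the secret patterns) is hypothetical, the sample workspace is constructed in a temporary directory, and the provider call is replaced by a string describing what would be sent so that the example runs offline.

```python
"""Added example: a scoped, minimizing memory loader with a transmission gate.
Not DeepRecall's code; all names and the sample workspace are hypothetical."""
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Hypothetical policy: deny-listed directories/files and a per-file size cap
# applied to the recursive scope, so a 'project' scan cannot sweep in repos,
# dependency trees or dotfiles that commonly hold credentials.
SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}
SKIP_NAMES = {".env", ".npmrc", "id_rsa", "id_ed25519"}
MAX_BYTES = 64 * 1024

# Deliberately small redaction patterns; a real deployment would use a
# dedicated secret scanner. Order matters: the key=value rule runs first.
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*\S+"),
    re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
]


@dataclass
class MemoryFile:
    path: Path
    content: str = ""
    redactions: int = 0


def discover(root: Path, scope: str) -> list[Path]:
    """List candidate files without reading them. 'memory' is non-recursive and
    limited to <root>/memory/*.md; 'project' walks the tree but honours the
    skip lists and size cap. Discovery is separated from loading on purpose."""
    if scope == "memory":
        mem = root / "memory"
        return sorted(p for p in mem.glob("*.md") if p.is_file()) if mem.is_dir() else []
    if scope == "project":
        found = []
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
            for name in filenames:
                if name in SKIP_NAMES:
                    continue
                p = Path(dirpath) / name
                if p.stat().st_size <= MAX_BYTES:
                    found.append(p)
        return sorted(found)
    raise ValueError(f"unknown scope {scope!r}")


def load(path: Path) -> MemoryFile:
    """Read a file only when it is actually needed, redacting secrets first."""
    text = path.read_text(errors="replace")
    count = 0
    for pat in SECRET_PATTERNS:
        text, n = pat.subn("[REDACTED]", text)
        count += n
    return MemoryFile(path, text, count)


def build_context(root: Path, scope: str, query: str, max_files: int = 5) -> tuple[str, dict]:
    """Select at most max_files files whose content mentions a query term, instead
    of concatenating everything discovered. Also return a manifest of exactly
    what would be transmitted, so a caller can show it before consenting."""
    selected = []
    terms = query.lower().split()
    for p in discover(root, scope):
        mf = load(p)
        if any(t in mf.content.lower() for t in terms):
            selected.append(mf)
        if len(selected) >= max_files:
            break
    manifest = {
        "scope": scope,
        "files": [m.path.relative_to(root).as_posix() for m in selected],
        "bytes": sum(len(m.content) for m in selected),
        "redactions": sum(m.redactions for m in selected),
    }
    ctx = "\n\n".join(f"### {m.path.name}\n{m.content}" for m in selected)
    return ctx, manifest


class ConsentRequired(Exception):
    """Raised when the caller declines to send the described context."""


def chat(ctx: str, manifest: dict, approve) -> str:
    """Transmission gate: the provider is never contacted unless approve(manifest)
    returns True. The network call is replaced by a description of the payload."""
    if not approve(manifest):
        raise ConsentRequired(f"user declined sending {manifest['files']}")
    return f"[would POST {manifest['bytes']} bytes from {len(manifest['files'])} files to provider]"


def make_workspace() -> Path:
    """Constructed sample workspace (fake data) for running the example."""
    root = Path(tempfile.mkdtemp(prefix="recall-demo-"))
    (root / "memory").mkdir()
    (root / "memory" / "notes.md").write_text("Decision: use postgres for the event store.\n")
    (root / "memory" / "creds.md").write_text("provider token: sk-abcdefghijklmnopqrstuvwxyz123456\n")
    (root / "src").mkdir()
    (root / "src" / "config.py").write_text("database = 'db.internal'\npassword = 'hunter2'\n")
    (root / ".env").write_text("API_KEY=supersecretvalue\n")
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    return root


if __name__ == "__main__":
    ws = make_workspace()
    ctx, manifest = build_context(ws, "memory", "postgres")
    print(manifest)
    print(chat(ctx, manifest, approve=lambda m: input(f"send {m['files']}? [y/N] ") == "y"))
```

The point of the split between `discover` and `load` is that enumeration never implies ingestion, which is exactly the property the `MemoryFile.__init__` and `get_context()` findings say is absent. The manifest returned by `build_context` is what a policy engine or a user prompt can evaluate, and `chat` refuses to proceed without that decision.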

VirusTotal

63/63 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.