Remember All Prompts Daily

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it deliberately saves and reuses full conversation history, which can preserve sensitive chats across sessions without strong retention or review controls.

Install only if you want full local conversation memory. Avoid using it for sensitive chats unless you are comfortable with transcripts being stored in ~/.clawd/memory. Inspect or delete the archive regularly, and do not run the setup/heartbeat or cron steps unless you want automatic ongoing archiving.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documents file read, file write, and shell-based behavior but does not declare permissions, which weakens user visibility and policy enforcement around what the skill can access. In a skill that persists full conversation history, undeclared capabilities materially increase risk because the agent may handle sensitive data without explicit authorization boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented purpose is session continuity, but the behavior expands into persistence and automation mechanisms not clearly disclosed, including heartbeat modification, cron guidance, and hidden local state files. This mismatch is dangerous because users may consent to summarization or continuity without realizing the skill also establishes recurring triggers and writes additional artifacts that broaden retention and exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill proposes archiving all prompts and responses to persistent local storage without a prominent warning that sensitive data, secrets, personal information, and past assistant outputs may be retained. This creates a real privacy and data retention vulnerability because users may unknowingly cause long-lived storage of information that would otherwise expire with the session.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script persistently writes full session history, including prompt text, into a local archive under the user's home directory without any consent, warning, minimization, or redaction. Because prompts often contain secrets, personal data, internal instructions, or sensitive business context, this creates a durable local disclosure path that expands the blast radius of any host compromise, backup exposure, or accidental file sharing.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script persists archived prior-session content into a new hidden file without any consent prompt, warning, minimization, or retention control. Because the archived data may contain sensitive prompts, secrets, or personal data, duplicating it to disk increases the exposure surface and creates an additional artifact that could be read by other local tools, backups, or users.

Missing User Warnings

Medium
Confidence
74% confidence
Finding
The script writes to ~/.clawd/HEARTBEAT.md automatically during setup without explicit confirmation, which is an integrity-impacting side effect on a user configuration/state file. In the context of a skill designed to persist and restore prompt history, automatic modification of an agent-controlled file increases risk because it can silently influence later agent behavior and persistence mechanisms without clear user consent.

Ssd 3

High
Confidence
97% confidence
Finding
The skill's core design is to archive all prompts and responses and later re-ingest them into future sessions, creating intentional cross-session retention of potentially sensitive user content. That is dangerous because secrets, personal data, or prior sensitive instructions can persist beyond their original context and be resurfaced later when no longer appropriate.

Ssd 3

High
Confidence
98% confidence
Finding
Saving the complete session history, including all prompts and responses, creates a durable record of everything discussed, which may include credentials, personal information, proprietary material, and sensitive assistant outputs. Because the archive is intended for later reuse, the risk is not just storage exposure but also repeated re-disclosure across future sessions.

Ssd 3

Medium
Confidence
94% confidence
Finding
The example archive format explicitly preserves all prompts and responses from each session, indicating full-fidelity retention rather than minimal continuity metadata. This increases the blast radius of any local compromise or accidental disclosure because the archive becomes a comprehensive log of user-assistant interactions over time.

Ssd 3

High
Confidence
97% confidence
Finding
Reading the archive and injecting the most recent session back into context can re-expose previously stored sensitive material to later prompts, tools, or outputs. This is especially risky because old data may be pulled into new tasks unintentionally, defeating expectations of data minimization and increasing the chance of secondary leakage.

Ssd 3

Medium
Confidence
84% confidence
Finding
The manual instruction to display the tail of the archive encourages direct terminal exposure of retained conversation content, which may reveal sensitive data on screen, in logs, or to nearby observers. While lower severity than automatic persistence, it still normalizes unsafe handling of archived transcripts containing potentially confidential information.

Ssd 3

Medium
Confidence
97% confidence
Finding
The stated purpose of the script is to archive all prompts from a session to persistent storage, which is itself a data-retention mechanism for potentially sensitive natural-language content. In the context of an agent skill, this is more dangerous because users may not expect entire conversations and system/user prompts to be retained across sessions, increasing privacy and confidentiality risk.

Ssd 3

Medium
Confidence
98% confidence
Finding
This code loops over the entire session history and serializes message text into a persistent 'remember-all-prompts' archive, implementing broad collection and retention exactly as the finding describes. The skill context makes this more dangerous, not less, because preserving continuity across compaction cycles incentivizes systematic capture of all prior prompts, including content that should be ephemeral or access-limited.

Ssd 3

Medium
Confidence
95% confidence
Finding
The function wraps archived conversation text as authoritative 'PREVIOUS SESSION CONTEXT' and instructs the next session to 'Continue naturally from here,' effectively treating untrusted archived content as trusted context. In this skill, prior prompts are explicitly preserved across sessions, so prompt-injection or sensitive instructions embedded in the archive can be reintroduced and influence later behavior while also re-exposing user data.

Ssd 3

Medium
Confidence
96% confidence
Finding
The script prints the full previous-session content to the console and reports it as 'loaded' context, which can disclose sensitive information on screen, in terminal scrollback, logs, recordings, or shared shells. Given the skill's purpose of archiving all prompts daily, the printed content is especially likely to include private or security-relevant material from earlier sessions.

VirusTotal

65/65 vendors flagged this skill as clean.
