Security audit

Memory Lesson Manager

Security checks across malware telemetry and agentic risk

Overview

This is a local lesson-memory management skill whose file-writing behavior is disclosed and aligned with its purpose, though users should be careful with migration and rollback commands.

Install only if you want a workspace-local memory system and are comfortable with scripts creating, editing, moving, and archiving files under memory/, state/, and skills/. Use dry-run modes first, keep backups before migration, and review the rollback rm -rf commands carefully before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
79% confidence
Finding
The skill advertises multiple shell-capable helper scripts and mentions semantic search, but it does not declare the permissions or capabilities those operations require. Undeclared shell and possible network behavior weakens transparency and policy enforcement, making it easier for a caller to invoke filesystem-changing or externally connected actions without informed approval.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The stated purpose presents the skill as a learning-record manager, but the documented behavior includes broader operational actions: initializing directory trees, creating files, auto-repairing content, writing bidirectional links, fuzzy searching, and running tests that inspect permissions and skill contents. This mismatch can mislead users or orchestration systems about the real execution surface, increasing the chance of unintended file modification, overbroad access, or unsafe auto-execution in trusted contexts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly recommends an auto-fix command that can modify diary files but does not warn users that running with --fix may rewrite content. In an agent-skill context, users may copy commands verbatim, so the lack of disclosure increases the chance of unintended file changes or silent corruption of notes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The archive command is shown as a routine operation without explaining that it moves entries and changes their lifecycle/state. This can lead operators or automated agents to run it without understanding that records may disappear from active locations, affecting retrieval, workflows, or auditability.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The skill extraction example shows a command that creates directories and files, but the documentation only describes the result after execution rather than warning beforehand about filesystem changes. In practice this is lower severity than destructive modification, but it can still cause unintended repository changes, clutter, or unsafe automation if invoked blindly.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
# 1. Remove the new structure
rm -rf memory/lessons/{HOT,WARM,COLD}
rm -rf state

# 2. Restore the backup
```
Confidence
93% confidence
Finding
rm -rf memory/lessons/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
rm -rf state

# 2. Restore the backup
rm -rf memory/lessons
cp -r memory-backup-*/memory/lessons memory/

# 3. Verify the restore
```
Confidence
95% confidence
Finding
rm -rf memory/

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.