
Security audit

Install Powermem Memory

Security checks across malware telemetry and agentic risk

Overview

This is a coherent guide for installing a long-term memory plugin, with the main privacy-sensitive behavior disclosed and aligned with the plugin’s purpose.

Install this only if you want conversation details saved into persistent memory and recalled later. Review autoCapture and autoRecall settings, confirm where the SQLite database or HTTP server stores data, avoid storing secrets or regulated data unless approved, and verify the upstream PowerMem/plugin installer before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill promotes automatic capture and recall of conversation content without clearly warning users about privacy, retention, and sensitive-data handling implications. This can lead to unintentional storage and later resurfacing of personal, confidential, or regulated information across sessions, especially because auto-capture and auto-recall are enabled by default.

Missing User Warnings

Medium
Confidence: 91%
Finding
The document promotes auto-capture and auto-recall of conversation data into persistent storage, but it does not clearly warn users that potentially sensitive prompts, personal data, credentials, or confidential business context may be retained on disk or in a shared backend. In a memory-plugin installation guide, this omission is security-relevant because users may enable the feature without understanding retention, access, sharing, and deletion implications.

VirusTotal

64/64 vendors flagged this skill as clean.
