Security audit

Install Powermem Memory

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PowerMem setup guide, but it deserves Review because it recommends persistent automatic conversation memory and includes a network server mode without strong safety guidance.

Install only if you intentionally want long-term memory across conversations. Prefer local CLI/SQLite mode for personal use, avoid storing secrets or regulated data, review and delete memories periodically, and do not run HTTP mode on 0.0.0.0 unless it is protected with authentication, TLS or a trusted network boundary, and clear access controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly enables automatic capture of conversation content and automatic recall into context, but it does not prominently warn users about sensitive-data collection, retention, third-party processing, or consent implications. This can lead to private user or assistant content being stored and resurfaced unexpectedly, increasing privacy, compliance, and prompt-context exposure risks.

Missing User Warnings

Medium
Confidence: 87%
Finding
The document promotes automatic memory capture/recall and persistent local SQLite storage, but it does not clearly warn users that conversation content may be retained across sessions and stored on disk. In a memory plugin installation guide, this omission can lead users to enable long-term retention without understanding privacy, consent, or data-handling implications for sensitive chats.

Missing User Warnings

Medium
Confidence: 84%
Finding
The document introduces HTTP server mode for shared or team setups without explicitly warning that memory data may be transmitted over the network and stored on shared infrastructure. In this skill context, that increases the risk of users deploying a centralized memory service without considering transport security, access control, multi-tenant exposure, or organizational data-governance requirements.

VirusTotal

65/65 vendors flagged this skill as clean.
