ClawHub

Dream

Security checks across malware telemetry and agentic risk

Overview

Dream is a coherent local memory tool, but it silently persists and rewrites personal memory, supports no-confirm deletion, and keeps supposedly forgotten data in a permanent archive.

Install only if you intentionally want a local system that automatically maintains a long-lived profile of your memory. Review MEMORY.md and ledger.md regularly, avoid storing secrets or highly sensitive personal data, use a private DREAM_VAULT_PATH, and consider adding confirmation or backups before using dream forget or scheduled distillation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (12)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The document claims Dream is read-only for `memory/YYYY-MM-DD.md`, but later `dream forget` explicitly performs semantic search and deletion in those files. This contradiction is dangerous because operators and users may rely on the safer stated boundary while the skill actually has destructive authority over historical memory data.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
`dream forget` gives the skill authority to remove semantically matched historical memory entries, which is a destructive capability beyond simple summarization or distillation. In context, semantic matching can over-delete unrelated or partially related memories, causing loss of auditability and user context with no recovery path described for the primary stores.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases include broad natural-language expressions such as '复盘', '整理记忆', and '你记得我什么', which can arise in ordinary conversation without intent to invoke a privileged memory-maintenance workflow. Because the skill performs writes, archival, and deletion, accidental invocation can lead to unintended persistence or mutation of user data.

Missing User Warnings

High
Confidence
96% confidence
Finding
This section directs automatic writes to `MEMORY.md` during conversation and records additional data into daily memory files, but it does not provide meaningful user notice, consent, or boundaries on what will be persisted. In a memory skill, silent persistence is especially risky because it can capture sensitive personal, relational, or decision data into long-lived stores without the user realizing it.

Missing User Warnings

High
Confidence
99% confidence
Finding
`dream forget` performs deletion and explicitly says '无需确认,直接执行', which removes an important safety barrier for a destructive operation. Combined with semantic matching, this can delete more data than intended based on ambiguous descriptions or accidental invocations.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The manual trigger list includes very generic phrases such as 'dream', 'review', and 'what do you remember about me', which can plausibly appear in normal conversation and unintentionally activate memory operations. In a memory-management skill, accidental invocation can cause unplanned reads, searches, indexing, or state changes involving sensitive personal data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README promotes automatic, silent nightly distillation of personal memory and archival behavior without an equally prominent warning about privacy, retention, and review of what will be stored. Because the skill handles highly sensitive user context, silent background processing increases the risk that users will unknowingly accumulate persistent personal data.

Ssd 3

High
Confidence
98% confidence
Finding
The skill states that forgetting removes content from active memory stores but does not affect the permanent ledger, and the re-emergence mechanism can reinsert similar content later. This creates a data retention and re-exposure channel that undermines user expectations of deletion, especially for sensitive personal information the user tried to remove.

Ssd 3

Medium
Confidence
90% confidence
Finding
The skill defines ongoing collection, summarization, and archival of user conversation details into multiple persistent stores (`MEMORY.md`, daily memory files, ledger, indexes). In context this is the intended feature, but it still increases privacy and retention risk because broad categories of personal/contextual data may be stored indefinitely and resurfaced later.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill explicitly states that long-term memories are preserved forever in an append-only archive, even after cleanup from active memory. This creates a durable retention risk for sensitive personal information, especially when users may reasonably expect removed content to be actually forgotten rather than merely hidden from the active file.

Ssd 3

Medium
Confidence
98% confidence
Finding
The documented 'dream forget' behavior removes data only from active memory while keeping it in the permanent archive, which conflicts with normal user expectations for a forget action. That mismatch can lead to continued storage and later resurfacing of sensitive information users believed had been removed.

Ssd 3

Medium
Confidence
97% confidence
Finding
The Security section confirms that forgetting does not affect the permanent archive, reinforcing that the system retains user data despite removal requests. This is dangerous because it normalizes a retention model that can preserve sensitive personal history indefinitely and expose it through future searches or summaries.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal