Dream

Security checks across malware telemetry and agentic risk

Overview

Dream is a local memory-management skill, but it keeps and rewrites sensitive memory data with limited confirmation, deletion, and trigger safeguards.

Install only if you intentionally want a local, long-lived personal memory archive. Treat dream forget as active-memory cleanup, not full deletion. Before enabling scheduled reviews, choose a safe DREAM_VAULT_PATH, back up MEMORY.md, avoid storing secrets or highly sensitive personal data, and prefer explicit dream commands over broad natural-language triggers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill instructs the agent to automatically write user-derived information into persistent files during normal conversation and on a schedule, without clear notice or explicit consent boundaries. In a memory-management skill, that context makes the issue more dangerous because the data being written is specifically personal history, preferences, projects, and corrections, which can accumulate into sensitive profiling.

Missing User Warnings

High
Confidence: 97%
Finding
`dream forget` is documented to delete matching entries from active memory '无需确认,直接执行' ("no confirmation needed, execute directly") while implying successful forgetting, yet the skill also preserves permanent archive copies in the ledger. That combination is dangerous because users may reasonably believe sensitive information was erased when it remains recoverable, and the lack of confirmation increases the chance of unintended destructive changes to working memory.

Vague Triggers

Medium
Confidence: 96%
Finding
The trigger phrase `review` is extremely generic and likely to appear in normal conversation, making unintended activation plausible. In this skill's context, unintended activation can cause autonomous memory distillation and archival actions on personal data, so an accidental invocation has meaningful privacy and integrity consequences even without overtly malicious code.

Vague Triggers

Medium
Confidence: 90%
Finding
The phrase `what do you remember about me` is broad natural language that overlaps with ordinary user conversation, so the skill may activate when the user is simply asking the assistant a question rather than intentionally invoking the skill. Because this command exposes a `MEMORY.md` snapshot, accidental triggering could disclose sensitive stored personal context unexpectedly.

Missing User Warnings

Medium
Confidence: 88%
Finding
The README emphasizes that Dream runs silently, nightly, and maintains a permanent append-only archive, but does not present this as a prominent privacy warning or consent boundary. Users may install it without fully appreciating that personal memory data will be automatically rewritten, archived indefinitely, and potentially resurfaced via re-emergence logic, which increases privacy and retention risk.

Ssd 3

Medium
Confidence: 94%
Finding
The skill broadly collects and persists personal context such as decisions, projects, preferences, and relational background into long-lived memory structures without clearly scoped consent or minimization rules. Because the purpose of the skill is durable memory distillation, the context amplifies risk: it can silently transform ordinary chat into a structured personal dossier that persists beyond the user's immediate expectations.

Ssd 3

High
Confidence: 98%
Finding
The forget workflow claims to clear content from memory while explicitly keeping ledger copies permanently, creating a deceptive deletion model. In a persistence-focused skill, this is especially dangerous because users may invoke forgetting for privacy or safety reasons, yet the most durable archive remains intact and future re-emergence logic may even restore related content back into active memory.

VirusTotal

65/65 vendors flagged this skill as clean.
