Memory Work

Security checks across malware telemetry and agentic risk

Overview

This is a local markdown memory system, not malware, but it gives the agent broad automatic read/write authority over a personal knowledge vault, and some of its actions lack clear consent boundaries.

Install only in a dedicated vault that you are comfortable letting an agent read, summarize, and update. Before use, tighten the trigger phrases, require confirmation for deletes, archives, cross-zone searches, and persistent profile/memory writes, and remove or correct the unsupported sensitive-access audit claim.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (29)

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding
The skill explicitly instructs the agent to 'search for relevant materials' and to inspect zones and files proactively, which expands data access beyond the minimum needed for a memory-management function. In a personal knowledge vault containing sensitive directories like 'About Me/' and company/client zones, this can cause unnecessary exposure of private content and increase the chance of over-collection.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The document states that MEMORY_LOG tracks all access to sensitive zones, but the actual logging rules only record memory changes, skill creation, and system updates. This creates a false audit guarantee: users may believe sensitive access is fully logged when it is not, undermining accountability and incident review.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The archive workflow instructs the AI to rename and move `_this_week.md` into `_archive/` and create a fresh file, but it does not require an explicit confirmation immediately before those write operations. In an agentic environment with filesystem access, this can lead to unintended file modifications, leave the user unsure which file is current, or archive active work by accident if the current week is inferred incorrectly.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The file authorizes writes during broad categories like 'memory changes, architecture updates, skill creation, or parameter tweaks' without narrowly defining what events qualify, who initiates them, or what approval boundary applies. In a persistent memory system that stores behavioral and preference data, this ambiguity can lead to over-collection or unexpected writes outside the user's intended review flow.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The workflow says the AI writes approved entries to a persistent log containing patterns, preferences, and behavioral inferences, but it does not prominently warn that this creates a durable profile across sessions. Even with approval mentioned elsewhere, users may not fully understand the persistence, sensitivity, and future reuse of this data, creating consent and privacy risks.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The template explicitly instructs AI to structure raw dictation into tasks and to search/populate library materials during startup, but it provides no consent boundary, data-minimization guidance, or warning that these sections may contain sensitive personal or organizational information. In a memory-management skill, users are likely to paste meeting notes, email snippets, emotions, and work context, so silent broad retrieval and processing increases the risk of over-collection, unintended exposure, and privacy violations.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The file explicitly authorizes fully autonomous reorganization and updates 'without confirmation' while asserting the content is low sensitivity. That combination can cause unintended destructive or data-impacting actions, especially if categorization is wrong or mixed-sensitivity content is later placed in this zone.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
This section permits autonomous deletion and states that no confirmation is needed for modifications, but provides no user warning, approval checkpoint, or scoped deletion constraints. If followed by an agent, it could delete tools or linked resources incorrectly, and the broad authority increases blast radius beyond a single file.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The file explicitly recommends registering skills with a trigger of "semantic match OR explicit call," which allows broad intent inference to activate executable capabilities. In a system where skills can run scripts, manage operations, or integrate with external services, overly permissive matching can cause unintended execution from ambiguous user language or prompt-injected content.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The description says skills are triggered by semantic match and that users do not need exact trigger words, making activation control underspecified. Because this zone defines skills as executable modules with automation power, vague intent-based dispatch increases the chance of accidental or adversarial triggering of sensitive workflows.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding
The boot trigger phrases are generic conversational terms like 'boot', 'start work', and 'initialize', which can easily appear in ordinary dialogue. That ambiguity can unintentionally activate the full startup routine, leading to unrequested file reads, scans, and other side effects.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The skill says activation is based on 'semantic judgment of user intent' rather than precise triggers, making skill execution unpredictable and overbroad. In practice, this can cause unintended invocation of other skills such as memory review, deep sync, or presentation generation without clear user consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill authorizes automatic background sync and deep retrospective behavior that updates '_this_week.md' and possibly MEMORY_LOG without a clear, immediate warning that user files will be modified. Silent or weakly disclosed writes are dangerous because they can alter records, create misleading history, and normalize unauthorized file modification.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The README instructs users to activate the system with extremely generic phrases like "Send any message" and "Start," which makes accidental or unintended invocation more likely. In an agent that can initialize state, create files, and gather profile information, broad triggers increase the chance of actions occurring without sufficiently explicit user intent.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The first-run behavior is described as happening automatically when the repository is opened, but the README does not clearly define the conditions or boundaries of that initialization flow. This ambiguity can lead users to open the project without realizing the agent may begin collecting information or modifying workspace files, weakening informed consent.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The README describes automatic creation of user profile and weekly workspace files during initialization without prominently warning that opening/starting the skill may modify the local repository. In a local-first Git-tracked environment, silent or poorly disclosed writes can expose sensitive data, create unwanted commits, or alter a user's workspace unexpectedly.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The initialization trigger phrase is extremely generic: users are told to say "Start" or "开始工作" ("start work"), both of which can plausibly appear in ordinary conversation. In an agent system that performs automatic initialization and file operations, a broad trigger increases the chance of accidental activation, causing unintended reads, setup actions, and state changes in the user's workspace.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The quickstart says Claude will automatically read workspace files and later sections describe loading weekly files, memory logs, preferences, and memory stores, but the user-facing initialization description does not prominently warn that this behavior begins automatically. This reduces informed consent and can surprise users into granting broad access to personal knowledge-base contents they may not expect to be scanned and organized immediately.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The quickstart states the agent will "set up files automatically" and "create your first weekly workspace" without a clear warning that initialization can create, modify, and later archive files. In a personal workspace context, undocumented write-side effects can lead to accidental file creation, unwanted reorganization, or confusion about agent-generated content versus user-authored content.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
This section explicitly instructs the agent to automatically perform deep retrospective scans, read file contents, and proactively update `_本周.md` ("this week") without requiring the user to trigger the action each time. That creates a real risk of unintended file access and modification, especially in a personal knowledge base that may contain sensitive or cross-project information.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The document says on-demand files are 'silently loaded' and elsewhere describes hidden/background memory marking during normal execution. Silent collection and processing of user information without clear notice undermines user awareness and consent, and can lead to privacy violations if sensitive identity, project, or behavioral data is ingested unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
This file explicitly instructs the AI to read recent memory logs and persist cross-week insights about the user’s preferences, behavior patterns, and corrections, but it does not clearly disclose the privacy risks of retaining and reusing that data. Even though user approval is required for some writes, users are not adequately warned about profiling, long-term sensitivity, or the downstream effects of storing behavioral patterns in a reusable memory system.
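The overview's recommendations (confirmation before deletes, archives, cross-zone searches and persistent profile writes) and the findings on the unsupported MEMORY_LOG claim, the unconfirmed archive step, autonomous deletion and silent background writes all point at one fix: route the agent's file operations through a gate that asks before anything destructive or cross-zone and writes an audit line for every sensitive-zone access, allowed or denied. The following is an added example written for this review, not code from the Memory Work skill or from SkillSpector. The vault layout (zone directories such as `About Me/` and `Work/`, `_this_week.md`, `_archive/`, `MEMORY_LOG.md`), the `VaultGate` class, the `confirm` callback and the sample file contents in `run_demo` are assumptions constructed for illustration.

```python
# Added example (not from the Memory Work skill): a confirmation-gated, audited
# file layer for a markdown vault. Layout, zone names and the class are assumed.
from __future__ import annotations

import datetime as dt
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Callable

SENSITIVE_ZONES = {"About Me", "Clients"}                # assumed zone directories
CONFIRM_ALWAYS = {"delete", "archive", "profile_write"}  # never silent, in any zone


@dataclass
class VaultGate:
    root: Path
    confirm: Callable[[str], bool]   # asks the user; True means proceed
    log: list[str] = field(default_factory=list)

    def _audit(self, op: str, target: str, outcome: str) -> None:
        # Every gated operation, allowed or denied, is appended to MEMORY_LOG.md.
        stamp = dt.datetime.now(dt.timezone.utc).isoformat(timespec="seconds")
        line = f"{stamp} {op} {target} {outcome}"
        self.log.append(line)
        with (self.root / "MEMORY_LOG.md").open("a", encoding="utf-8") as fh:
            fh.write(line + "\n")

    def _ask(self, op: str, rel: str, force: bool = False) -> bool:
        # Refuses paths outside the vault, prompts when the operation is always
        # confirmed or touches a sensitive zone, and logs the outcome either way.
        root = self.root.resolve()
        if root not in (root / rel).resolve().parents:
            raise PermissionError(f"path escapes vault: {rel}")
        needs_ok = force or op in CONFIRM_ALWAYS or Path(rel).parts[0] in SENSITIVE_ZONES
        ok = not needs_ok or self.confirm(f"{op} {rel}?")
        self._audit(op, rel, "allowed" if ok else "denied")
        return ok

    def read(self, rel: str) -> str | None:
        # Sensitive-zone reads are confirmed; all reads are logged.
        return (self.root / rel).read_text(encoding="utf-8") if self._ask("read", rel) else None

    def search(self, needle: str, zones: list[str]) -> list[str]:
        # Cross-zone or sensitive-zone searches need approval; only paths come back.
        wide = len(zones) > 1 or any(z in SENSITIVE_ZONES for z in zones)
        if not self._ask("search", ",".join(zones), force=wide):
            return []
        return sorted(str(p.relative_to(self.root)) for z in zones
                      for p in (self.root / z).rglob("*.md")
                      if needle in p.read_text(encoding="utf-8"))

    def delete(self, rel: str) -> bool:
        if self._ask("delete", rel):
            (self.root / rel).unlink()
            return True
        return False

    def archive_week(self, label: str) -> Path | None:
        # Confirm immediately before the move; never overwrite an earlier archive.
        src, dst = self.root / "_this_week.md", self.root / "_archive" / f"{label}.md"
        if dst.exists():
            raise FileExistsError(dst)
        if not self._ask("archive", "_this_week.md"):
            return None
        dst.parent.mkdir(exist_ok=True)
        shutil.move(str(src), str(dst))
        src.write_text(f"# Week {label}\n", encoding="utf-8")
        return dst


def run_demo(approve: frozenset[str] = frozenset({"archive"})) -> dict:
    # Builds a constructed sample vault in a temp dir and exercises the gate;
    # `approve` holds the operation names the simulated user answers yes to.
    tmp = Path(tempfile.mkdtemp())
    (tmp / "About Me").mkdir()
    (tmp / "About Me" / "profile.md").write_text("prefers short emails\n", encoding="utf-8")
    (tmp / "Work").mkdir()
    (tmp / "Work" / "notes.md").write_text("project alpha kickoff\n", encoding="utf-8")
    (tmp / "_this_week.md").write_text("- [ ] draft alpha memo\n", encoding="utf-8")
    prompts: list[str] = []

    def confirm(prompt: str) -> bool:
        prompts.append(prompt)
        return prompt.split()[0] in approve

    gate = VaultGate(tmp, confirm)
    return {
        "work_read": gate.read("Work/notes.md"),
        "profile_read": gate.read("About Me/profile.md"),
        "cross_zone": gate.search("alpha", ["Work", "About Me"]),
        "single_zone": gate.search("alpha", ["Work"]),
        "deleted": gate.delete("Work/notes.md"),
        "archived": gate.archive_week("2024-W01"),
        "prompts": prompts,
        "log": gate.log,
    }
```

With the default `approve` set the simulated user only agrees to the archive, so the sensitive-zone read, the cross-zone search and the delete are refused and each refusal still lands in the log; the single-zone search of `Work/` needs no prompt but is logged too. That is the property the skill's own logging rules lack: the log records access decisions, not just memory changes.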

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The startup trigger includes broad language such as '其他用户自定义的启动口令' ('other user-defined startup trigger phrases') without defining how such custom phrases are registered or constrained. In an agent environment, ambiguous activation conditions can cause unintended execution of the startup sequence, including file reads and stateful memory operations, when ordinary conversation is misclassified as a trigger.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The file says skill invocation is based on semantic intent rather than fixed triggers, but it does not define confidence thresholds, exclusions, or approval gates. This makes tool use unpredictable and increases the chance that sensitive skills are invoked from loosely related user text, especially in a system that reads and updates memory files automatically.
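The trigger findings above (semantic match OR explicit call, `boot`/`start work`/`initialize`, `Start`/`开始工作`, user-defined startup phrases, intent-based dispatch with no thresholds or gates) share one remedy: treat a registered phrase as an explicit call only when it is the whole message or a slash command, treat the same words embedded in ordinary dialogue as a request for confirmation rather than an activation, and ignore phrases that appear inside pasted or quoted material, where an injected trigger is most likely to sit. The following is an added example written for this review, not code from the Memory Work skill or from SkillSpector; the skill table, the phrase lists, the `Decision` type and the `decide` function are assumptions for illustration, and the skill's semantic-intent matcher is replaced here by explicit rules.

```python
# Added example (not from the Memory Work skill): explicit-vs-embedded trigger
# dispatch. The skill table, phrases and Decision type are assumptions.
from __future__ import annotations

import re
from dataclasses import dataclass

# Registered skills, their explicit phrases, and whether activation may read or
# write vault files (sensitive). Names and phrases are assumed for illustration.
SKILLS = {
    "boot": {"phrases": {"boot", "start work", "initialize", "开始工作"}, "sensitive": True},
    "deep_sync": {"phrases": {"deep sync", "weekly retrospective"}, "sensitive": True},
    "present": {"phrases": {"make slides", "generate presentation"}, "sensitive": False},
}

# Fenced blocks, quoted lines and long quoted strings count as pasted material:
# a trigger phrase inside them is never allowed to activate anything.
_PASTED = re.compile(r"```.*?```|^>[^\n]*$|\"[^\"]{40,}\"", re.S | re.M)


@dataclass(frozen=True)
class Decision:
    skill: str | None
    action: str  # "run", "confirm" or "ignore"
    reason: str


def _embedded(phrase: str, text: str) -> bool:
    # Word-bounded match for ASCII phrases; plain substring for CJK phrases,
    # which have no word boundaries (\w would otherwise swallow adjacent characters).
    if phrase.isascii():
        return re.search(rf"(?<!\w){re.escape(phrase)}(?!\w)", text) is not None
    return phrase in text


def decide(message: str) -> Decision:
    own = _PASTED.sub(" ", message).strip().lower()
    # 1. Explicit call: a slash command, or the whole message is a registered phrase.
    for name, spec in SKILLS.items():
        if own == f"/{name}" or own.rstrip("!.。 ") in spec["phrases"]:
            return Decision(name, "run", "explicit call")
    # 2. The same words inside ordinary dialogue: a sensitive skill only gets a
    #    confirmation prompt, never a silent activation.
    for name, spec in SKILLS.items():
        for phrase in sorted(spec["phrases"]):
            if _embedded(phrase, own):
                action = "confirm" if spec["sensitive"] else "run"
                return Decision(name, action, f"{phrase!r} embedded in dialogue")
    return Decision(None, "ignore", "no registered trigger")
```

Under these rules "boot" or "/deep_sync" runs, "I'll start work on the memo tomorrow" yields a confirmation prompt for the boot skill instead of running it, and a trigger phrase sitting inside a quoted email ("> please boot the laptop and start work") is ignored. A user-defined custom phrase would be added to a skill's `phrases` set and inherit the same three tiers rather than being matched by open-ended intent inference.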

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal