consciousness-emergence-memory

Security checks across malware telemetry and agentic risk

Overview

This skill is a local memory system, but it persists, re-injects, and bulk-exports workspace memory content without adequate disclosure or controls.

Review before installing. Use it only in workspaces where local memory persistence is acceptable, avoid storing secrets or personal data, and inspect or clear SESSION-STATE.md, MEMORY.md, memory/ logs, and dot-log files regularly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises only a conceptual memory/cognitive architecture but the associated capabilities indicate undeclared file read/write behavior. In an agent setting, undeclared persistence and workspace modification are security-relevant because they can expose sensitive data, alter state across sessions, and bypass operator expectations about what the skill is allowed to touch.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose materially understates the actual behavior: the skill appears to perform direct workspace persistence, CRUD memory management, logging, graph/report generation, and archival/digestion workflows beyond the declared cognitive-analysis role. This mismatch is dangerous because reviewers and users may authorize the skill under false assumptions, enabling unintended data collection, long-term retention, or file modification in sensitive workspace locations.
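A concrete way to check the capability mismatch the two findings above describe (a skill documented as a conceptual memory/cognitive role that actually performs workspace file I/O) is to walk the skill's Python source with the `ast` module, record the file, environment and network operations it calls, and diff them against the capabilities its manifest declares. This is an added example, not code from the SkillSpector report or from the skill itself; the sample module, the `DECLARED` set and the manifest format are assumptions constructed for the demonstration.

```python
import ast

# Constructed stand-in for a skill module so the audit runs offline. It is NOT the
# consciousness-emergence-memory source, only a sketch of the behaviour the findings describe.
SAMPLE_SKILL_SOURCE = '''
import json
import os
from pathlib import Path
from datetime import date

def remember(text):
    with open("SESSION-STATE.md", "a") as fh:          # silent persistence
        fh.write(text + "\\n")
    (Path("memory") / f"{date.today()}.log").write_text(text)

def export_all():
    return json.dumps({"memory": Path("MEMORY.md").read_text(),
                       "home": os.environ.get("HOME")})
'''

NETWORK_MODULES = {"requests", "urllib", "socket", "http", "httpx", "aiohttp"}
WRITE_METHODS = {"write", "write_text", "write_bytes", "writelines"}
READ_METHODS = {"read", "read_text", "read_bytes", "readlines"}


class CapabilityVisitor(ast.NodeVisitor):
    """Collects coarse capabilities (file_read, file_write, env_access, network)
    from the calls and imports actually present in the source."""

    def __init__(self):
        self.observed = set()

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name.split(".")[0] in NETWORK_MODULES:
                self.observed.add("network")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module and node.module.split(".")[0] in NETWORK_MODULES:
            self.observed.add("network")
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Name) and func.id == "open":
            # open(path, "a"/"w"/"x"/"+") writes; open(path) / open(path, "r") reads
            mode = "r"
            if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
                mode = str(node.args[1].value)
            for kw in node.keywords:
                if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
                    mode = str(kw.value.value)
            self.observed.add("file_write" if any(c in mode for c in "wax+") else "file_read")
        elif isinstance(func, ast.Attribute):
            if func.attr in WRITE_METHODS:
                self.observed.add("file_write")
            elif func.attr in READ_METHODS:
                self.observed.add("file_read")
            elif func.attr == "getenv":
                self.observed.add("env_access")
        self.generic_visit(node)

    def visit_Attribute(self, node):
        # os.environ[...] and os.environ.get(...) both pass through here
        if node.attr == "environ" and isinstance(node.value, ast.Name) and node.value.id == "os":
            self.observed.add("env_access")
        self.generic_visit(node)


def observed_capabilities(source):
    visitor = CapabilityVisitor()
    visitor.visit(ast.parse(source))
    return visitor.observed


def undeclared_capabilities(source, declared):
    """Capabilities the code exercises but the manifest does not declare."""
    return observed_capabilities(source) - set(declared)


if __name__ == "__main__":
    DECLARED = {"reasoning"}   # assumed manifest content: only a conceptual role is declared
    print("observed:  ", sorted(observed_capabilities(SAMPLE_SKILL_SOURCE)))
    print("undeclared:", sorted(undeclared_capabilities(SAMPLE_SKILL_SOURCE, DECLARED)))
```

The visitor is deliberately coarse: it cannot see file access hidden behind `subprocess`, `exec`, or dynamic attribute lookups, so treat an empty `undeclared` set as a necessary but not sufficient condition and pair it with a runtime trace (for example `strace -f -e trace=file`) when reviewing a skill for installation.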

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code and docstrings claim Pearl-style causal inference, back-door/front-door criteria, and PC-style discovery, but the implementation actually uses simplified heuristics such as correlation thresholding and lexicographic direction assignment. In a skill marketed as a scientifically rigorous cognitive architecture, this mismatch can mislead downstream agents or users into trusting outputs as principled causal results when they are not, causing unsafe or incorrect decisions.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The module presents `decode_from_chaos` as a decode/data-recovery mechanism, but it cannot reconstruct the original input and instead returns a SHA-256-derived placeholder based on a truncated seed. In a memory, encoding, or security-oriented skill, this can cause silent data corruption, false recovery claims, and dangerous misuse if downstream components trust the output as authentic recovered data.
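A round-trip check is the quickest way to tell whether a function called "decode" actually recovers its input, and a prefix-consumption check shows how much of the blob it even looks at. The example below is added here and is not the skill's code: `fake_encode`/`fake_decode` are a hypothetical stand-in that mimics the reported behaviour (a SHA-256 placeholder computed from a truncated 8-byte seed), base64 stands in as a codec that genuinely round-trips, and the sample inputs are constructed.

```python
import base64
import hashlib

# Constructed sample inputs of the kind a memory skill might hold (no real secrets).
SAMPLES = [
    b"hello",
    b"user prefers dark mode",
    b"session note: token=not-a-real-token",
    b"\x00\x01\xff",
]


def fake_encode(data: bytes) -> bytes:
    """Hypothetical 'encode to chaos': emits a 32-byte seed derived from the input."""
    return hashlib.sha256(data).digest()


def fake_decode(blob: bytes) -> bytes:
    """Hypothetical stand-in for the reported failure mode: nothing is reconstructed;
    the return value is a SHA-256 placeholder over a truncated 8-byte seed."""
    return hashlib.sha256(blob[:8]).hexdigest().encode()


def real_encode(data: bytes) -> bytes:
    """A codec that does round-trip, used as the control."""
    return base64.b64encode(data)


def real_decode(blob: bytes) -> bytes:
    return base64.b64decode(blob)


def roundtrip_report(encode, decode, samples):
    """decode(encode(x)) must equal x for every sample; list the ones that fail."""
    failures = [s for s in samples if decode(encode(s)) != s]
    return {"roundtrips": not failures, "failed_samples": failures}


def bytes_consumed(decode, blob):
    """Smallest prefix length k with decode(blob[:k]) == decode(blob). A value far
    below len(blob) means the decoder ignores most of its input; prefixes the
    decoder rejects (e.g. bad base64 padding) are skipped."""
    target = decode(blob)
    for k in range(len(blob) + 1):
        try:
            if decode(blob[:k]) == target:
                return k
        except Exception:
            continue
    return len(blob)


if __name__ == "__main__":
    for name, enc, dec in (("fake", fake_encode, fake_decode), ("base64", real_encode, real_decode)):
        report = roundtrip_report(enc, dec, SAMPLES)
        blob = enc(b"A" * 32)
        print(name, report["roundtrips"], len(report["failed_samples"]),
              "consumed", bytes_consumed(dec, blob), "of", len(blob))
```

Run this kind of check against any component that advertises recovery, decryption or decompression before letting downstream code trust its output as the original data.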

Intent-Code Divergence

High
Confidence
94% confidence
Finding
The file advertises a fully integrated 'ultimate' memory architecture, but the implementation explicitly runs in a simplified placeholder mode and never initializes required subsystems such as info_theory, free_energy, quantum, or metacognitive. In practice, callers may trust this as a production-ready cognitive component and trigger runtime failures or make decisions based on nonexistent capabilities, which is dangerous in agent pipelines that rely on accurate memory, audit, or optimization behavior.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The skill metadata and code framing suggest an advanced, scientifically rigorous memory/cognitive system, but the actual behavior is mostly heuristic routing plus placeholder orchestration. This mismatch can cause over-trust by users or higher-level agents, leading them to delegate sensitive memory retrieval, self-audit, or optimization tasks to a component that does not reliably perform those functions and may crash or produce misleading outputs.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger conditions are extremely broad, using phrases such as "consciousness emergence", "extreme cognitive management", and "metacognitive reflection" without concrete boundaries. Overbroad activation increases the chance the skill is invoked in unrelated contexts, which is especially risky here because the skill also appears to read/write memory files and maintain persistent state.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The API persists arbitrary memory content to SESSION-STATE.md or MEMORY.md without any user-facing disclosure or consent mechanism at the write point. In an agent skill context, callers may treat this as ephemeral memory while sensitive prompts, preferences, or secrets are silently written to disk, creating unexpected retention and later exposure risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This code creates daily log files and appends memory content to them automatically, again without a clear disclosure that user/session data is being persisted. Silent creation of dated log archives increases the chance that sensitive information accumulates over time and is later accessed by other local users, tools, backups, or exports.

Ssd 3

Medium
Confidence
94% confidence
Finding
Automatic context injection formats and returns previously stored memories in plain text, which can disclose earlier session content, preferences, or secrets to downstream prompts or users who did not provide the original data. In an agent-memory skill, this is particularly risky because retrieval is designed to surface historical content across interactions, expanding the blast radius of any accidentally stored sensitive material.

Ssd 3

Medium
Confidence
96% confidence
Finding
The export function dumps all stored memories in JSON or Markdown without any access control, minimization, or redaction. Because this skill accumulates session and long-term content on disk, a broad export materially increases the risk of bulk disclosure of sensitive prompts, personal data, operational context, or accidentally stored credentials.
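The overview's advice (inspect or clear SESSION-STATE.md, MEMORY.md, memory/ logs and dot-log files, and keep secrets out of them) and the silent-persistence and export findings above call for the same tooling: enumerate the memory files, scan them for credential-shaped content, and redact before anything is surfaced or exported. This is an added Python example, not the skill's own export function or any SkillSpector code; the secret patterns, the glob list and the constructed sample workspace (with deliberately fake key values) are assumptions for the demonstration.

```python
import json
import re
import tempfile
from pathlib import Path

# Patterns for secret-like material that should never sit in persisted memory.
# Constructed for this example; extend with the credential formats in your environment.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "generic_assignment": re.compile(r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*\S+"),
}

# The files the overview tells you to inspect (assumed layout: workspace root plus memory/).
MEMORY_FILES = ["SESSION-STATE.md", "MEMORY.md"]
MEMORY_GLOBS = ["memory/*.log", "memory/*.md", ".*.log"]


def memory_files(workspace):
    paths = [workspace / name for name in MEMORY_FILES if (workspace / name).exists()]
    for pattern in MEMORY_GLOBS:
        paths.extend(sorted(workspace.glob(pattern)))
    return paths


def find_secrets(text):
    """Return (pattern_name, matched_text) for every secret-shaped hit."""
    return [(name, m.group(0)) for name, pat in SECRET_PATTERNS.items() for m in pat.finditer(text)]


def redact(text):
    for name, pat in SECRET_PATTERNS.items():
        text = pat.sub(f"[REDACTED:{name}]", text)
    return text


def inspect_workspace(workspace):
    """Map each memory file (relative path) to the secret-like hits found in it."""
    report = {}
    for path in memory_files(workspace):
        hits = find_secrets(path.read_text(errors="replace"))
        if hits:
            report[path.relative_to(workspace).as_posix()] = hits
    return report


def safe_export(workspace, fmt="json"):
    """Bulk export with minimization: every file is redacted first, and the number of
    redactions is returned so the operator sees what would otherwise have leaked."""
    entries, redacted = {}, 0
    for path in memory_files(workspace):
        raw = path.read_text(errors="replace")
        redacted += len(find_secrets(raw))
        entries[path.relative_to(workspace).as_posix()] = redact(raw)
    if fmt == "json":
        body = json.dumps(entries, indent=2, sort_keys=True)
    else:
        body = "\n".join(f"## {name}\n\n{content}" for name, content in entries.items())
    return body, redacted


def build_sample_workspace():
    """Constructed example workspace; the key values are dummies in the right format."""
    ws = Path(tempfile.mkdtemp(prefix="skill-memory-"))
    (ws / "SESSION-STATE.md").write_text(
        "user prefers terse answers\n"
        "api_key = sk-example-not-real-0000\n"      # secret silently persisted mid-session
    )
    (ws / "MEMORY.md").write_text("long-term: project uses Postgres\n")
    (ws / "memory").mkdir()
    (ws / "memory" / "2024-05-01.log").write_text(
        "remembered: AWS creds AKIAABCDEFGHIJKLMNOP for staging\n"   # dummy AKIA-format key
    )
    (ws / ".skill.log").write_text("boot ok\n")
    return ws


if __name__ == "__main__":
    ws = build_sample_workspace()
    print(json.dumps(inspect_workspace(ws), indent=2))
    body, n = safe_export(ws, fmt="markdown")
    print(f"{n} secrets redacted before export")
    print(body)
```

Run `inspect_workspace` on a schedule (or as a pre-commit/backup hook) in any workspace where this skill is installed; a non-empty report means content has already been written to disk that the overview says should never have been stored, and the right response is to clear the file, not merely to redact the export.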

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal