Session Memory & Summarization

Security checks across malware telemetry and agentic risk

Overview

This memory skill appears purpose-built rather than malicious, but it automatically stores and reinjects raw conversation history in ways users should review carefully.

Install only if you intentionally want conversation content to be saved locally and reused in later sessions. Avoid using it with secrets, credentials, regulated data, or confidential work unless you are comfortable managing the memory files yourself and can delete or disable them when needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (14)

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation explicitly describes automatic loading of prior conversation memory and AI summarization, but it provides no clear privacy notice, consent model, retention details, or guidance about sensitive data. Because this skill persists and re-injects conversation content across sessions, users may unknowingly expose secrets, personal data, or confidential workspace context beyond the original session boundary.

Missing User Warnings

Medium
Confidence: 84%
Finding
The manual testing instructions tell users to inspect the generated `memory/` directory but do not warn that these files may contain verbatim or summarized conversation data. In a skill whose purpose is cross-session memory preservation, this omission increases the risk that sensitive content is written to disk without users appreciating the confidentiality implications or applying appropriate filesystem protections.

Missing User Warnings

Medium
Confidence: 90%
Finding
The README explicitly describes automatic persistence of AI summaries and verbatim recent conversation turns, but provides no privacy, consent, retention, or redaction guidance. In a memory skill, this creates a real risk that sensitive user data, credentials, personal information, or confidential work content will be stored and later reintroduced across sessions without the user realizing it.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly preserves and later reinjects the last 10 raw conversation turns verbatim, but the documentation shown does not provide a clear privacy warning, consent model, or guidance about sensitive data retention. In a session-memory skill, this creates a real risk of persisting secrets, personal data, or prior instructions and replaying them into future sessions where they may be exposed again.

Missing User Warnings

Medium
Confidence: 94%
Finding
The manifest explicitly advertises automatic loading of recent conversation memory into new sessions and AI summarization during compaction, but it provides no user-facing disclosure about privacy implications, retention behavior, or what content may be persisted and reintroduced later. In a session-memory skill, this omission is materially risky because users may unknowingly expose sensitive prior-session data to future contexts, increasing the chance of unintended disclosure, prompt-context leakage, or privacy non-compliance.

Missing User Warnings

Medium
Confidence: 95%
Finding
The hook automatically reads prior conversation memory from disk and injects it into every new session without any explicit user disclosure, consent, or visibility in the conversation itself. This creates a cross-session privacy boundary issue: sensitive content from earlier sessions may silently influence future prompts and be exposed to the model or downstream tools even when the user expects a fresh session.

Ssd 3

Medium
Confidence: 95%
Finding
Preserving and reinjecting the last 10 raw messages verbatim can carry forward sensitive information such as passwords, API keys, personal data, or confidential instructions into future sessions. Because the feature is designed to happen automatically for continuity, the skill context makes the issue more rather than less dangerous: it increases the chance of cross-session data leakage and unintended disclosure to later prompts, tools, or users with access to the workspace.

Ssd 3

Medium
Confidence: 96%
Finding
The documented memory file format stores raw conversation content in persistent markdown/JSON files on disk, which can expose confidential user data to anyone or any process with filesystem access. This is especially risky because the data is structured for easy reuse and sits in a predictable location, increasing the likelihood of accidental exposure, unauthorized access, or reuse of stale sensitive context.

Ssd 3

Medium
Confidence: 95%
Finding
The description states that the skill preserves the last 10 raw messages verbatim for exact session resumption, which establishes cross-session storage and replay of natural-language content. That design can carry forward sensitive user data, credentials, personal details, or unsafe prior prompts into later sessions without contextual minimization.

Ssd 3

Medium
Confidence: 94%
Finding
Loading and injecting recent raw conversation turns into a new session creates a direct path for prior sensitive content to re-enter the model context, where it may influence outputs or be surfaced unexpectedly. Because the skill's purpose is continuity, the surrounding context makes this behavior intentional and operationally central, which increases the likelihood of routine exposure rather than making it safer.

Ssd 3

Medium
Confidence: 95%
Finding
Persisting the last 10 raw conversation turns as JSON in memory files creates a durable retention and replay mechanism for unstructured sensitive content. Even without malicious intent, this increases exposure through local file access, backups, sync tools, or later prompt injection of historical data back into active sessions.

Ssd 3

Medium
Confidence: 94%
Finding
The hook persists recent user and assistant messages in plaintext under a workspace memory file, creating durable storage for potentially sensitive conversation content. In this skill context, the feature is specifically designed to carry context across sessions, which makes the retention channel more dangerous because secrets, personal data, or internal prompts may be written to disk and later exposed to other tools, users, backups, or logs.

Ssd 3

Medium
Confidence: 97%
Finding
The code restores the last messages verbatim and inserts them as a system message, which elevates prior user-provided text into a highly trusted prompt position. This can leak secrets from previous conversations into later model context and also preserve prompt-injection content or unsafe instructions across sessions, making the next session easier to manipulate.

Ssd 3

Medium
Confidence: 91%
Finding
The design explicitly prioritizes preserving exact phrasing and decisions across sessions, which increases the chance that confidential user text, credentials, personal data, or prior malicious prompt content will persist unchanged. In this skill context, session continuity makes the issue more dangerous because the mechanism is intentionally broad and automatic rather than narrowly scoped to safe state transfer.

VirusTotal

VirusTotal findings are pending for this skill version.