ClawHub

Memcord

Security checks across malware telemetry and agentic risk

Overview

Memcord is a coherent local memory skill, but its default instructions encourage saving whole conversations to disk without clear user consent or retention controls.

Review before installing. This skill is not showing exfiltration or destructive behavior, but it can persist chat contents locally and recall them later. Use it only if you are comfortable with local conversation retention, avoid saving secrets or credentials, and prefer explicit 'remember this' use until the package documents storage location, deletion, retention, and consent behavior clearly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly states that all conversation data is stored as plain JSON files on the local machine, but it does not present this as a prominent user-facing warning before encouraging use of persistent memory. Because chat history can contain secrets, personal data, or credentials, users may trigger storage without realizing the retention and local exposure implications.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The auto-save guidance is broad enough to encourage routine persistence of entire conversations whenever they seem 'meaningful' or might be referenced later. This can easily cause over-collection and storage of sensitive content without narrow user intent, increasing privacy risk and the chance that confidential data remains on disk longer than expected.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal