Memory Hybrid Stack

Security checks across malware telemetry and agentic risk

Overview

The skill is not deceptive, but it grants an assistant broad control over a local memory database stack, including durable writes and deletes, with no built-in confirmation safeguards.

Install it only if you intentionally want an assistant to manage this local Postgres/Redis/Qdrant memory stack. Use least-privilege credentials for each store, protect the .env file, prefer read-only access unless you explicitly want persistence, require confirmation before any update or delete, and back up and periodically review stored facts, Redis state, and Qdrant payloads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill explicitly instructs the agent to execute shell commands and helper scripts that can read and modify Postgres, Redis, and Qdrant, yet it declares no permissions boundary. This creates a capability/authorization mismatch: an agent may invoke powerful local shell operations against live data stores without an explicit permission contract, increasing the risk of unintended data modification or exfiltration.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding
The trigger condition is very broad: it suggests using the skill whenever the assistant needs durable facts, volatile status, or semantic recall beyond Markdown memory. Because the skill includes direct write/delete operations across multiple backing stores, over-broad activation can cause the agent to select this skill in ordinary conversations and perform unnecessary access or mutation of persistent memory.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The documentation provides concrete commands for inserting, updating, setting, and deleting data in Postgres, Redis, and Qdrant, but it does not require an explicit warning or confirmation that these actions modify stored memory. In an agent context, this can lead to silent persistence, overwriting authoritative facts, or deletion of state without informed user consent.

Missing User Warnings

Severity: Low
Confidence: 91%
Finding
The document discloses concrete local connection endpoints, database names, usernames, expected environment file paths, and service topology for the memory stack. Even though the password is partially redacted and the services are on localhost, this materially lowers the effort for an attacker or untrusted local code to locate and access sensitive state stores, especially because Redis is explicitly noted as having no password by default.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
This helper executes whatever SQL string is passed on the command line against the configured PostgreSQL database, with no validation, no read-only restriction, and no confirmation step. In the context of an agent skill designed specifically to manipulate durable memory, this creates a meaningful risk of destructive writes, data exfiltration, or schema damage if untrusted input reaches the script or the assistant uses it incorrectly.
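The guarded wrapper below is an added example, not the skill's helper script and not code from the scan. It shows the two controls the Overview asks for and this finding says are missing: reads run inside a server-enforced read-only transaction, and anything that looks like a write is refused until the caller passes an explicit confirmation flag. It assumes psql is on PATH; the connection string, the memory_ro/memory_rw role names and the facts table used in the usage call are hypothetical.

```python
"""Guarded psql wrapper for a local Postgres memory store (added example)."""
from __future__ import annotations

import os
import re
import shutil
import subprocess

# Keywords treated as mutating. This is a client-side heuristic only; the real
# enforcement for reads is the server-side default_transaction_read_only
# setting applied in build_command().
_WRITE_RE = re.compile(
    r"\b(INSERT|UPDATE|DELETE|TRUNCATE|DROP|ALTER|CREATE|GRANT|REVOKE|COPY|MERGE)\b",
    re.IGNORECASE,
)
_LINE_COMMENT_RE = re.compile(r"--[^\n]*")
_BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)


def classify(sql: str) -> str:
    """Return "write" if a mutating keyword appears anywhere in `sql`, else "read".

    Comments are stripped first so "-- DELETE" alone does not force a prompt,
    but the search is deliberately not limited to the first token, so a CTE
    like "WITH x AS (DELETE ...) SELECT ..." still counts as a write. A SELECT
    that merely mentions a column named "update" is also flagged: the check
    fails closed, and a false positive costs one extra confirmation. String
    literals are not parsed, so a literal containing "--" could hide the rest
    of the line from this check; the read-only transaction covers that gap.
    """
    stripped = _BLOCK_COMMENT_RE.sub("", sql)
    stripped = _LINE_COMMENT_RE.sub("", stripped)
    return "write" if _WRITE_RE.search(stripped) else "read"


def build_command(sql: str, dsn: str, confirm_write: bool = False,
                  base_env: dict | None = None) -> tuple[list[str], dict]:
    """Build the psql argv and environment for `sql`.

    Writes are refused unless confirm_write=True; that flag is the point at
    which an assistant should stop and ask the user. Reads get a
    server-enforced read-only session.
    """
    env = dict(os.environ if base_env is None else base_env)
    kind = classify(sql)
    if kind == "write" and not confirm_write:
        raise PermissionError("mutating SQL requires explicit confirmation")
    if kind == "read":
        # PGOPTIONS is forwarded to the backend at connect time, and
        # "-c name=value" sets a session parameter. With
        # default_transaction_read_only=on the server itself rejects any
        # write, even one the keyword heuristic above missed.
        env["PGOPTIONS"] = (env.get("PGOPTIONS", "")
                            + " -c default_transaction_read_only=on").strip()
    argv = [
        "psql", "-X",               # ignore ~/.psqlrc, which could alter settings
        "-v", "ON_ERROR_STOP=1",    # abort on the first failing statement
        "--single-transaction",     # all statements commit or roll back together
        "-c", sql,
        dsn,
    ]
    return argv, env


def run(sql: str, dsn: str, confirm_write: bool = False) -> subprocess.CompletedProcess:
    """Execute `sql` through psql under the guard above."""
    argv, env = build_command(sql, dsn, confirm_write)
    return subprocess.run(argv, env=env, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Hypothetical DSN for a read-only role; writes should use a separate role.
    dsn = os.environ.get("MEMORY_DSN", "postgresql://memory_ro@localhost:5432/memory")
    argv, _ = build_command("SELECT count(*) FROM facts", dsn)
    print("would run:", argv)
    if shutil.which("psql"):
        print(run("SELECT count(*) FROM facts", dsn).stdout)
    try:
        run("DELETE FROM facts WHERE id = 3", dsn)
    except PermissionError as exc:
        print("refused:", exc)
```

Two design points. First, the keyword check only decides whether to ask; it is not what stops writes. If the assistant's credentials are a read-only role, pin the same parameter on the server side with ALTER ROLE memory_ro SET default_transaction_read_only = on so protection does not depend on the client passing PGOPTIONS at all. Second, confirmed writes should run under a distinct read-write role rather than by lifting the restriction on the read role, which keeps the blast radius of a misclassified statement bounded.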

VirusTotal

All 66 of 66 vendors reported this skill as clean (no detections).

View on VirusTotal