Agent Memory Local

Security checks across malware telemetry and agentic risk

Overview

This is mostly a local memory search skill, but it can send local memory snippets to SiliconFlow automatically when an API key is present.

Review before installing if your MEMORY.md or memory/*.md may contain secrets, personal data, incident details, or business-sensitive notes. Set MEMORY_RERANK=0 for a hard local-only mode, avoid exposing a generic API_KEY in the environment, and protect or delete .memory-index when you no longer need the indexed copy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94%
Finding
The skill advertises local memory retrieval but the documented commands and capabilities imply shell execution, file reads/writes, environment-variable access, and optional network use without any explicit permission declaration or user-facing trust boundary. That increases the chance an operator will invoke it with broader access than expected, especially since it indexes workspace content and can consume API keys from the environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98%
Finding
The skill is presented as a local-first Markdown memory retriever, but the documentation discloses optional remote reranking through SiliconFlow that can transmit user queries and retrieved memory snippets to an external service. Because the memory corpus may contain sensitive operational history, preferences, incidents, or root causes, this mismatch can cause unintentional data exfiltration under a misleadingly local description.

Description-Behavior Mismatch

Medium
Confidence
97%
Finding
This section directly contradicts the stated local-only trust model by introducing an external rerank path tied to SILICONFLOW_API_KEY. In a memory skill, retrieved chunks can contain sensitive notes or incident data, so undocumented or underemphasized outbound transmission materially changes the security posture and may violate user expectations or policy.

Description-Behavior Mismatch

High
Confidence
98%
Finding
This skill is described as local-first memory retrieval, but it can transmit the user's query plus candidate memory text to SiliconFlow for reranking. That creates a confidentiality boundary break: local workspace memory may include sensitive notes, decisions, incident details, or personal data, and those contents are sent to a third party by default when an API key is present.

Missing User Warnings

Medium
Confidence
79%
Finding
The code forwards the full parent environment to child scripts via os.environ.copy(), which can expose secrets such as API keys, tokens, proxy settings, and cloud credentials to any code executed in those child processes. In a local-memory skill that runs helper scripts, this increases risk because sibling scripts may be modified, compromised, or behave unexpectedly while still inheriting sensitive environment data.

Missing User Warnings

Medium
Confidence
97%
Finding
The network rerank request sends both the query and assembled document content to an external API without any visible user-facing warning or consent flow in this file. In a memory-retrieval skill, those documents are likely to contain sensitive workspace context, so silent exfiltration materially increases privacy and compliance risk.

VirusTotal

56/56 vendors flagged this skill as clean.
