ClawHub

PAFH-Memory

Security checks across malware telemetry and agentic risk

Overview

This instruction-only personalization skill is not malicious, but it asks agents to read and persist personal memory data with broad triggers and some automatic writes, so users should review it carefully before installing.

Install only if you want the agent to maintain persistent local personalization memory. Before using it, decide whether automatic daily observations are acceptable, avoid storing addresses, contacts, schedules, credentials, financial data, or health data, and periodically review or delete the local memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The manifest states consent is required, but later sections permit some persistent preference writes without asking first. That contradiction weakens the user's privacy guarantee and can lead to storage of personal behavioral data even when the user expects explicit approval for all persistence.

Scope Creep

Medium
Confidence
93% confidence
Finding
The documentation instructs integration with HEARTBEAT.md even though that file is not declared in the manifest read permissions. This creates a scope mismatch where operators or downstream agents may access undeclared files, undermining least-privilege and making the effective data access broader than advertised.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The schema explicitly permits storing personal contacts, home/work locations, frequent addresses, and schedules, which goes well beyond lightweight preference personalization and introduces sensitive profile data retention. In an agent memory system, this materially increases privacy risk, surveillance potential, and harm from unauthorized access or secondary use.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document says sensitive data should never be stored, but later defines fields for home/work locations, frequent addresses, and contact records, creating a contradictory policy that can normalize storing sensitive personal data under the label of preferences. This mismatch is dangerous because implementers may rely on the schema rather than the warning, leading to silent collection of information users would reasonably expect not to be retained.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger conditions are broad enough to activate during many normal conversations involving preferences, corrections, or decisions. In this skill's context, over-triggering is risky because activation enables reading identity and memory files and may lead to persistent writes, increasing privacy exposure beyond user expectation.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The description of when the PAHF loop should be applied is ambiguous and does not define clear activation boundaries. Because the skill has access to personal memory files and persistence, vague invocation language can cause unnecessary use of privileged behavior in routine interactions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal