MindGardener

Security checks across malware telemetry and agentic risk

Overview

MindGardener is a coherent agent-memory tool, but it should be reviewed because it can send sensitive memory logs to external LLM providers and persist model-derived memory while presenting itself as local-first/offline.

Install only if you are comfortable with an agent-memory tool reading and rewriting your workspace memory files. For private data, configure a local provider such as Ollama before running extract, surprise, consolidate, beliefs, or nightly cron jobs. Review generated MEMORY.md/entity updates before relying on them, and be cautious with sync, write-back, and automated --apply workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Tainted flow: 'req' from os.environ.get (line 125, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    try:
        req = urllib.request.Request(url, data=payload.encode(),
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=120) as resp:
            data = json.loads(resp.read())
            text = data["candidates"][0]["content"]["parts"][0]["text"]
            return json.loads(text)
Confidence
95% confidence
Finding
with urllib.request.urlopen(req, timeout=120) as resp:

Tainted flow: 'MEMORY_FILE' from os.environ.get (line 38, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
        # Result might be raw text, not JSON
        update_text = result if isinstance(result, str) else json.dumps(result, indent=2)
        with file_lock(MEMORY_FILE):
            with open(MEMORY_FILE, "a") as f:
                f.write(f"\n\n{update_text}\n")
        print(f"MEMORY.md updated with consolidation from {today}")
Confidence
84% confidence
Finding
with open(MEMORY_FILE, "a") as f:

Tp4

High
Category
MCP Tool Poisoning
Confidence
83% confidence
Finding
The skill is presented as 'local-first' and 'no external APIs required,' but the documented behavior and associated analysis indicate support for external LLM providers, multi-agent synchronization, scheduled automation, and self-model write-back features that materially expand its trust and data-exposure surface. This mismatch is dangerous because operators may deploy it with sensitive conversational memory under the assumption that data stays local, when optional or undocumented paths could transmit or rewrite memory content in ways they did not anticipate.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill markets itself as operating 'all from markdown files' and 'no database, no server,' but the documented setup explicitly requires an external LLM provider and API key for core extraction behavior. This can mislead operators into assuming data stays local when daily logs may be sent to third-party model providers, creating confidentiality, compliance, and trust-boundary risks for sensitive memory content.

Description-Behavior Mismatch

Medium
Confidence
78% confidence
Finding
The evaluate command can ingest arbitrary text or files, run automated fact-checking, and then write derived 'verified' facts back into persistent memory when --write-back is used. In an agent-memory system, this creates a memory-poisoning pathway where untrusted model output or attacker-supplied text can be promoted into durable state, potentially corrupting later recall, reasoning, or decision-making.

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The sync command merges memories from multiple agents into shared memory, expanding the trust boundary from local single-agent memory to cross-agent state propagation. If one agent's workspace is compromised or untrusted, malicious or low-integrity facts can spread into shared memory and influence other agents, creating a cross-agent contamination and integrity risk.

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
The function assembles context from potentially sensitive sources such as daily logs, entity files, and long-term memory, then unconditionally persists a detailed manifest to disk via `context-manifests.jsonl`. Even if the manifest does not include full content, it records queries, timestamps, loaded resources, dates, and token usage, which can leak user intent, memory access patterns, and sensitive metadata contrary to the documented behavior.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill description says local-first memory, but the implementation sends memory and conversation-derived content to Google's Gemini API. In this context that mismatch is security-relevant because operators may assume data remains local and therefore feed the system sensitive long-term memory that is actually disclosed to a third party.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The consolidation prompt requests markdown suitable for appending to MEMORY.md, but the API helper assumes JSON and may stringify non-string responses into JSON before appending. This inconsistency can corrupt the trusted memory store and preserve malformed or attacker-influenced content, increasing the chance of memory poisoning and broken downstream parsing.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The lock implementation explicitly falls back to proceeding without any lock once the timeout expires, which violates the stated safety guarantee and can allow concurrent writers to modify the same file at the same time. In this skill's context, the module is meant to protect long-term memory and knowledge graph files from corruption across multiple agents, so lock bypass can lead to lost updates, torn writes, inconsistent state, or corrupted memory artifacts.

Ssd 3

Medium
Confidence
94% confidence
Finding
The prompts explicitly ask the model to extract, score, and consolidate long-term facts from raw logs and memory without any safeguards around secrets, private user data, or sensitive attributes. Because this skill processes long-term memory, the lack of minimization and sensitivity limits materially raises privacy exposure and retention of confidential information.

VirusTotal

61/61 vendors flagged this skill as clean.
