Cyber Memory

Security checks across malware telemetry and agentic risk

Overview

This memory skill is mostly purpose-aligned, but it automatically processes private chat transcripts and can use an undeclared OpenAI API key (read from OPENAI_API_KEY) together with a configurable LLM endpoint, so transcript content can leave the host.

Review this before installing if your sessions may contain secrets, personal data, or proprietary work. Keep baseUrl on localhost for private use, remove or isolate OPENAI_API_KEY unless you intentionally want it used, and periodically inspect or delete files written under workspace/memory.
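The three checks above can be scripted as a pre-install audit. The block below is an added example, not code from the skill or from SkillSpector; it assumes, as the overview states, that the endpoint is configured as `baseUrl`, the key is read from `OPENAI_API_KEY`, and memory files are written under `workspace/memory`. The config dict shape, the secret patterns, and the sample memory files are constructed for the example. The endpoint check parses the URL rather than string-matching "localhost", so hosts such as `localhost.evil.example` or a userinfo trick like `me@localhost@evil.example` are reported as remote.

```python
"""Pre-install audit for a transcript-memory skill (added example, not the skill's own code).

Assumed skill conventions (from the overview, not from any source): `baseUrl` config
key, OPENAI_API_KEY environment variable, markdown memory under workspace/memory.
"""
import ipaddress
import os
import re
import tempfile
import time
from pathlib import Path
from urllib.parse import urlsplit

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Credential-like patterns worth flagging in persisted memory files (constructed list).
SECRET_PATTERNS = {
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9_-]{16,}"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._-]{20,}"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def endpoint_is_local(base_url: str) -> bool:
    """True only if the URL's host is a loopback name or loopback IP.

    urlsplit().hostname strips scheme, userinfo, port and IPv6 brackets, so
    'http://localhost.evil.example' and 'http://me@localhost@evil.example' are
    not mistaken for local endpoints."""
    host = urlsplit(base_url).hostname
    if not host:
        return False
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a non-loopback DNS name


def scan_memory_files(memory_dir: Path, max_age_days: int = 30) -> list:
    """Enumerate persisted memory files; flag secret-like content and stale files."""
    now = time.time()
    results = []
    for path in sorted(memory_dir.rglob("*.md")):
        text = path.read_text(errors="replace")
        hits = [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]
        age_days = (now - path.stat().st_mtime) / 86400
        results.append({
            "path": str(path.relative_to(memory_dir)),
            "secret_hits": hits,
            "stale": age_days > max_age_days,
        })
    return results


def audit_skill(config: dict, env: dict, memory_dir: Path) -> list:
    """Return human-readable findings; an empty list means the private-use posture holds."""
    findings = []
    base_url = config.get("baseUrl", "")
    if not endpoint_is_local(base_url):
        findings.append(f"baseUrl {base_url!r} is not loopback: transcripts would leave the host")
    if env.get("OPENAI_API_KEY"):
        findings.append("OPENAI_API_KEY is set; the skill may use it without declaring it")
    for entry in scan_memory_files(memory_dir):
        if entry["secret_hits"]:
            findings.append(f"{entry['path']} holds credential-like content: {entry['secret_hits']}")
        if entry["stale"]:
            findings.append(f"{entry['path']} is past the retention window; review or delete it")
    return findings


def build_sample_workspace(root: Path) -> Path:
    """Write two constructed memory files: one with a fake key, one clean but 60 days old."""
    memory_dir = root / "workspace" / "memory"
    memory_dir.mkdir(parents=True)
    fake_key = "sk-" + "A" * 24  # constructed placeholder, not a real credential
    (memory_dir / "facts.md").write_text(f"- user prefers dark mode\n- api key: {fake_key}\n")
    old = memory_dir / "snapshot-old.md"
    old.write_text("- discussed sprint planning\n")
    sixty_days_ago = time.time() - 60 * 86400
    os.utime(old, (sixty_days_ago, sixty_days_ago))
    return memory_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        mem = build_sample_workspace(Path(tmp))
        risky = {"baseUrl": "https://api.openai.example/v1"}
        for line in audit_skill(risky, {"OPENAI_API_KEY": "set"}, mem):
            print("FINDING:", line)
```

Run it before enabling the skill and again periodically; a clean run with `baseUrl` on loopback and no key in the environment should report only whatever is already sitting in the memory directory.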

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill is presented as local-first and 'no external API required,' but the documentation also allows a configurable OpenAI-compatible endpoint and API key, meaning session transcript content may be sent off-host. This mismatch can lead users to enable the skill under an incorrect privacy assumption, especially since it reads transcripts from disk and processes message content automatically.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill markets itself as processing transcripts locally, but the code allows a configurable base URL and will send transcript content to that endpoint using OpenAI-style credentials. That creates a real data exfiltration path for conversation content, including potentially sensitive facts, and the mismatch between description and behavior increases user trust in a misleading way.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Reading OPENAI_API_KEY enables use of external hosted models even though the skill is presented as a local memory system. While not exfiltration by itself, it materially lowers the barrier for transcript data to be sent to third-party services and broadens the trust boundary without clear user awareness.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation mentions optional external API use for processing session transcripts but does not prominently warn that sensitive conversation content may leave the machine when a remote endpoint is configured. Because the skill handles recent user and assistant messages automatically, this omission can lead to unintended disclosure of secrets, personal data, or proprietary information.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code submits transcript text to an LLM endpoint automatically, but the file contains no user-facing disclosure, consent prompt, or indication that conversation content may leave the local process or be processed by another service. In a memory feature, users are especially likely to share sensitive personal and project information, so silent transmission is privacy-relevant and risky.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The hook automatically persists extracted facts and recent conversation snapshots into markdown files under the workspace memory directory. This creates durable local storage of potentially sensitive user data without any visible consent, retention control, or minimization, increasing exposure to later compromise, accidental sharing, or over-collection.

Ssd 3

Medium
Confidence
96% confidence
Finding
The prompt explicitly instructs the model to extract and retain user preferences, decisions, rules, accounts, contacts, and schedules for long-term memory. In the context of a memory skill, that means the system is deliberately harvesting potentially sensitive personal and operational information, which becomes dangerous when combined with automatic persistence and optional remote LLM processing.

Ssd 3

Medium
Confidence
94% confidence
Finding
Persisting recent user/assistant exchanges as plain-language snapshots creates a searchable memory log that may contain sensitive prompts, responses, operational details, or credentials. Because this happens automatically during compaction, the feature increases the amount and lifetime of sensitive data stored on disk beyond what users may expect from ephemeral chat history.

VirusTotal

66/66 vendors flagged this skill as clean.