Conversation Saver

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built for local memory saving, but it can silently retain private chat details and append conversation text into files that may influence future agent behavior.

Install only if you intentionally want conversation history scanned and saved into local memory/profile files. Start with dry-run, avoid enabling automatic hooks until you have reviewed output, disable or tightly review TOOLS.md writes, and add your own backup, deletion, and sensitive-data rules before using it on private conversations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly describes reading conversations and writing extracted facts into multiple local memory files, yet no explicit permissions are declared. This creates a transparency and consent gap: an installer or reviewer may underestimate the skill's file access and allow broad read/write behavior without understanding the scope.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code routes extracted conversation facts into multiple workspace documents including USER.md and TOOLS.md, not just dedicated memory files. In a background 'conversation-saver' skill, this broad persistence increases unintended data propagation and can leak sensitive user content into files with different purposes or visibility, creating a privacy and integrity risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
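The README explicitly claims that it will "silently extract" key information from conversations and "persist it to the local memory system", and it also mentions that read/write/edit permissions are required, but it does not clearly state in the same place anything about user awareness, consent, data scope, storage location, retention period, or how sensitive information is handled. This leaves users without sufficient awareness of the privacy impact; in particular, where the agent can automatically read conversation history and write to local files, sensitive content can easily end up persisted to disk long-term.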

Missing User Warnings

High
Confidence
96% confidence
Finding
The README explicitly promotes silent background extraction and persistence of conversation content without any user-facing notice, consent, or approval flow. In the context of a memory-writing skill, this creates a real privacy and data-governance risk because sensitive personal details from chats can be retained automatically and unexpectedly.

Missing User Warnings

High
Confidence
95% confidence
Finding
The automatic hook and heartbeat instructions operationalize unattended extraction after each session, but omit warnings that user content will be written into long-term memory files. That makes accidental over-collection likely and increases the chance that sensitive information is persisted without meaningful user awareness.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The description says the skill works silently in the background, but it does not prominently warn that it will automatically extract and persist conversation-derived personal data to local files. Users may enable it without realizing it performs ongoing surveillance-like retention of their chats.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The automatic session-end and heartbeat modes enable retrospective and continuous processing of conversation history, but the documentation does not pair these features with an explicit consent and privacy warning. That omission increases the risk of covert collection and persistence of sensitive user content.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The category lists include very broad terms such as "must", "rule", "reply", "day", and "go to", which can match ordinary conversation at high frequency and cause the skill to extract and persist more content than users would reasonably expect. In a background memory-saving skill, this increases the chance of over-collection of personal or behavioral data, including sensitive relationship, location, and instruction-like content, making the issue materially risky rather than merely noisy.

Natural-Language Policy Violations

Low
Confidence
78% confidence
Finding
The hard-coded token "@老布" suggests the skill may specially detect or persist language-specific reply behavior without any visible opt-in or explanation. By itself this is lower severity, but in a silent background persistence skill it can contribute to collecting conversation metadata or behavioral patterns tied to a specific user/community convention.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script silently persists conversation-derived facts to local memory files via `persist_facts(final_facts, CONFIG)` without any consent, approval, or visibility in the extraction flow. In a skill specifically designed for background conversation summarization, this increases the risk of storing sensitive personal data, preferences, travel plans, or system-related details that users may not expect to be retained.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill silently persists extracted facts from conversation history without any user-facing notice or consent at the write sites. Given the skill description explicitly says 'Silent background operation,' this makes the issue more dangerous because users may unknowingly have sensitive personal data stored long-term in local documents, increasing privacy and compliance risk.

Ssd 3

High
Confidence
98% confidence
Finding
The skill is designed to silently collect and store conversation-derived facts, including potentially sensitive personal data, in local memory artifacts. Because the examples and feature list normalize background persistence of personal details, the skill materially increases privacy exposure and unauthorized retention risk.

Ssd 3

High
Confidence
97% confidence
Finding
The example workflow demonstrates storing highly personal details such as location, family travel, and preferences into persistent memory stores, normalizing long-term retention of sensitive chat content. This is dangerous because it encourages broad collection and secondary use of private information beyond the immediate conversation context.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill is designed for silent background extraction of facts from conversations and persistence to memory files, which inherently collects potentially sensitive natural-language data. Because the extraction happens automatically and out of band, users may not notice what personal details are being retained or later reused.

Ssd 3

Medium
Confidence
96% confidence
Finding
The storage targets include family details, schedules, locations, preferences, and important decisions, which are all highly sensitive categories when aggregated over time. Broad retention across multiple files increases the blast radius of any misuse, overcollection, or later prompt/context leakage from those memory stores.

Ssd 3

Medium
Confidence
95% confidence
Finding
Session-end automation and heartbeat backfill support retrospective collection of prior conversations, expanding monitoring from current chats to historical content. This substantially increases privacy risk because data may be harvested and persisted long after the original conversation, without renewed awareness or consent.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill's stated purpose is to extract 'key facts' from chat history and persist them to memory files, and the implementation scans historical message logs, classifies facts such as person, location, time, and preference, then stores them for later use. This broad collection-and-retention design lacks visible minimization, sensitivity filtering, or retention limits, creating a substantial privacy and security risk if sensitive conversation content is captured, over-retained, or later exposed through the memory store.

VirusTotal

65/65 vendors flagged this skill as clean.
