secure-memory-stack

Security checks across malware telemetry and agentic risk

Overview

This memory skill is not clearly malicious, but it makes strong local-only privacy claims while enabling Baidu API-based embedding and several broad `/root/clawd` maintenance actions.

Review before installing. Treat this as a hybrid local-plus-Baidu memory tool, not a guaranteed offline/private memory store. Do not store secrets or sensitive personal/business data unless remote embedding is disabled or audited, and run its setup/fix/maintenance scripts only in a contained `/root/clawd` environment you are comfortable modifying.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (57)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill advertises shell- and environment-variable-driven behavior but declares no permissions, which undermines user awareness and any permission-based trust model. The risk is amplified here because the documentation explicitly instructs users to run shell scripts under /root, so undeclared execution capability could lead to privileged filesystem changes without clear consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill claims '完全本地化' (fully local) and '零数据上传' (zero data upload) while the described behavior includes Baidu API connectivity tests and embedding-based use of an external service, plus unrelated hooks and system-maintenance actions. This mismatch is dangerous because users may entrust sensitive memory data to a tool they believe is offline and privacy-preserving, when in fact data or metadata may be transmitted externally and additional side effects may occur on the host.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The changelog makes strong privacy and security claims such as 'fully local storage', 'zero data upload', and 'no network transmission' while also advertising Baidu Embedding API integration, which inherently requires sending data to an external service unless clearly limited to optional non-content operations. This mismatch can mislead users into storing sensitive memory data under false assumptions, causing unintended disclosure to a third party.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documentation makes strong privacy and security claims such as '完全本地化' (fully local), '零上传' (zero upload), and '无需网络连接' (no network connection required) while also describing Baidu Embedding API integration and credential setup. This is dangerous because users may store sensitive memories under the false assumption that semantic-search content never leaves the device, when in reality queries or indexed text may be transmitted to an external provider.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The later security section repeats that all data remains local and that there is no network transmission, which directly conflicts with the documented Baidu API usage. Repeating the contradiction in the security/privacy section increases risk because users are more likely to trust these claims when deciding whether to store credentials, passwords, or personal data in the system.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The guide explicitly requires Baidu API connectivity and embedding services, yet later claims that all data is stored locally with 'no external data leakage risk.' This is a materially misleading security claim because user queries or memory content sent for embedding may leave the local environment, causing operators to make unsafe privacy assumptions.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The security section contradicts the rest of the document by asserting there is no external leakage risk despite documented dependence on Baidu network APIs. Such contradictions in security documentation can directly mislead deployment decisions, especially for a 'secure' or 'privacy' memory skill handling sensitive retained data.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The document markets the system as 'local' and privacy-preserving while requiring Baidu API credentials and use of an external embedding service. This creates a misleading trust boundary: users may believe sensitive memory data remains fully local even though prompts or derived content may be sent to a third party, increasing privacy and compliance risk.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The quick start instructs users to execute hard-coded scripts from /root, implying privileged/root-context execution without justification in the documentation. Encouraging opaque root-level script execution significantly raises the blast radius if those scripts are unsafe, tampered with, or perform unexpected system modifications.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The README makes strong privacy and locality claims ('完全本地化', fully local; '零数据上传', zero data upload) while also advertising Baidu Embedding-based semantic search, which ordinarily requires sending query/content data to an external provider unless a clearly local model is used. This mismatch can mislead users into exposing sensitive memory contents under the false assumption that no data ever leaves the device.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The security section claims '零上传' (zero upload) and '离线可用' (usable offline) while the architecture section lists a Baidu Embedding layer for semantic search, creating a direct contradiction about external connectivity and data handling. In a memory/privacy skill, inaccurate guarantees are especially dangerous because users may store secrets, credentials, or sensitive notes believing the system never contacts third parties.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The README makes absolute privacy and locality claims such as '绝不上传' (never uploaded), '无需网络连接即可使用全部功能' (all features available without a network connection), and '零数据泄露风险' (zero data leakage risk), but later documents optional Baidu API configuration for semantic search. This is a real security issue because users may entrust sensitive memory data under false assumptions and then unknowingly transmit queries or content to an external provider.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The documented Baidu Embedding integration contradicts the skill's positioning as a secure, fully local memory system. In the context of a privacy-focused memory tool, this mismatch is especially dangerous because users are likely to store sensitive personal or business information and rely on the documentation's security assurances.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This health-check script is not read-only: it runs chmod +x on files it finds without the execute bit. That creates unexpected side effects during what appears to be a diagnostic operation, and if run with elevated privileges it can alter the system state in ways the user did not explicitly approve.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script automatically creates /root/clawd/memory if it is missing, so a supposed health check writes to disk and changes the filesystem. Unexpected creation of directories under /root can mask deployment issues, interfere with auditing, and violate least-surprise expectations for diagnostic tooling.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The monitor script enumerates unrelated skills and their whitelist state even though its stated purpose is secure local memory performance monitoring. This expands the script's visibility into the host environment and discloses installed tooling and trust configuration, which can aid reconnaissance or leak security posture to anyone able to run or view the output.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The document markets the system as local and privacy-preserving, but immediately requires Baidu API credentials and describes embedding-based operation that depends on an external service. This can mislead users into sending sensitive memory content off-host under a false assumption of local-only processing, creating a real privacy and trust risk.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
Labeling the system as localized/local while documenting required external Baidu API usage is a materially contradictory security claim. In a memory system, users may store sensitive personal or operational data, so inaccurate locality claims increase the chance of inappropriate disclosure to third-party services.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The documentation makes an absolute security claim that all data is stored locally and that there is no external leakage risk, while elsewhere requiring Baidu embedding API access. This can mislead users into submitting sensitive memory data under false privacy assumptions, causing unintended transmission of content to an external service.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
Claiming 'no external data leakage risk' is materially contradicted by documented external API-based embedding and connectivity checks. In a memory system, users may store highly sensitive personal or organizational information, so inaccurate assurances can directly lead to confidential data disclosure to third-party infrastructure.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill claims to provide a local/private memory system, but it enables Baidu embeddings through externally supplied API credentials. That creates outbound data flow to a third party and can expose prompts, memory contents, or metadata, directly contradicting the privacy guarantees users may rely on.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The security section asserts local_only=true and no_external_upload=true, yet the configuration also enables a Baidu API-backed embedding service. This inconsistency is dangerous because operators or users may trust the policy flags while sensitive memory data is still transmitted externally.
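The contradiction described in this finding (policy flags that say local-only beside a remote embedding provider) is mechanically checkable, and the same check backs the Overview's advice to confirm that remote embedding is actually disabled before storing anything sensitive. The script below is an added example written for this report, not code from the secure-memory-stack skill or from SkillSpector: it walks a parsed configuration and reports flags that disagree with the configured provider, credentials or endpoints. The section and key names (`security.local_only`, `security.no_external_upload`, `embedding.provider`, `embedding.endpoint`), the provider classification lists, and both sample configs are assumptions; the sample endpoint uses a reserved `.invalid` host. It goes slightly beyond the finding by also reporting credentials stored as literals rather than environment references.

```python
"""Check a memory skill's privacy flags against its embedding configuration.

Added example for readers of this report; not code from the secure-memory-stack
skill or from SkillSpector. The config layout (a `security` section with
`local_only` / `no_external_upload`, an `embedding` section with `provider`,
credentials and `endpoint`) and the provider names are assumptions made for
illustration; map them onto the real config file before use.
"""
from __future__ import annotations

import re
from typing import Any, Iterator
from urllib.parse import urlparse

# Provider classification (assumed names; extend for your environment).
REMOTE_PROVIDERS = {"baidu", "qianfan", "openai", "azure", "cohere"}
LOCAL_PROVIDERS = {"none", "local", "sentence-transformers", "ollama"}
CREDENTIAL_KEY = re.compile(r"(api[_-]?key|secret[_-]?key|access[_-]?token|client[_-]?secret)", re.I)
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _truthy(value: Any) -> bool:
    """Interpret the usual boolean spellings found in YAML/JSON/INI configs."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"1", "true", "yes", "on"}


def _leaves(obj: Any, path: tuple[str, ...] = ()) -> Iterator[tuple[tuple[str, ...], Any]]:
    """Yield (path, value) for every scalar in a nested dict/list structure."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _leaves(val, path + (str(key),))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _leaves(val, path + (str(idx),))
    else:
        yield path, obj


def _is_remote_url(value: str) -> bool:
    """True for http(s) URLs whose host is not loopback."""
    if not re.match(r"^https?://", value):
        return False
    host = (urlparse(value).hostname or "").lower()
    return host not in LOOPBACK_HOSTS


def audit_privacy_claims(config: dict) -> list[str]:
    """Return every contradiction between the privacy flags and what is actually configured."""
    findings: list[str] = []
    security = config.get("security") or {}
    claims_local = any(_truthy(security.get(k)) for k in ("local_only", "no_external_upload"))
    embedding = config.get("embedding") or {}
    provider = str(embedding.get("provider", "none")).strip().lower()
    enabled = _truthy(embedding.get("enabled", True))

    if enabled and provider not in REMOTE_PROVIDERS | LOCAL_PROVIDERS:
        findings.append(f"embedding.provider={provider!r} is unclassified; verify where it sends data")
    if claims_local and enabled and provider in REMOTE_PROVIDERS:
        findings.append(f"security flags claim local-only, but embedding.provider={provider!r} is a remote service")

    for path, value in _leaves(config):
        dotted = ".".join(path)
        if path and CREDENTIAL_KEY.search(path[-1]) and value not in (None, ""):
            if claims_local:
                findings.append(f"{dotted}: credential configured despite local-only claim")
            if isinstance(value, str) and not value.startswith("${"):
                findings.append(f"{dotted}: credential is a literal, not an environment reference")
        if claims_local and isinstance(value, str) and _is_remote_url(value):
            findings.append(f"{dotted}: remote endpoint {value} configured despite local-only claim")
    return findings


# Constructed sample mirroring the finding: local-only flags next to a remote provider.
CLAIMED_CONFIG = {
    "security": {"local_only": True, "no_external_upload": True},
    "embedding": {
        "provider": "baidu",
        "api_key": "${BAIDU_API_KEY}",
        "secret_key": "sk-literal-placeholder",
        "endpoint": "https://embedding.example.invalid/v1",  # assumed, reserved TLD
    },
}

# Constructed sample of a configuration that actually honours the flags.
CORRECTED_CONFIG = {
    "security": {"local_only": True, "no_external_upload": True},
    "embedding": {"provider": "local", "model_path": "/opt/models/bge-small"},
}

if __name__ == "__main__":
    for label, cfg in (("claimed", CLAIMED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, audit_privacy_claims(cfg) or ["no contradictions"])
```

Run it against the real config after parsing it with the loader for its format (yaml, json, tomllib); an empty list is the precondition for trusting the local-only claim, and any "remote endpoint" or "remote service" line means the skill should be treated as the hybrid tool the Overview describes.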

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The hook for a 'secure local memory' skill enumerates and activates unrelated skills, which expands behavior beyond the declared purpose and violates least-privilege expectations. Even though this sample only prints status, coupling memory initialization to other capabilities creates an unsafe trust boundary and can normalize or later enable cross-skill activation without user awareness.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script executes an external bootstrap file from /root/clawd/memory_bootstrap.sh during a model-switch event, which gives this hook arbitrary code-execution capability far beyond simple memory loading. Because the called script is outside the file being reviewed and runs automatically, any compromise or unexpected contents in that bootstrap script could lead to privilege abuse, persistence, or unauthorized system changes.
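The three script findings in this report (a health check that creates /root/clawd/memory and runs chmod +x, and a hook that executes /root/clawd/memory_bootstrap.sh) share one pattern: diagnostic and maintenance scripts doing more than their names imply. The linter below is an added example, not code from the skill or from SkillSpector. It tokenises each shell line and flags mutating commands in diagnostic-looking scripts, mutations of paths outside the skill directory, sudo use, execution of scripts outside the skill directory, and output redirection to files. The skill directory, the two script file names, and both script bodies are constructed assumptions that mirror the findings; they are not the skill's real scripts.

```python
"""Static review of a skill's shell scripts for side effects and out-of-tree execution.

Added example for readers of this report; not code from the secure-memory-stack skill
or from SkillSpector. Script bodies, file names and SKILL_DIR are constructed assumptions.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass

SKILL_DIR = "/root/clawd/skills/secure-memory-stack"  # assumed install location
DIAGNOSTIC_NAME = re.compile(r"(check|health|monitor|status|diagnos)", re.I)
MUTATING = {"chmod", "chown", "mkdir", "rm", "mv", "cp", "ln", "tee", "touch", "install"}
EXECUTORS = {"bash", "sh", "zsh", "source", ".", "exec", "python", "python3"}
REDIRECT = re.compile(r"\d?>{1,2}\s*(\S+)")          # "> file", ">> file", "2>&1"
SEPARATORS = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")    # simple-command boundaries


@dataclass
class Issue:
    script: str
    line_no: int
    kind: str
    detail: str


def _code(line: str) -> str:
    """Drop comments. Crude (a '#' inside quotes is dropped too), acceptable for a linter."""
    return line.split("#", 1)[0].strip()


def _commands(code: str):
    """Yield argv for each simple command on a line, with redirections removed first."""
    for segment in SEPARATORS.split(REDIRECT.sub(" ", code)):
        try:
            argv = shlex.split(segment)
        except ValueError:  # unbalanced quotes: skip rather than guess
            continue
        if argv:
            yield argv


def _outside(path: str, skill_dir: str) -> bool:
    """Absolute path that is not under the skill's own directory."""
    return path.startswith("/") and not path.startswith(skill_dir.rstrip("/") + "/")


def scan_script(name: str, text: str, skill_dir: str = SKILL_DIR) -> list[Issue]:
    issues: list[Issue] = []
    diagnostic = bool(DIAGNOSTIC_NAME.search(name))
    for line_no, line in enumerate(text.splitlines(), 1):
        code = _code(line)
        if not code:
            continue
        for argv in _commands(code):
            if argv[0] == "sudo" and len(argv) > 1:
                issues.append(Issue(name, line_no, "escalation", f"runs via sudo: {' '.join(argv[1:])}"))
                argv = argv[1:]
            cmd = argv[0]
            if cmd in EXECUTORS:
                for target in argv[1:]:
                    if (target.startswith("/") or target.endswith(".sh")) and _outside(target, skill_dir):
                        issues.append(Issue(name, line_no, "external-exec", f"executes {target} outside {skill_dir}"))
            if cmd in MUTATING or (cmd == "sed" and "-i" in argv):
                if diagnostic:
                    issues.append(Issue(name, line_no, "side-effect", f"diagnostic script runs: {' '.join(argv)}"))
                paths = [a for a in argv[1:] if _outside(a, skill_dir)]
                if paths:
                    issues.append(Issue(name, line_no, "mutates-outside", f"{cmd} touches {', '.join(paths)}"))
        for match in REDIRECT.finditer(code):
            target = match.group(1)
            if target.startswith("&") or target == "/dev/null":
                continue
            issues.append(Issue(name, line_no, "write", f"redirects output to {target}"))
    return issues


# Constructed sample: a "health check" that creates a directory and changes modes.
HEALTH_CHECK = """\
#!/bin/bash
# health check for the memory skill (constructed sample)
MEM_DIR=/root/clawd/memory
[ -d "$MEM_DIR" ] || mkdir -p "$MEM_DIR"
for f in /root/clawd/skills/secure-memory-stack/bin/*.py; do
  [ -x "$f" ] || chmod +x "$f"
done
python3 /root/clawd/skills/secure-memory-stack/bin/check_index.py > /dev/null 2>&1 && echo "index ok"
"""

# Constructed sample: a model-switch hook that runs a script from outside the skill.
MODEL_SWITCH_HOOK = """\
#!/bin/bash
# runs on model-switch events (constructed sample)
echo "[memory] reloading context"
bash /root/clawd/memory_bootstrap.sh
sudo chmod 600 /root/clawd/memory/index.db
echo "$(date) model-switch" >> /root/clawd/memory/hook.log
"""

if __name__ == "__main__":
    for name, body in (("health_check.sh", HEALTH_CHECK), ("on_model_switch.sh", MODEL_SWITCH_HOOK)):
        for issue in scan_script(name, body):
            print(f"{issue.script}:{issue.line_no} [{issue.kind}] {issue.detail}")
```

The linter is deliberately conservative about what it understands: anything it cannot tokenise is skipped, so a clean result means "nothing obvious", not "safe". Any external-exec hit is the one to resolve first, because the executed file is outside the reviewed tree and can change after review.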

Intent-Code Divergence

High
Confidence
92% confidence
Finding
The script prints security assurances such as '完全离线' (fully offline) and '最高级别' (highest level) even though it checks for Baidu API credentials and imports a Baidu embedding component that may rely on external services. This can mislead users into trusting the system's privacy posture and making sensitive-data decisions based on false assumptions.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal