Back to skill

Security audit

memory_baidu_embedding_db

Security checks across malware telemetry and agentic risk

Overview

The skill is a real semantic-memory integration, but its privacy claims conflict with its Baidu API data flow and it includes broad system-modifying scripts and instructions.

Install only if you are comfortable with memory contents and search queries being processed by Baidu for embeddings, despite the skill's local-only claims. Do not run the privileged disable, chmod, restore, cleanup, or hook scripts automatically; review each command, back up existing memory data and extensions first, and secure the Baidu credentials outside shell history or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (41)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The document claims there is 'no risk of external data leakage' because data is stored locally, but elsewhere it explicitly requires Baidu embedding APIs and network connectivity. That contradiction can mislead users into sending sensitive content to a third-party service under false privacy assumptions, creating real confidentiality risk.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The README asserts that memories never leave the system, yet the described design depends on Baidu's remote embedding API. That means memory content and search queries are transmitted off-host, so users may disclose sensitive conversation data under a false privacy guarantee.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
Claiming that all processing happens locally is inaccurate because embedding generation relies on external Baidu API calls. This misrepresentation can cause operators to deploy the skill for sensitive workloads without realizing third-party data exposure occurs.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The document claims the replacement is a safer, localized alternative, yet it still requires Baidu API credentials, which preserves external service dependence and secret-handling risk. This can mislead operators into lowering their guard around network egress, third-party exposure, and credential management when the replacement does not actually eliminate those classes of risk.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The policy justifies blacklisting the old extension on the basis of network and API-key exposure, but then introduces a new API-key-based integration with similar trust and leakage concerns. This inconsistency creates a security-design issue because decision makers may approve the change under false assumptions about reduced attack surface.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The document states that no data is uploaded to external services, yet it also instructs users to configure Baidu API credentials for an embedding service. That is misleading because embedding API use normally requires sending content to a remote provider, which can cause users to expose data under false privacy assumptions.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The skill claims that memories never leave the system, but the documented design requires sending content or queries to Baidu's embedding API to generate embeddings. This creates a misleading privacy and security guarantee that can cause operators to store sensitive data under false assumptions, resulting in unintended disclosure to a third-party service.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The description states that all processing happens locally with the user's API credentials, yet the requirements and performance sections acknowledge internet access and Baidu API latency. This contradiction obscures the real trust boundary and may lead users to process confidential material believing it never leaves their environment.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script changes system behavior by forcefully repointing the active memory backend symlink to a different implementation under /root, effectively disabling the original backend without confirmation, rollback checks, or authorization boundaries. In a skill context with no declared metadata or scope, silently altering a core backend can redirect sensitive memory operations to an unexpected component and create integrity, availability, and trust risks.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
This script is labeled and behaves as a health check, but it also changes system state by running chmod +x on files. In a diagnostic context, unexpected mutation is risky because an operator may execute it expecting read-only behavior, yet it silently alters executable permissions on files under /root, which can enable later execution of scripts that were intentionally non-executable or misconfigured.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script creates /root/clawd/memory during what is presented as a health check, which is a side effect inconsistent with a read-only diagnostic tool. Unexpected directory creation under a privileged path can mask configuration issues, change system state, and make automated callers perform writes they did not intend.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
This verification script is presented as a safety/health check, but it performs a real persistent write by calling add_memory during the test flow. That creates hidden side effects in a data store users may expect to remain unchanged, which can pollute memory state, affect later retrieval behavior, and violate operator expectations for a verification-only action.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The document claims that all data is stored locally and that there is no risk of external data leakage, but earlier sections explicitly describe use of Baidu Embedding API and API connectivity. This creates a materially misleading security assurance that could cause operators or users to send sensitive memory content to a third-party service under the false belief that no external transmission occurs.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script prints a categorical assurance of 'zero data leakage risk' even though it interacts with an embedding-backed memory system, performs queries, and persists data. Such absolute safety claims can mislead operators into underestimating privacy and data-handling risks, especially where embeddings, local databases, or upstream services may expose sensitive content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The API reference explicitly requires Baidu API credentials and describes storing user memories with semantic embeddings, which implies user content may be transmitted to an external provider and retained locally without any privacy, consent, retention, or data-classification guidance. In a memory skill, this omission is security-relevant because developers may store sensitive conversational data by default and unknowingly expose personal data to third-party processing.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The examples normalize storing personal preferences, employment background, habits, and importance metadata as 'memories' without any warning about sensitive data handling. Because this skill is specifically designed to persist and semantically search user information, example code strongly influences downstream implementations and can lead developers to collect unnecessary personal data that may later be queried, leaked, or shared with external embedding services.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The guide documents deletion capability and external API dependency without warning about irreversible data loss or remote data transmission. Users may delete memory records without understanding recovery limits, and may submit sensitive memory content to external services without informed consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The quick-start instructs users to set API credentials and use a memory database that stores user-related content, but it provides no warning that credentials are sensitive secrets or that memory content may contain personal or confidential data transmitted to Baidu's embedding service. In a skill explicitly designed to persist and semantically process user memories, omission of privacy, retention, and third-party transmission guidance can lead to inadvertent exposure of sensitive information.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The documentation lists maintenance actions such as cleanup, backup, optimize, and refresh without explaining side effects, confirmation requirements, or rollback expectations. In an agent or automation context, users may run these commands directly and trigger unintended deletion, state reset, or disruptive system changes, making this a real safety issue even though the file itself does not contain executable code.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The quick-start instructs users to export sensitive Baidu API credentials but gives no warning about secret handling, shell history exposure, logging, or the fact that data sent to embedding services may leave the local environment. Because the system is described as local while depending on a remote embedding provider, the missing privacy and credential-safety guidance could mislead users about confidentiality risks.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README promotes privacy and local security properties but omits a direct warning that message content is sent to Baidu to obtain embeddings. Users may therefore ingest confidential chats, PII, or secrets without informed consent or appropriate policy review.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The markdown provides commands that disable a live extension via sudo and instructs users to export API credentials, but it does not include clear risk warnings, rollback steps, or safe credential-handling guidance. In an agent-skill context, operational instructions can be copied directly into privileged environments, increasing the chance of service disruption or accidental secret exposure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide tells users to print API credentials with echo, which unnecessarily exposes secrets on screen and may leak them through terminal logging, screen recording, shared sessions, or copied shell output. Documentation that normalizes revealing secrets increases the chance of credential compromise.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill omits a clear warning that memory content and user queries may be sent externally for embedding generation while simultaneously asserting no external sharing. In a memory system intended to hold conversation history and user preferences, this omission is especially dangerous because it encourages ingestion of potentially sensitive personal or organizational data into a third-party API.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The tutorial explicitly demonstrates storing personal facts, preferences, location, profession, and habits in a semantic memory system without any warning about consent, retention, minimization, or access controls. In a memory skill context, this increases the likelihood that developers will persist sensitive user data by default, creating privacy and compliance risk if deployed against real users.

VirusTotal

48/48 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.