triple-memory-baidu-embedding

Security checks across malware telemetry and agentic risk

Overview

This is a real memory skill, but it persistently stores conversation data and can send it to Baidu while overstating privacy and hiding memory activity from users.

Review before installing. Use only if you are comfortable with conversation memories and search queries being stored long term and potentially sent to Baidu when credentials are configured. Avoid storing secrets, regulated data, personal data, or proprietary content until the privacy claims, silent-memory instruction, .env loading, script quoting, and retention controls are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill explicitly instructs use of environment variables and shell commands, but it does not declare corresponding permissions or capability requirements. This creates a transparency and governance gap: an agent or platform may execute shell operations or access secrets from the environment without users or policy controls being clearly informed.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The README makes strong privacy claims such as 'full privacy protection' while the skill also relies on Baidu API calls for embeddings. That is misleading because user content or derived content may be transmitted to an external provider, causing operators to enable the skill under false assumptions about data locality and confidentiality.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script is presented as a verification/health-check routine, but it performs a real persistent write to the memory database by calling add_memory(). That side effect can pollute production memory, alter later agent behavior, and violate operator expectations that validation is read-only.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The comments and success messaging frame the script as a safe pre-start verification, but the implementation performs state-changing operations. This mismatch is dangerous because users and higher-level agents may run it automatically under the assumption that it is non-destructive, leading to unauthorized persistent changes.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The script sends user-provided memory content to a remote Baidu embedding backend whenever API credentials are present, while the skill description emphasizes local/privacy-preserving memory. This creates a genuine confidentiality and data-governance risk because sensitive memories may be transmitted off-host without an explicit opt-in, clear disclosure, or content classification.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide instructs users to enable Baidu Embedding for semantic memory using API credentials and describes storing/searching memory data, but it does not clearly warn that user memory content may be transmitted to an external third-party service. In a memory skill, this is particularly sensitive because the stored content can include persistent user preferences, decisions, and session context, increasing privacy and compliance risk if operators enable the feature without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README advertises automatic capture/recall together with Baidu API usage but does not clearly warn that conversation content may be sent to an external service. In a memory system, captured data can include sensitive preferences, decisions, tasks, and conversation history, so lack of explicit disclosure creates a meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The Privacy & Security section claims local-only handling and 'No External Sharing' despite documented Baidu API calls. This contradiction can mislead users into exposing sensitive memory data to a third party without informed consent, especially because the feature is positioned as automatic and privacy-focused.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The auto-capture triggers are overly broad and match normal conversational phrases such as 'I like' or 'my X is', which can cause routine user messages to be persistently stored. In this skill, that risk is amplified because the memory is designed to persist across sessions and may be processed through the Baidu API, increasing the chance of unintended collection of personal or sensitive data.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill description and usage model do not clearly warn users that conversation content may be automatically stored and sent to Baidu for embedding generation. Because this system performs automatic recall/capture and emphasizes silent operation, users may unknowingly disclose sensitive information that is retained locally and partially processed by an external service.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The instruction to 'never announce memory operations' directs the agent to perform storage and retention covertly, without user awareness or consent. In a memory skill that supports cross-session persistence and third-party API-backed embeddings, silent collection materially increases privacy, compliance, and trust risks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The examples explicitly encourage storing and searching memory content through Baidu Embedding, which implies sending user or project data to an external service, but the documentation does not warn about data disclosure, sensitivity handling, or consent. In a memory skill designed for persistent context, users are especially likely to store preferences, decisions, and project details, making accidental transmission of sensitive information more dangerous in context.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script consumes sensitive API credentials and gives only internal status output, without clear operator disclosure that secrets are being used as part of verification. In an agent-skill context, this can cause credential use without meaningful user awareness or approval, especially if the script is run automatically.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The verification step sends test text to an external Baidu API without prominently warning that data will leave the host. Even though the sample payload is non-sensitive here, silent network transmission in a memory/privacy-focused skill creates a trust and data-governance risk and may normalize unsafe behavior for future modifications.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The verification flow persists test data into the actual memory store without warning the user that durable records will be created. In a multi-backend memory skill, this is especially risky because even benign-seeming test entries can contaminate recall, search results, and downstream decision-making across sessions.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill explicitly encourages retaining user-provided information across sessions without notifying the user. Even if intended as convenience, undisclosed persistence changes the sensitivity of ordinary conversation by turning ephemeral statements into long-term profile data.

Ssd 3

Medium
Confidence
88% confidence
Finding
The script persists arbitrary user-supplied text into multiple long-lived stores, including local files and optional remote semantic storage, without filtering, minimization, retention controls, or warnings about sensitive content. In a memory skill, persistence is expected, but duplicating data across several backends materially increases exposure, accidental retention, and later leakage of secrets, credentials, or personal data.

Credential Access

High
Category
Privilege Escalation
Content
WORKSPACE="${WORKSPACE:-$SKILL_DIR}"

# Load Baidu API configuration if available
if [ -f "$WORKSPACE/.env" ]; then
    source "$WORKSPACE/.env"
fi
Confidence
97% confidence
Finding
The script sources `$WORKSPACE/.env`, which executes every line of that file as shell with the script's privileges rather than merely reading settings. `WORKSPACE` is taken from the caller's environment (falling back to `$SKILL_DIR`), so whoever controls that variable or the file controls what runs. The Baidu API credentials the file defines are exported into the process environment, where every later command in the script can read them.

Credential Access

High
Category
Privilege Escalation
Content
# Load Baidu API configuration if available
if [ -f "$WORKSPACE/.env" ]; then
    source "$WORKSPACE/.env"
fi

CMD="${1:-help}"
Confidence
97% confidence
Finding
The `.env` file is sourced unconditionally, before `CMD="${1:-help}"` is evaluated, so the credentials are loaded and any shell in the file is executed on every invocation, including `help` and other commands that never contact the Baidu API.

VirusTotal

56/56 vendors flagged this skill as clean.
