bagua-memory

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate local memory framework, but it automatically installs persistent agent rules and stores conversation-derived data without enough user-control safeguards.

Install only if you intentionally want this workspace to gain persistent agent memory. Review the injected AGENTS.md/SOUL.md/HEARTBEAT.md text first, run initialization manually, and avoid using it where chats may include secrets, regulated data, or private personal details you do not want saved in files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence: 92%
Finding:
The skill advertises very broad activation triggers such as mentions of 'memory system', 'bagua', 'long-term memory', and routine maintenance scenarios. In an agent environment, this can cause the skill to activate during ordinary conversation and perform file reads/writes unexpectedly, increasing the chance of unintended persistence or workspace modification without clear user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The self-activation flow instructs the agent to run a shell script and append content into AGENTS.md, SOUL.md, and HEARTBEAT.md, all of which are workspace-modifying actions. Because the document does not require explicit informed consent or warn about the scope of these changes, an agent could alter important control files and establish persistence in a way the user did not anticipate.

Missing User Warnings

Medium
Confidence: 97%
Finding:
The skill description explicitly includes extracting key information from conversations and persisting it to storage, but it does not define privacy boundaries, retention controls, or exclusions for sensitive data. This creates a real risk that personal, confidential, or regulated information will be stored long-term without the user's clear awareness or consent.

Vague Triggers

Medium
Confidence: 92%
Finding:
The skill instructs the agent to apply memory-system behavior at every session start and across broad conversational contexts, but it does not define strict activation boundaries or require explicit user consent before interacting with workspace memory. In practice, this can cause unintended reads, writes, archival moves, or deletions in sessions where the user did not intend to invoke persistent memory behavior, increasing the risk of privacy leakage and unauthorized state changes.

Missing User Warnings

High
Confidence: 97%
Finding:
The document directs the agent to automatically read, write, archive, and delete files in the memory workspace, including deleting memory when the user asks to forget something, without requiring prominent disclosure, confirmation, or safeguards. Because these are persistent and potentially destructive operations, the lack of user-facing warnings and approval steps makes accidental data exposure, silent retention, and irreversible data loss much more likely.

Ssd 3

Medium
Confidence: 98%
Finding:
The skill is designed to extract and retain long-term memory from conversations, including user preferences and other user-provided information, without clear consent gates or sensitivity limits. In context, this is more dangerous because the framework explicitly manages durable memory files and lifecycle operations, making unauthorized retention of personal or sensitive data a core behavior rather than an incidental side effect.

VirusTotal

64/64 vendors flagged this skill as clean.