ClawHub

Agent Memento

Security checks across malware telemetry and agentic risk

Overview

Agent Memento is a disclosed autonomous coding framework, but it gives recurring agents broad shell, git, and project-file authority that users should review carefully before installing.

Install only in a disposable sandbox, VM, container, or dedicated git worktree. Do not point it at a repository with valuable uncommitted work, secrets, private notes, or production credentials. Review every MASTER_PLAN.md verify command before enabling auto mode or cron, and avoid enabling dashboard preview or public host binding unless the project directory contains no sensitive files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation states the worker may only modify context_files and TICK_STATUS.md, but elsewhere it is allowed or instructed to also update MASTER_PLAN.md state, retries, and git metadata. This inconsistency is dangerous because operators may trust a narrower write boundary than the system actually enforces.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The security section claims edits are limited to declared context_files, but the cleanup routine performs repository-wide git checkout, git clean, and stash operations. Those commands can revert or delete unrelated tracked and untracked files across the project, contradicting the stated boundary and risking destructive data loss.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill claims no outbound network access by framework scripts, yet it executes arbitrary user-defined verify commands and toolchains such as npm that may fetch packages, contact registries, or access remote services. This misrepresents the trust boundary and can expose systems to unexpected network activity or supply-chain risk.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script's comment claims localhost-only behavior and manual opt-in for public exposure, but the script itself does not enforce any bind address or validate forwarded arguments. Because all user-supplied arguments are passed directly to server.js, an operator may unintentionally start the dashboard with a public bind option, creating network exposure that the wrapper misleadingly suggests is prevented.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The script presents itself as a simple project initializer, but it actually bootstraps an autonomous workflow that can execute tasks, invoke an LLM agent, modify files, commit changes, and clean or stash repository state. That mismatch is security-relevant because users may run it without understanding they are installing an agentic system with code-execution and rollback behavior.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script creates a project tree and overwrites multiple files under a user-controlled project path without any explicit warning or confirmation. Although this is common in scaffolding tools, it becomes dangerous here because the generated content includes autonomous execution logic and repository initialization, so the filesystem impact is more significant than ordinary boilerplate generation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The generated worker script concatenates plan, map, and human notes content and sends it to an external agent process via openclaw agent. This can expose sensitive project data to another process or service without any consent, redaction, or trust-boundary warning, which is especially risky in codebases that may contain secrets, internal design notes, or proprietary information.

Missing User Warnings

High
Confidence
97% confidence
Finding
The generated worker performs git checkout, git stash -u, and emergency stash cleanup automatically when it detects a dirty workspace. These operations can discard uncommitted changes, move user work into stashes unexpectedly, or interfere with unrelated repository state, and the user is not warned that this destructive behavior is built into the scaffolded automation.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
> ⚠️ **Security & Risk Warning**:
> This skill deploys a highly privileged autonomous shell pipeline. Please read carefully before initializing:
> 1. **Arbitrary Command Execution**: The core Tick Engine (`memento_tick.sh`) strictly and autonomously executes commands defined in the `verify` field of your `MASTER_PLAN.md`. Always run this system in an isolated Virtual Machine or Sandbox environment to prevent unintended side effects.
> 2. **Automated Git Rollbacks**: On task failure, the system executes `git checkout -- .` and `git stash push -u` to revert the workspace to a clean state. **Never initialize Memento in a directory containing pre-existing valuable files or untracked manual edits**, as they may be inadvertently stashed or overwritten.
> 3. **Optional HTTP Directory Exposure**: The companion Dashboard can run a Node.js web server to statically mount and serve your entire project directory via the `/preview` endpoint (if started with `--enable-preview`). **Do not place API keys, secrets, or sensitive private files in the project directory**.
Confidence
97% confidence
Finding
autonomously execute

Session Persistence

Medium
Category
Rogue Agent
Content
3. Wire it to crontab:
   ```bash
   crontab -e
   # Add: */5 * * * * /path/to/MyProject/scripts/memento_tick.sh
   ```
Confidence
84% confidence
Finding
crontab -e

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal