Memstate AI

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Memstate cloud-memory skill with disclosed remote storage and deletion features, but users should treat stored content and delete commands carefully.

Install this only if you want your agent to use Memstate as an external persistent memory service. Do not store secrets, credentials, regulated data, or confidential project details unless your organization approves that data leaving the local environment. Protect MEMSTATE_API_KEY, and use recursive or project-level delete commands only when you are sure of the target project and keypath.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89%
Finding
The skill clearly requires an API key and documents direct interaction with an external REST API, but it does not declare permissions in a way that transparently signals environment-variable access and outbound network use to the user. This creates a trust and consent gap: agents may transmit stored content to a third-party service without an explicit permission/warning model, increasing the risk of unintended data exposure.

Description-Behavior Mismatch

Medium
Confidence
86%
Finding
This script performs a destructive project-delete operation even though the skill is described in terms of memory storage and retrieval. In an agentic context, an unexpectedly destructive capability increases the chance of accidental or unauthorized deletion of all memory for a project, especially if users or orchestrators assume the skill is read/write memory management rather than deletion tooling.

Missing User Warnings

Medium
Confidence
94%
Finding
The skill encourages storing task summaries, architecture notes, config values, and other memory content, but the description does not prominently warn that this information is transmitted to an external REST API service. In agent workflows, this can lead to accidental exfiltration of proprietary code details, credentials, security decisions, or other sensitive internal context to a third party.

Missing User Warnings

Low
Confidence
82%
Finding
The skill documents deletion commands, including recursive keypath deletion and project-wide deletion, without an explicit warning, confirmation step, or emphasis on operational consequences. Even if deletion is implemented as a tombstone, these commands can still hide current data, disrupt downstream agent behavior, and cause effective data loss or confusion if used inadvertently or maliciously.

Missing User Warnings

Medium
Confidence
86%
Finding
This script performs a destructive remote delete operation, including recursive subtree deletion, with no interactive confirmation, dry-run mode, or safeguard against broad keypaths. In an agent-skill context, a mistaken invocation, prompt injection, or parameter mix-up could silently delete large amounts of memory state and cause integrity and availability loss.

Missing User Warnings

Medium
Confidence
90%
Finding
The script sends arbitrary user-provided --content, and optionally source/context, to a third-party remote API with no runtime warning, confirmation, redaction, or size/content safeguards. In an agent setting, this can cause unintentional disclosure of secrets, personal data, proprietary prompts, or sensitive workspace content if upstream callers pass unsafe material.

Missing User Warnings

Medium
Confidence
87%
Finding
This script sends user-provided memory content, keypaths, categories, and topics to a remote third-party API without an explicit runtime warning or confirmation about data disclosure. In an agent-skill context, operators may assume a local memory operation and unintentionally transmit sensitive prompts, secrets, or personal data off-host.

VirusTotal

52/52 vendors flagged this skill as clean.