ClawHub

KnowMine

Security checks across malware telemetry and agentic risk

Overview

KnowMine is a legitimate-looking remote memory skill, but users should review it carefully because it can persist conversation content remotely and its data-processing disclosures are incomplete.

Install only if you are comfortable sending selected notes, memories, preferences, and knowledge-base queries to KnowMine for persistent remote storage and semantic search. Do not store secrets, credentials, regulated data, or sensitive work material unless you have independently reviewed the service’s privacy, retention, deletion, and embedding-provider practices. Require explicit confirmation before letting an agent save conversation content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill description is broad enough to match common requests about remembering things, carrying context, and searching past information, which can cause the agent to invoke a networked third-party memory service in situations where the user did not explicitly consent to external storage. In this skill’s context, that is materially risky because the tool is designed to persist conversation-derived data and make it searchable later, increasing the chance of unintended retention of sensitive personal or work information.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The markdown describes a remote MCP service that stores notes, memories, and insights with semantic processing, but it does not prominently warn users that conversation content may be transmitted to knowmine.ai for storage, embedding generation, and later retrieval. This omission is dangerous because users may disclose sensitive personal, business, or credential-adjacent information under the assumption the interaction is local or ephemeral, when the skill instead creates persistent remote records.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal