Security audit

Layered Memory

Security checks across malware telemetry and agentic risk

Overview

This memory skill's behavior appears related to its stated purpose, but it needs review because it can persist conversation content, inject agent reminders at startup, mutate local memory files, and execute hardcoded home-directory scripts through shell commands.

Review before installing. Use it only in an environment where storing conversation memory under your home directory is acceptable, avoid saving secrets or credentials, inspect the referenced ~/clawd/scripts files, and prefer manual or dry-run workflows until command execution and retention controls are tightened.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose is a token-saving layered memory utility, but the analyzer indicates materially broader behavior: bootstrap-time context injection, extracting memories from conversations, saving to disk, archiving, summarizing, loading config from multiple locations and env vars, and reading hardcoded files in the user's home directory. That mismatch is dangerous because users may grant trust to a seemingly narrow utility while it performs persistent data collection and automatic context manipulation outside the stated scope.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The generate method builds a shell command as a string and passes user-influenced values such as target, concurrent, and configPath into execSync. Although some values are wrapped in quotes, this still creates command-injection risk because shell metacharacters inside interpolated arguments can break quoting or alter command behavior, leading to arbitrary command execution under the current user's privileges.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill extracts memories from conversation messages and can persist them to disk, but this behavior is not reflected in the manifest description. In an agent skill context, undisclosed collection and storage of dialogue content is security-relevant because conversations often contain secrets, personal data, or sensitive operational context that users may not expect to be retained.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The test suite reaches outside the skill directory and inspects an external file, ~/clawd/scripts/generate-layers-simple.js. That creates an unnecessary dependency on user-home contents, may expose local path information, and validates or encourages behavior tied to files unrelated to the packaged skill, which is broader access than a self-contained test needs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide promotes automatic persistence of conversation memory to local files and scheduled jobs, but it does not warn that potentially sensitive prompts, secrets, or personal data may be written to disk and retained over time. In a memory-management skill, silent persistence materially increases privacy and data-retention risk because users may assume the feature is operationally convenient rather than a change in data handling.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The manual trigger phrase is presented as a convenience command without clearly stating that invoking it will persist conversation contents to storage. That can cause accidental saving of sensitive material if a user issues the phrase without understanding the privacy consequence.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document explicitly says the system will automatically record messages to history and save memory without any visible privacy warning, consent step, retention limit, or data-minimization guidance. Because the skill is about persistent memory management, this creates a real risk of silently storing sensitive user content on disk, which may later be exposed through local access, backups, logs, or unintended reuse.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The documentation recommends persistent automation via a Git post-commit hook and cron job that regenerate memory-layer files, but it does not clearly warn users that these actions will continuously modify derived files after future commits or on a schedule. This can surprise users, create unintended file churn, and propagate sensitive memory content into additional artifacts without explicit consent each time.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document promotes automatic session checks and memory saving without disclosing that this may persist sensitive conversation content or metadata to disk on a recurring basis. In a memory-management skill, automated persistence is contextually more dangerous because the feature naturally handles user conversation history, which may include secrets, personal data, or proprietary information.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The manual-trigger section gives commands that modify local memory files and regenerate derived layers, but it does not clearly warn users that these operations write to disk and may overwrite or expose content. In this skill’s context, those files are likely to contain accumulated conversational memory, so silent modification can have privacy and integrity consequences.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
saveExtractedMemories writes conversation-derived memories to disk and even triggers automatic layer generation afterward, but there is no confirmation or warning at the write point. This increases the risk of silently persisting sensitive data from chats, especially if callers invoke the function programmatically or pass --save from the CLI without understanding the retention impact.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Archive and deduplication operations modify stored memory content and may remove, merge, or relocate data, yet the interface provides no explicit caution, backup, or confirmation flow. In a memory-management skill, destructive or irreversible changes can cause data loss, integrity issues, or accidental removal of important records.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The script reads process.env.HOME and uses it to construct a filesystem path without any user-facing notice. While this is common in CLI tooling, it still touches sensitive environment-derived data and local filesystem locations beyond the skill directory, reducing transparency and increasing privacy risk.

Ssd 3

Medium
Confidence
96% confidence
Finding
These lines instruct the agent to automatically log conversation history and save memory after ordinary conversation flow, effectively retaining all user messages by default. That is dangerous because users may disclose secrets, credentials, personal data, or regulated content during normal use, and the skill normalizes persistent collection without clear safeguards.

Ssd 3

Medium
Confidence
98% confidence
Finding
The state persistence example includes a JSON structure that stores full conversationHistory entries with role, content, and timestamp across restarts, making the privacy and confidentiality risk concrete rather than hypothetical. Persisting raw user content in a predictable file under the home directory increases exposure to local compromise, misconfigured permissions, backups, sync tools, and accidental disclosure during troubleshooting or sharing.

VirusTotal

66/66 vendors flagged this skill as clean.