MemClawz

Security checks across malware telemetry and agentic risk

Overview

This looks like a real agent-memory skill, but it installs persistent services that can collect, store, and share sensitive memories with weakly scoped controls.

Install only after reviewing the referenced GitHub repository, requirements, and service files. Keep federation disabled unless you explicitly need it, use HTTPS and strong per-node credentials, restrict which memories can be shared, protect API keys and .env files, pin and verify downloaded components, and confirm how to stop, uninstall, inspect, and delete stored memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The federation section documents pushing and pulling memories to remote nodes, including use of a shared secret and a public IP example, but gives no warning that memory content may contain sensitive user, session, or organizational data. In a memory-system skill, this context makes the issue more dangerous because the whole purpose of the service is aggregating and distributing potentially confidential agent memories across the network.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The architecture explicitly describes automatic extraction from conversation summaries and sending that data through Mem0, Qdrant, REST APIs, and MCP integrations, but it provides no mention of consent, data minimization, redaction, retention limits, or privacy controls. In a memory system for an AI agent fleet, conversation summaries may contain sensitive personal, operational, or credential-adjacent information, so undocumented automatic propagation to multiple services materially increases privacy and data-exposure risk.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The installer performs multiple system-changing actions automatically: cloning/pulling code, installing Python packages, launching Docker or a downloaded Qdrant binary, and enabling persistent user services. Even if this is standard installer behavior, doing so without explicit confirmation, integrity verification, or a clear warning increases supply-chain and unintended-change risk, especially for an agent memory system that installs background services.

VirusTotal

66/66 vendors flagged this skill as clean.