claudemem — Persistent Agent Memory & Notes

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent local memory tool, but its installer path and its automatic persistence of conversation content create trust and privacy risks that warrant review before use.

Install only if you are comfortable trusting the external GitHub release and installer path. Review the installer first, avoid saving secrets or credentials, periodically inspect or delete ~/.claudemem, and disable auto-save or auto-wrap-up if you need explicit review before anything is persisted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes shell commands (`curl`, `bash`, and the `claudemem` CLI) but does not declare corresponding permissions. Undeclared execution capability reduces transparency and can cause the host to run commands the user did not explicitly authorize, especially in a memory-oriented skill that is expected to operate passively.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The manifest promises 'All local, zero network,' but the setup instructions fetch and execute code from GitHub and may install software into local bin directories. This mismatch is security-relevant because users may trust the skill under a false assumption that it will not access the network or modify the system, lowering their guard before installation or execution.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
Claiming 'All local, zero network' while instructing users to run a remote installer is misleading and can induce unsafe trust. Users may approve execution expecting no external connectivity, when in fact the first-run path depends on downloading code from the internet.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The natural-language triggers are broad enough that ordinary conversation can be interpreted as commands to save, recall, or wrap up memory. In a persistence skill, unintended activation can lead to silent storage of sensitive content or retrieval of prior context when the user did not intend an operation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs automatic note capture without an upfront, prominent warning in the description or activation UX. That creates an informed-consent problem: users may share secrets, preferences, or environment details without realizing the skill may persist them locally across conversations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The command explicitly instructs the agent to persist conversation-derived knowledge, including user preferences, to long-term memory but provides no consent step, warning, or sensitivity filter. In a persistent-memory skill, this creates a real privacy risk because users may not realize that personal or confidential details from the full conversation will be retained across sessions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The session save command stores project path, branch name, timestamp, and a session summary without notifying the user that environment and project metadata are being retained. That metadata can reveal repository names, internal directory structures, work patterns, or other sensitive operational context even if the conversation summary itself is sanitized.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer explicitly advertises `curl ... | bash`, which encourages direct execution of network-fetched code without inspection, pinning, or integrity verification. In a security-sensitive agent skill ecosystem, this increases supply-chain risk because any compromise of the upstream repository, branch, or transport chain can immediately lead to arbitrary code execution on the user's machine.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
After downloading a binary from GitHub, the script marks it executable and then runs it automatically for `--version` without user confirmation or integrity verification. Even though the intent appears to be installation verification, this still executes untrusted downloaded code and could trigger arbitrary behavior if the release artifact or account is compromised.

Ssd 3

Medium
Confidence
95% confidence
Finding
The auto-save design explicitly captures preferences, environment configuration, URLs, endpoints, and other conversation-derived information without asking first. Persistent storage of such data increases the risk of retaining secrets, internal infrastructure details, or sensitive behavioral profiles beyond the user's intent.

Ssd 3

Medium
Confidence
95% confidence
Finding
Telling the agent to review the entire conversation and save learned user information increases the chance of capturing sensitive data that appeared incidentally, such as credentials, internal URLs, personal details, or confidential business context. Because the skill is specifically designed for cross-session persistence, accidental retention is more dangerous here than in a transient assistant workflow.
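The two findings above, together with the earlier one on retained project metadata, describe a missing step rather than a defect in the CLI: nothing inspects conversation-derived text for secrets or operational context before `claudemem note add` persists it. Below is an added example of such a pre-save gate, written for this page and not part of claudemem; the regexes, the `[REDACTED:...]` marker, the allow/redact/block policy and the sample fragments are all constructed here. `audit_texts` applies the same gate to notes already on disk, for the periodic inspection of ~/.claudemem that the overview recommends (`audit_directory` assumes the store keeps notes as readable text files).

```python
"""Pre-save sensitivity gate for agent memory notes.

Added example for this page; not part of claudemem. Everything below
(patterns, the [REDACTED:...] marker, the allow/redact/block policy and the
sample fragments) is constructed to illustrate the missing filter.
"""
import re
from dataclasses import dataclass, field
from pathlib import Path

# Credential shapes. Conservative on purpose: a false positive costs one
# redacted note, a false negative persists a secret across sessions.
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA |)PRIVATE KEY-----"),
    "aws_access_key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]{20,}=*"),
    "url_with_creds": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@\S+"),
    "assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*\S{8,}"),
}

# Operational context the metadata finding calls out: internal hosts and
# home-directory paths reveal repository names and directory structure.
CONTEXT_PATTERNS = {
    "internal_host": re.compile(r"\b[a-z0-9.-]+\.(?:internal|corp|local|lan)\b(?::\d+)?"),
    "home_path": re.compile(r"(?:/home/|/Users/)[^\s/]+"),
}


@dataclass
class GateResult:
    decision: str            # "allow", "redact" or "block"
    text: str                # content safe to persist (unchanged when allowed)
    hits: list = field(default_factory=list)


def gate_note(text: str) -> GateResult:
    """Scan a candidate note; secrets are redacted, key material blocks the save."""
    hits, out = [], text
    for name, pat in {**SECRET_PATTERNS, **CONTEXT_PATTERNS}.items():
        if pat.search(out):
            hits.append(name)
            out = pat.sub(f"[REDACTED:{name}]", out)
    # Key blocks are never persisted, even redacted: the surrounding text
    # usually says which key it was.
    if "private_key" in hits:
        return GateResult("block", "", hits)
    return GateResult("redact" if hits else "allow", out, hits)


def build_note_argv(category: str, title: str, content: str):
    """argv for the save step, or None when the gate blocks it.

    An argv list (not a shell string) keeps conversation-derived content
    from being interpreted by a shell, which a `--content "..."` line
    pasted into a command would otherwise need careful quoting to avoid.
    """
    r = gate_note(content)
    if r.decision == "block":
        return None
    return ["claudemem", "note", "add", category,
            "--title", title, "--content", r.text]


def audit_texts(items: dict) -> dict:
    """Map name -> hits for every stored note that would not pass the gate."""
    results = {name: gate_note(body) for name, body in items.items()}
    return {name: r.hits for name, r in results.items() if r.decision != "allow"}


def audit_directory(root: Path) -> dict:
    """Run the gate over a note store, treating each file as plain text
    (assumption: the store keeps notes as readable files)."""
    files = {str(p): p.read_text(errors="ignore")
             for p in root.rglob("*") if p.is_file()}
    return audit_texts(files)


# Constructed conversation fragments an auto-save step might pick up.
SAMPLE_FRAGMENTS = [
    "User prefers tabs and wants commit messages in the imperative mood.",
    "Staging API: export API_KEY=sk_live_9f8e7d6c5b4a39281706f5e4d3c2b1a0",
    "Clone with https://deploy:s3cr3t@git.corp.example/team/repo.git",
    "Working dir is /Users/alice/src/payments on branch feature/refunds",
]

if __name__ == "__main__":
    for frag in SAMPLE_FRAGMENTS:
        r = gate_note(frag)
        print(f"{r.decision:6} {r.hits or ''} {r.text}")
```

Running the module over the constructed fragments shows the first one passing untouched, the API key, the credentialed URL and the home path each stored in redacted form, and nothing written for a key block. The gate is the consent point the findings ask for: an agent that calls `build_note_argv` and gets `None` back has to ask the user rather than save silently.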

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
### Recommended: Auto Wrap-Up Before Session Ends

If the user has enabled auto wrap-up in their CLAUDE.md, automatically execute /wrap-up before the conversation ends:
1. Extract unsaved knowledge fragments → save as notes (with dedup)
2. Generate session summary → save as session
3. Show brief report of what was saved
Confidence
84% confidence
Finding
automatically execute

Session Persistence

Medium
Category
Rogue Agent
Content
**How to auto-save gracefully:**
1. Identify the knowledge fragment during your normal response
2. Choose an appropriate category (create new if none fits)
3. Before saving, quickly search to avoid duplicates: `claudemem note search "keyword" --format json`
4. If related note exists: `claudemem note append <id> "new info"` instead of creating duplicate
5. Save: `claudemem note add <category> --title "..." --content "..." --tags "..."`
Confidence
89% confidence
Finding
create new if none fits) 3. Before saving, quickly search to avoid duplicates: `claudemem note search "keyword" --format json` 4. If related note exists: `claudemem note append <id> "new info"` instea

External Script Fetching

Low
Category
Supply Chain
Content
Before first use, verify the CLI is installed. If `claudemem` is not found on PATH, install it:

```bash
curl -fsSL https://raw.githubusercontent.com/zelinewang/claudemem/main/skills/claudemem/scripts/install.sh | bash
```

Or run the bundled installer:
Confidence
94% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/zelinewang/claudemem/main/skills/claudemem/scripts/install.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
Before first use, verify the CLI is installed. If `claudemem` is not found on PATH, install it:

```bash
curl -fsSL https://raw.githubusercontent.com/zelinewang/claudemem/main/skills/claudemem/scripts/install.sh | bash
```

Or run the bundled installer:
Confidence
99% confidence
Finding
| bash
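The four findings on the installer path (the advertised `curl ... | bash`, the automatic `--version` run of the downloaded binary, and the two content matches on the install command) all point at the same remediation: fetch to a file, verify it against a digest obtained out of band, and execute only on a match. The following is an added example of that download-then-verify pattern written for this page; it is not code from claudemem or its installer. The pinned SHA-256, the URL and the `sh` interpreter are assumptions the caller supplies, and the URL should reference an immutable tag or commit rather than the `main` branch shown above.

```python
"""Download-then-verify replacement for `curl ... | bash`.

Added example for this page; not code from the claudemem project. The URL,
the expected SHA-256 (obtained out of band, e.g. from a signed release note)
and the interpreter are assumptions supplied by the caller.
"""
import hashlib
import hmac
import subprocess
import tempfile
import urllib.request
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the downloaded artifact."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """True only if the artifact matches the pinned digest (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def fetch(url: str, timeout: float = 30.0) -> bytes:
    """Download the whole artifact into memory; nothing is executed here.

    HTTPS is required so a plain-HTTP mirror or a downgrade cannot substitute
    the script. Pin the URL to a tag or commit, not a moving branch.
    """
    if not url.startswith("https://"):
        raise ValueError("refusing non-HTTPS download: %s" % url)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def run_if_verified(script: bytes, expected_hex: str, interpreter: str = "sh") -> int:
    """Execute the script only after its digest matches; refuse otherwise.

    Returns the interpreter's exit status. On mismatch nothing is written to
    disk or executed, which is the property the one-liner lacks.
    """
    if not verify_digest(script, expected_hex):
        raise RuntimeError("digest mismatch: refusing to execute downloaded script")
    with tempfile.NamedTemporaryFile("wb", suffix=".sh", delete=False) as fh:
        fh.write(script)
        path = Path(fh.name)
    try:
        # argv form, no shell: the temp path is passed as a single argument.
        return subprocess.run([interpreter, str(path)], check=False).returncode
    finally:
        path.unlink(missing_ok=True)


def install_pinned(url: str, expected_hex: str) -> int:
    """Fetch, verify, run: the three steps the pipe collapses into one."""
    return run_if_verified(fetch(url), expected_hex)


if __name__ == "__main__":
    # Constructed demo: a local stand-in for an installer, never the network.
    demo = b"#!/bin/sh\necho 'installer would run here'\n"
    print("exit status:", run_if_verified(demo, sha256_hex(demo)))
```

The same split applies to the second finding: a release binary should be written to disk, checked against its published digest, and only then marked executable and run, rather than run for `--version` as a side effect of the download.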

VirusTotal

59/59 vendors flagged this skill as clean.
