Back to skill

Security audit

Skill From Memory

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it can turn private chat or memory content into executable files and publish it externally without built-in review safeguards.

Install only if you are prepared to manually inspect and sanitize every generated file before publishing. Use narrow source files, avoid full session logs when possible, review conversation.txt, source-memory.md, extraction summaries, SKILL.md, README.md, and scripts/extracted-code.sh, remove secrets or private details, and confirm the GitHub repo and ClawHub slug before running publish or create-and-publish.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs users to run shell scripts and publish to GitHub/ClawHub, which clearly implies shell and network capabilities, but it does not declare or warn about those permissions. This can mislead users about the skill's operational scope and increase the chance they run actions that modify local files or send data externally without informed consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill is designed to extract content from conversation history and memory, then package and publish it to external services, but it does not warn that sensitive prompts, secrets, personal data, or internal workflow details could be included. In this context, omission is dangerous because the core workflow normalizes exfiltrating local conversational memory to GitHub/ClawHub.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script extracts conversation history and writes it into multiple files under the output directory, but it provides no warning, consent gate, redaction step, or permission hardening despite handling potentially sensitive session data. In this skill context, the risk is elevated because conversation logs may contain secrets, personal data, internal prompts, or tool outputs that become easy to persist, review, publish, or commit elsewhere.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This script initializes a repository, stages all files, creates commits and tags, and attempts to push to a remote without any explicit confirmation step or warning that local content will be published. In the context of a skill that converts memory or conversation-derived work into reusable artifacts, this increases the risk of unintentionally publishing sensitive files, hidden metadata, or other local content included by `git add -A`.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script publishes the entire skill path to ClawHub without an explicit warning or confirmation that local content is being transmitted to an external service. Because this skill is specifically designed to package memory, conversation history, or completed tasks into publishable skills, accidental inclusion of sensitive or proprietary material is more plausible and makes silent publication more dangerous.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.