ClawHub

Smart Memory (Zero Dep)

Security checks across malware telemetry and agentic risk

Overview

This local memory skill is mostly coherent, but it needs Review because it persistently stores conversation-derived data and one restore feature can load arbitrary local files into active agent memory.

Install only if you want a local agent memory system that writes conversation-derived preferences, project facts, lessons, and task state to disk. Before using it broadly, restrict restore to the session-snapshots directory, require confirmation for durable writes and cleanup, and be careful not to run it on sensitive conversations or credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation text is broad enough to activate on common phrases like 'remember this' or 'what are we working on,' which can cause the skill to run in contexts the user did not intend. Because this skill writes session and memory files under a WAL-first model, accidental triggering can lead to over-collection, unintended persistence of sensitive conversation content, or unwanted modification of local memory state.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrase "archive old stuff" is vague and conversational, so it can be matched during ordinary discussion rather than as a deliberate command. In a memory-management skill that performs archival actions, this raises the risk of unintended state-changing behavior such as reorganizing or hiding memory files without clear user intent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script automatically writes extracted conversation content to a persistent workspace file without any explicit consent, notice, or confirmation at the time of storage. In a memory-management skill, this is especially sensitive because users may provide personal, confidential, or regulated information during normal conversation, and the keyword-based filter for secrets is incomplete and easy to bypass.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The script automatically appends promoted LESSON entries into MEMORY.md without any explicit user confirmation, warning, or opt-in beyond running the command. In a memory-management skill, this can silently persist conversation-derived content, including inaccurate, sensitive, or attacker-planted text, making the issue more relevant because the tool’s purpose is to store long-lived agent memory.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The restore command accepts an arbitrary file path via the file argument, reads it, and overwrites SESSION-STATE.md with its contents. In an agentic memory skill, this makes prompt/state poisoning more dangerous because a caller can replace active working memory with attacker-controlled content from outside the snapshot directory, potentially steering later agent behavior or reintroducing sensitive/stale data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal