Security audit

Self-Evolving Five-Layer Memory System

Security checks across malware telemetry and agentic risk

Overview

This memory-system skill is not malware, but it asks the agent to persist sensitive personal, behavioral, environment, and API-key-related information with too little user control.

Install only if you intentionally want a persistent local memory framework. Do not store secrets, API keys, tokens, contact details, OpenID values, or sensitive conversation content in its memory files or knowledge graph. Keep consolidation and heartbeat actions manual until reviewed, and require explicit approval before it modifies MEMORY.md, AGENTS.md, SOUL.md, SHADOW.md, or routing files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers
Severity: Medium
Confidence: 91%
Finding: The manifest advertises very broad trigger conditions, such as analyzing memory architecture and implementing memory automation, without clear boundaries, exclusions, or user-confirmation requirements. In an agent ecosystem, this increases the chance that the skill activates in unrelated contexts and performs memory-related actions on sensitive data unexpectedly.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: This section instructs storing long-term user and system data across multiple memory files without describing consent, minimization, retention limits, or handling of sensitive information. Persistent storage of profiles, environment configuration, and lessons learned can accumulate sensitive data that may later be exposed, misused, or retained longer than intended.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: The knowledge graph guidance explicitly includes storage of user identifiers, contact information, and environment state, including API-key-related data. Centralizing these items in a retrievable memory graph materially raises the risk of credential exposure, identity leakage, and cross-context data disclosure if the graph is queried, synced, or accessed by unintended components.

Vague Triggers
Severity: Medium
Confidence: 92%
Finding: The guide says the consolidation script runs automatically after every heartbeat, but it does not define clear scope, preconditions, or approval boundaries for what data the script may read and modify. In an agent memory system, broad auto-triggering can cause unintended repeated writes, surprise state changes, and unsafe execution in contexts where the user did not explicitly consent to maintenance actions.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The document describes automatically creating `.access_stats.json` and recording entity access timestamps, but it does not warn users that usage metadata will be persisted. Silent creation of tracking data can expose behavioral patterns, increase data retention risk, and surprise users who expect the system to be read-only unless told otherwise.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The guide instructs the system to scan MEMORY.md and HEARTBEAT.md for keywords and automatically append findings to SHADOW.md without any privacy or modification warning. Because memory files may contain sensitive user or operational content, automated scanning and derivative logging can amplify disclosure, propagate sensitive text into additional files, and create hard-to-track secondary storage.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The guide explicitly instructs the agent to read weekly logs and, if those do not exist, to extract information from the current session to identify the user's decision style, communication preferences, habits, and constraints. This creates a privacy and profiling risk because it encourages collecting and inferring personal behavioral data for persistent memory without any notice, consent boundary, minimization rule, or sensitivity filter.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The document directs updating persistent memory files and recording distillation results in a diary, which operationalizes long-term storage of inferred user traits and behaviors. Persisting this information without warning, consent, or data classification can expose sensitive preference and behavioral data to later misuse, over-retention, or unintended access by other components or operators.

Ssd 3
Severity: High
Confidence: 99%
Finding: The skill repeatedly directs proactive extraction, distillation, and retention of user conversation details into persistent stores and a knowledge graph, including identity, contact details, preferences, environment configuration, and API-key-related state. In this context the danger is elevated because the design normalizes ongoing background collection and automated maintenance, making over-collection and accidental disclosure a built-in behavior rather than an isolated mistake.

VirusTotal

62/62 vendors flagged this skill as clean.