memory-auto-update

Security checks across malware telemetry and agentic risk

Overview

This memory skill is not clearly malicious, but it can persist conversation content through broad everyday phrases and does not clearly bound consent, retention, or file-write scope.

Install only if you explicitly want this agent to save conversation-derived memories across sessions. Before use, confirm where the memory file is stored, how to review and delete entries, whether auto-save can be disabled, and whether writes require preview and confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation explicitly references scripts that read and write memory files, but no permissions are declared. That creates a capability/permission mismatch that can lead to silent file access beyond what a reviewer or runtime policy expects, especially because the skill's core function is to persist conversation-derived data. In this context, undeclared file I/O is more dangerous because the skill is designed to auto-save user content, increasing the chance of unintended or overbroad data persistence.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation makes a privacy-relevant claim that only the current session is processed, while elsewhere stating that multiple sessions save into the same memory file. This inconsistency can mislead users about retention and cross-session data handling, causing them to disclose sensitive information under false assumptions about scope.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are broad, common conversational expressions such as '今天就这样' ('that's it for today'), '结束了' ('it's over'), and '总结一下今天' ('summarize today'), which can easily occur in normal chat without the user intending persistent storage. In a memory-writing skill, accidental activation can cause unintended collection and retention of sensitive personal, work, or relationship information, making this a genuine safety and privacy issue.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README promotes automatic extraction and updating of '决策、待办、约定、事实' (decisions, to-dos, agreements, facts) but does not prominently warn users that ordinary conversation content may be persisted automatically. Because the skill is specifically designed to retain potentially sensitive conversation details, the absence of an explicit storage/consent warning increases the risk of users disclosing information they did not expect to be saved.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The activation phrases include very common expressions such as 'remember this,' 'don't forget,' and 'that's all for today,' which can appear in normal conversation without intending to invoke the skill. Because this skill performs memory extraction and file writes, accidental activation can cause sensitive or irrelevant conversation content to be summarized and stored without clear user intent. The auto-update purpose makes this more dangerous than a read-only skill because misfires directly change persistent state.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The quick-reference table normalizes single-line phrases like '更新记忆' ('update memory'), '你忘了吗?' ('did you forget?'), and '今天就这样' ('that's it for today') as direct triggers, even though several are common conversational utterances rather than clear commands. This increases the likelihood that routine discussion or frustration will invoke memory-saving behavior unexpectedly. In a skill that writes summaries to files, unintended activation can create privacy and integrity issues by storing incomplete, mistaken, or sensitive content.

Vague Triggers

Medium
Confidence
96% confidence
Finding
Automatically treating complaint phrases like '你忘了吗' ('did you forget?') or '你怎么不记得' ('how come you don't remember') as authorization to inspect prior dialogue, extract content, and save it is unsafe because frustration does not equal consent. An attacker or accidental speaker could trigger memory updates from emotionally charged but ambiguous language, causing persistence of sensitive conversation details the user did not intend to store. This is especially risky here because the skill is explicitly designed to auto-update memory and write results to disk.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The manifest advertises many generic trigger phrases such as 'remember this', 'don't forget', 'summarize today', and 'did you forget', which are common in ordinary conversation and can activate the skill without clear, explicit user intent. In a memory-writing skill, accidental activation is risky because it may cause unintended persistence of sensitive or private conversation content into long-term memory.

Natural-Language Policy Violations

Low
Confidence
78% confidence
Finding
The description is promotional and emphasizes automatic memory updates without clearly stating consent, confirmation, or opt-in requirements, while claiming support for multiple languages. In context, this matters because the skill modifies persistent memory, so unclear disclosure can mislead users about when data is stored and increase the chance of non-consensual retention.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Phrases like '你忘了吗' / 'you forgot?' are common conversational language and are documented as triggers for memory inspection and update behavior. Broad triggers increase the chance of accidental activation, causing unintended extraction, summarization, or persistence of conversation content the user did not mean to store.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Manual-update triggers such as '更新记忆' ('update memory'), '保存一下' ('save this'), or '记录今天的对话' ('record today's conversation') are still ambiguous in ordinary usage and lack strong scoping to the skill. In practice, this can cause unintended activation and storage when users speak casually or when another participant mentions similar phrases in the conversation.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The guide explicitly tells users they do not need to remember commands and can speak naturally, which weakens the boundary between normal dialogue and privileged memory-write actions. For a persistence-related skill, this raises the risk that sensitive or incidental content will be captured without clear, informed intent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation describes generating a structured summary and saving it to a memory file, but does not provide a sufficiently prominent warning about persistence, retention, and privacy implications at the point of use. Users may therefore expose personal, confidential, or business-sensitive information without realizing it will be stored.

VirusTotal

64/64 vendors flagged this skill as clean.