Long Memory

Security checks across malware telemetry and agentic risk

Overview

This is a real long-memory skill, but it persistently captures sensitive conversations and exposes export, backup, API, and weakly described security features without enough safeguards.

Install only if you intentionally want full-session, long-term local memory. Treat the memory directory, exports, reports, API, and git backups as sensitive. Do not rely on the advertised encryption for strong protection, avoid importing untrusted JSON, do not expose the local API without additional access controls, and review retention/deletion practices before using it with personal, business, credential, medical, legal, or regulated information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (39)

Description-Behavior Mismatch

Severity: High (97% confidence)
The script can push the entire memory directory to a remote Git repository, while the skill description indicates storage of full conversation history including potentially highly sensitive content. In this context, remote synchronization materially expands data exposure and can exfiltrate private conversations, secrets, and other retained memory outside the local environment.

Description-Behavior Mismatch

Severity: Medium (81% confidence)
The CLI advertises and dispatches a broad set of operations beyond the declared memory-capture/retrieval purpose, which increases the accessible attack surface and makes it easier to hide risky functionality behind a benign-seeming skill. In an agent-skill context, scope drift is security-relevant because users and reviewers may grant trust based on the manifest while the tool exposes many additional behaviors.

Description-Behavior Mismatch

Severity: High (95% confidence)
The presence of user-management, configuration, API/server, scheduler, import, and reporting commands is inconsistent with a simple long-memory skill and materially expands what an agent could do if this CLI is reachable. In this context, such hidden administrative and service-oriented capabilities are more dangerous because a memory skill is expected to handle conversation storage/retrieval, not operate infrastructure or manage accounts, creating a privilege and transparency mismatch.

Description-Behavior Mismatch

Severity: Medium (88% confidence)
The code and comments describe the embedding model as local/free, but `SentenceTransformer(MODEL_NAME)` can download model artifacts on first use from external infrastructure. In a long-memory skill handling conversation history, this creates an undeclared supply-chain and privacy boundary: users may believe processing is fully local while the environment performs network retrieval of model files at runtime.

Description-Behavior Mismatch

Severity: Medium (93% confidence)
The script labeled as an integrity checker does not only verify files; during normal execution it updates and persists the checksum baseline for any new or modified file. That means unauthorized or accidental tampering can be silently normalized as the new trusted state, defeating the security value of integrity monitoring and making later detection harder. In a long-memory skill that stores sensitive conversation archives, this is more dangerous because altered records can be accepted as legitimate history.

Context-Inappropriate Capability

Severity: Medium (92% confidence)
The script extracts named people, relationship types, and inferred roles from stored conversations, creating a social profile of the user and third parties. In the context of a long-memory skill, this is more dangerous because it goes beyond simple recall and performs covert relationship mapping on sensitive personal data without clear necessity or consent.

Intent-Code Divergence

Severity: High (99% confidence)
The module claims to provide AES-256 encryption, but the actual implementation is a repeating-key XOR stream using a SHA-256-derived key and a fixed salt. This is cryptographically weak, deterministic, lacks authenticated encryption, and can expose highly sensitive remembered conversation data to offline recovery or tampering while giving users a false sense of security.

Context-Inappropriate Capability

Severity: High (88% confidence)
The scheduler executes local Python scripts based on task configuration loaded from persistent storage, giving the skill a general-purpose local code execution mechanism. If an attacker or another component can modify .schedule.json or drop/replace scripts in the scripts directory, they can cause unauthorized code execution under the agent's privileges, which is more dangerous because this skill is supposed to manage long-term memory rather than act as a task runner.

Description-Behavior Mismatch

Severity: Medium (83% confidence)
The scheduler persists task results, including captured stdout and stderr, into memory storage. Since the skill's purpose is full conversation memory, this creates a pathway for unrelated command output—potentially containing secrets, file paths, tokens, or private conversation-derived data—to be retained and later retrieved through the memory system.

Description-Behavior Mismatch

Severity: Medium (88% confidence)
The merge_users function explicitly copies and appends one user's conversation history into another user's memory space, defeating the stated isolation boundary. In a long-memory skill that stores full conversations and likely sensitive content, this creates a real confidentiality and integrity risk if invoked accidentally or by an unauthorized operator.

Intent-Code Divergence

Severity: Medium (84% confidence)
The module advertises multi-user isolation, but the same script includes a built-in operation to intentionally combine separate users' memories. This mismatch is security-relevant because it can mislead operators into assuming stronger privacy guarantees than the implementation actually provides, especially in a system designed for persistent storage of complete user conversations.

Missing User Warnings

Severity: Medium (94% confidence)
The README explicitly markets indefinite full-conversation archival, retrieval, backup, export, REST API exposure, and session capture, but does not present a clear privacy warning, retention notice, consent model, or data-minimization guidance. In an agent skill, this can lead operators to deploy pervasive logging of sensitive user data and internal reasoning without informed user consent or appropriate safeguards.

Vague Triggers

Severity: Medium (84% confidence)
The trigger conditions include common phrases like '记下来' ("note this down"), '别忘了' ("don't forget"), and '回忆一下' ("recall"), which are likely to occur in ordinary conversation without the user intending to activate a persistent archival system. In the context of a skill that claims full-session retention and semantic retrieval, over-broad triggering can silently capture and persist sensitive data far beyond user expectations.

Missing User Warnings

Severity: High (97% confidence)
The description emphasizes full conversation storage and retrieval but does not clearly warn users that sensitive content may be retained, indexed, exported, backed up, or exposed through related features. Because the skill is specifically designed to preserve complete dialogues across sessions, the lack of an explicit privacy warning materially increases the risk of uninformed collection and disclosure of personal or confidential data.

Missing User Warnings

Severity: Medium (82% confidence)
The POST endpoint writes arbitrary conversation content directly to persistent local files without any authentication, authorization, or user-consent mechanism at the API layer. In the context of a long-memory skill that archives conversation history, silent persistence increases privacy risk and allows any local process that can reach 127.0.0.1:8765 to create or modify stored records.

Missing User Warnings

Severity: Medium (96% confidence)
The script stages all files, commits them, and may push them remotely without any confirmation prompt or explicit warning about data handling. Given this skill's purpose is long-term retention of full conversations, the lack of consent and warning increases the risk of silently persisting and transmitting sensitive user data, including information the user may not expect to be archived or shared.

Missing User Warnings

Severity: Medium (94% confidence)
The script archives full user and assistant conversation content into a persistent markdown file under a predictable local path without consent flow, minimization, retention controls, or access restrictions. In this skill context, conversations may contain sensitive personal data, secrets, credentials, or private model outputs across sessions, so silent long-term storage materially increases confidentiality and privacy risk if the host is shared, backed up, indexed, or later exfiltrated.

Missing User Warnings

Severity: Medium (88% confidence)
The script persists distilled conversation-derived content into MEMORY.md and archive files automatically, without any explicit consent prompt, warning, retention control, or data minimization guard. In the context of a long-memory skill handling user conversations, this increases the risk of silently retaining sensitive personal data across sessions and expanding exposure if the workspace is later accessed, synced, or exfiltrated.

Missing User Warnings

Severity: Medium (93% confidence)
The script persists extracted conversation text metadata and vector indexes to local files without any user-facing warning, consent, retention policy, or permission hardening. In the context of a long-memory skill that may archive sensitive cross-session conversations, silent persistence materially increases privacy and data-exposure risk if the host is shared, backed up, or later compromised.

Missing User Warnings

Severity: Medium (90% confidence)
Loading the sentence-transformers model may trigger network access to obtain model files, but the user is not clearly warned that external fetching can occur. For a memory system processing sensitive dialogue, undeclared outbound retrieval changes the trust boundary and may violate assumptions about fully local operation, even if conversation text is not directly uploaded by this code path.

Missing User Warnings

Severity: Medium (94% confidence)
The script scans and analyzes all markdown conversation files under the user's memory workspace by default, generating emotional inferences from historical chats without any consent, notice, or scope restriction in this component. In a long-memory skill context, this is more sensitive because the dataset contains persistent cross-session conversation history, so silent secondary analysis increases privacy risk and can reveal intimate behavioral patterns beyond simple storage.

Missing User Warnings

Severity: Medium (90% confidence)
This script exports complete conversation history, summaries, distillations, and long-term memory content to any caller-specified path with no confirmation, redaction, access control, or sensitivity warning. In the context of a 'long-memory' skill that explicitly stores full user messages and assistant replies, this creates a real privacy and data-exfiltration risk because highly sensitive content can be silently copied into broadly accessible locations.

Missing User Warnings

Severity: Medium (92% confidence)
The script generates and writes an HTML report that summarizes conversation-derived metadata such as dates, tags, topics, session counts, and sizes. In the context of a long-memory skill that stores full conversation history, this creates an additional derived artifact that can expose sensitive behavioral or semantic information if opened, shared, or left in a predictable location, and there is no in-code warning, consent gate, or minimization step.

Missing User Warnings

Severity: Medium (97% confidence)
The JSON import path uses untrusted metadata such as item.get("file") directly in path construction: `dest = target_dir / item.get("file", "imported.md")`. An attacker-controlled JSON file can supply path traversal values like `../../authorized_keys` or absolute paths, potentially causing writes outside the intended memory directory and overwriting arbitrary files accessible to the current user.

Missing User Warnings

Severity: Medium (84% confidence)
When --fix is used, the script edits memory files and later saves updated checksum records, but there is no strong user-facing confirmation, dry-run preview, or transactional safeguard around those writes. For a memory system holding full conversations, automated repair can overwrite evidence of corruption or tampering and can irreversibly alter sensitive records under the guise of maintenance.

VirusTotal

65/65 vendors flagged this skill as clean.