Lobu

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Lobu memory plugin, but it automatically sends conversation content to an external memory service and exposes broader remote query/execution tools, so it belongs in Review.

Install only if you intend Lobu to persist and recall conversation-derived memory. Review the configured MCP endpoint, disable autoCapture or autoRecall for sensitive work, avoid using broad SDK/SQL/run tools unless you trust the Lobu workspace and server policy, and be aware that authentication tokens are persisted locally and a worker process may be started after login.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Severity: Medium (87% confidence)
Finding:
This plugin is presented as a long-term memory integration, but it explicitly exposes powerful remote capabilities such as query_sdk, query_sql, and run_sdk. That meaningfully expands the trust boundary: an agent or compromised MCP backend can pivot from memory retrieval into arbitrary data access or action execution, which is dangerous in a skill whose purpose suggests much narrower behavior.

Context-Inappropriate Capability

Severity: High (91% confidence)
Finding:
The code spawns external processes (for example npx connector-worker daemon and subprocess-based token/bootstrap handling), which introduces command-execution and supply-chain risk into an agent skill. Even though some inputs are passed via argv/env rather than shell interpolation, launching npx and node subprocesses still allows untrusted package resolution, inherited environment leakage, and expansion of the plugin's capability from memory access to code/process execution.

Missing User Warnings

Severity: Medium (89% confidence)
Finding:
The README advertises automatic recall before each prompt and automatic capture after each session, but it does not clearly warn that potentially sensitive conversation content may be stored and retransmitted to an external memory service. In an agent plugin context, this omission can lead operators to enable persistent memory without understanding privacy, retention, or compliance implications, increasing the chance of sensitive data exposure through normal use rather than a code exploit.

Missing User Warnings

Severity: Medium (95% confidence)
Finding:
The plugin automatically captures and sends paired user/assistant conversation content to remote memory storage on agent_end, without any user-facing notice, consent, or visible gating in this file. This creates a clear privacy and data-governance risk because sensitive prompts, secrets, or regulated data may be exfiltrated to persistent external storage merely by using the skill.

Vague Triggers

Severity: Medium (80% confidence)
Finding:
The manifest describes automatic memory behavior but does not clearly constrain when recall or capture occurs, what data is eligible, or what user consent model applies. In a memory plugin that can automatically search and persist conversation-derived content, vague activation semantics increase the risk of over-collection, unexpected data disclosure, and privacy-impacting behavior by default.

Missing User Warnings

Severity: High (94% confidence)
Finding:
The plugin enables both automatic recall and automatic capture by default, yet the manifest provides no prominent warning that user prompts and session-derived observations may be sent to and stored in an external memory service. In this context, the skill is specifically a remote memory integration over MCP, so default-on background collection and retrieval can expose sensitive prompts, secrets, or regulated data without sufficiently informed user action.

Vague Triggers

Severity: Medium (87% confidence)
Finding:
The plugin enables automatic memory recall by default before each prompt, but the manifest text does not define clear user consent, scoping, or trigger boundaries. In a memory plugin, this can cause unintended transmission of prior conversation context to a remote MCP endpoint, increasing privacy and data-leak risk if sensitive content is recalled automatically.

Vague Triggers

Severity: Medium (91% confidence)
Finding:
The plugin enables automatic conversation capture by default after each agent session, but the manifest does not indicate consent requirements, content filtering, or safeguards for sensitive data. Because this skill is explicitly a remote memory integration, auto-capturing conversations can persist secrets, personal data, or regulated content to an external service without sufficiently clear boundaries.

VirusTotal

60/60 vendors flagged this plugin as clean.