Memory Lancedb Dreaming

Security checks across malware telemetry and agentic risk

Overview

The plugin appears to do its advertised memory-dreaming job, but it is enabled on startup by default and, with its default settings, can persist, process, promote, and optionally deliver memory-derived content without a user-initiated action.

Review the configuration before installing. Disable dailyReport, autoManageCron, narrative, or model overrides unless you want scheduled processing of your LanceDB memories. Avoid configuring delivery unless you are comfortable sending memory summaries to that channel, and treat generated DREAMS.md, MEMORY.md, and memory/dreaming files as potentially sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Missing User Warnings

Severity: Medium
Confidence: 93%

The README states that the plugin automatically writes dream snapshots and daily reports to local memory files and can also push those reports to an outbound channel, but it does not prominently warn users that conversation-derived memory content may be persisted and transmitted externally. In a memory plugin handling reflective summaries, this can expose sensitive user data through unexpected retention and delivery, especially because daily reporting is described as enabled by default.

Missing User Warnings

Severity: Medium
Confidence: 84%

The code automatically creates or modifies DREAMS.md in the workspace without any visible in-code disclosure, confirmation, or consent gate. In an agent context, silently persisting LLM-generated narrative derived from memory fragments can surprise users, leak sensitive workspace-derived content into a durable file, and create integrity/privacy issues if the workspace is shared or committed.

Missing User Warnings

Severity: Medium
Confidence: 92%

This code writes raw memory text (`entry.text`) into phase reports and daily memory blocks without any sanitization, redaction, consent check, or visible disclosure mechanism in this file. If memories contain sensitive user data, secrets, or prompt-injected content, they may be persisted to report files and exposed to users, logs, backups, or downstream tooling beyond the original retrieval context.

Missing User Warnings

Severity: Medium
Confidence: 95%

The code builds a prompt from `cluster.memories` and sends memory text snippets to `runDreamingTextPrompt`, which is an external/model-facing call. These snippets may contain sensitive user data, and this file shows no consent gate, redaction, or warning before transmission, creating a real privacy and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 80%

The code derives a stable hash from user queries and stores it on disk, creating a persistent record of query-linked behavior. Even though raw queries are not stored, deterministic hashes can still enable correlation, repeated-query tracking, and possible recovery of low-entropy queries via dictionary attacks, which raises meaningful privacy risk in an agent skill context.

Vague Triggers

Severity: Medium
Confidence: 89%

The manifest enables the plugin on startup by default, causing memory-processing behavior to begin automatically without a user-initiated action or any visible gating conditions in the manifest. In this skill’s context, the plugin reads vector memory, generates dream narratives, and can promote memories, so automatic activation increases the chance of unexpected processing of sensitive data and surprise background behavior.

Missing User Warnings

Severity: Medium
Confidence: 92%

The plugin description and schema indicate automatic cron management plus scheduled report generation/delivery, but the manifest does not present an explicit warning that it may create/manage cron jobs, read memory content, write reports, or publish summaries to external channels. In a memory-oriented plugin, this combination is risky because users may unknowingly permit persistent background execution and disclosure of derived memory content to files or delivery targets.

Vague Triggers

Severity: Low
Confidence: 91%

The lockfile resolves multiple packages over plain HTTP from a third-party mirror (for example, mirrors.tencent.com), which weakens supply-chain integrity despite the presence of integrity hashes. An active network attacker or compromised mirror can disrupt installs, serve substituted metadata, or exploit situations where tooling, fallback behavior, or human workflows bypass integrity verification; the large number of mirrored dependencies increases the attack surface.

VirusTotal

66/66 vendors flagged this plugin as clean.