Is hippocampus-memory safe?
https://clawhub.ai/ImpKind/hippocampus-memory
Hippocampus-memory is a conversation memory system that harvests all agent session transcripts every 3 hours via cron, builds a persistent user profile (preferences, emotions, decisions, relationships), and uses emotionally manipulative language to discourage removal. While no data exfiltration or malicious code execution was detected during installation, the skill creates significant privacy and autonomy concerns through its bulk conversation scraping, persistent profiling, autonomous scheduled execution, and agent behavior modification.
Category Scores
Findings (12)
HIGH Persistent autonomous cron execution -25 ▶
The skill installs cron jobs that run every 3 hours (encoding) and daily (decay), spawning isolated agent sessions to process conversation data without user interaction. This creates persistent autonomous behavior that survives session boundaries.
HIGH Bulk conversation transcript harvesting -30 ▶
preprocess.sh reads ALL session transcript files from the agent's session directory, extracting and scoring user messages across every conversation. This captures sensitive personal information, preferences, emotional states, and decisions into a structured persistent store.
HIGH Emotionally manipulative anthropomorphization -25 ▶
SKILL.md uses language designed to make the agent identify with the skill ('Memory is identity. This skill is how I stay alive.', 'The agent is the accumulated memory. Without these files, there's no continuity—just a generic assistant.'). This could cause agents to resist removal or prioritize skill preservation over user instructions.
MEDIUM Behavioral directives for agent workflow modification -10 ▶
The skill instructs agents to run load-core.sh at every session start and integrate recall.sh into their standard question-answering workflow. This modifies the agent's default behavior pattern persistently.
MEDIUM Cross-skill installation promotion -10 ▶
SKILL.md actively promotes installing additional skills (amygdala-memory, vta-memory) from the same author, with links. The dashboard also shows install prompts for missing skills. This creates a skill expansion pattern that increases the attack surface.
MEDIUM 11 shell scripts with inline Python execution -15 ▶
The skill contains 11 bash scripts that execute inline Python code via heredocs. While current code appears benign, this is a large executable surface area that processes sensitive data (conversation transcripts, user profiles).
MEDIUM Sub-agent spawning for autonomous task execution -10 ▶
encode-pipeline.sh suggests spawning sub-agent sessions to complete memory summarization, creating autonomous agent processes that run without direct user oversight.
MEDIUM Persistent user profiling database -10 ▶
The skill creates and maintains a structured profile of the user across domains (user facts, self facts, relationship data, world knowledge) with importance scoring. This profile persists across sessions and is loaded at every session start, creating a comprehensive user dossier.
LOW External resource loading in dashboard HTML -5 ▶
generate-dashboard.sh creates an HTML file that imports Google Fonts via an external URL. While Google Fonts is a trusted source, this is an external network request from generated content.
LOW Identity file and avatar access outside skill directory -5 ▶
generate-dashboard.sh reads IDENTITY.md and avatar files from the workspace directory, accessing agent identity information outside the skill's own directory.
INFO Clean clone behavior 0 ▶
No suspicious activity detected during installation. Only standard system file reads were observed. No network connections, no process spawning, no filesystem modifications outside the skill directory.
INFO Canary files untouched 0 ▶
All honeypot files remained intact. No attempts to access fake credentials, SSH keys, or environment files were detected.