Triple Layer Memory

Security checks across malware telemetry and agentic risk

Overview

This memory skill is purpose-aligned, but it automatically stores and reuses conversation history and has weak channel-isolation controls, so users should review it carefully before installing.

Install only if you are comfortable with the agent keeping local long-term memory and reusing it automatically. Before enabling it, make memory persistence explicit and opt-in, redact secrets and personal data before writes, limit which files and channels can be loaded, verify or fix Mem0/file-layer channel isolation, and define how users can inspect, disable, expire, and delete stored memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (20)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The documentation describes a namespace scheme where child channels use `userId::channelKey`, while the boss channel uses the base `userId`, yet it also claims the boss can retrieve all channel memories. In most namespace/keyed-memory designs, using different user IDs creates isolated buckets, so the boss channel would not automatically see child-channel data; operators relying on this doc may deploy broken isolation or incorrect access assumptions, leading to privilege boundary failures or unavailable data.

Intent-Code Divergence

High
Confidence: 97%
Finding
The code promises that only the boss channel can read all memories, but `_normalize_channel` silently maps empty or unknown channels to `boss`. That means callers who omit `channel` or supply an unexpected workspace name can be elevated into global read scope, breaking the stated isolation boundary and potentially exposing all channel memory.

Intent-Code Divergence

Medium
Confidence: 86%
Finding
The file claims channel isolation, but `write_meta_to_entry` accepts any caller-supplied channel string and appends metadata without enforcing that the caller is authorized to write only to its own channel. In a multi-tenant memory system, this allows a caller to forge entries under another channel label, undermining integrity of the isolation model and potentially enabling cross-channel data poisoning or impersonation.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly describes automatically summarizing conversations and writing them into persistent memory files, but it does not require clear user notice, consent, or controls over what data is persisted. In an agent environment, this can capture sensitive prompts, secrets, or personal data across sessions and expand the blast radius of any later disclosure.

Missing User Warnings

Medium
Confidence: 97%
Finding
The startup workflow instructs the agent to automatically read SOUL.md, USER.md, recent logs, and core memory without any privacy notice or scoping checks. This creates a real risk of over-collection and unintended reuse of profile or historical conversation data in contexts where the user did not expect persistent cross-session recall.

Missing User Warnings

Medium
Confidence: 92%
Finding
The function writes caller-controlled content such as summary, project, files, lessons, tags, and channel directly to a persistent log file with no consent check, privacy guard, or sanitization. In an agent setting, this can silently persist sensitive user data, secrets, or prompt content to disk, increasing the risk of unintended retention and later disclosure.

Missing User Warnings

Low
Confidence: 88%
Finding
The script reads a configuration file from the user's home directory (`~/.openclaw/openclaw.json`) and extracts Discord channel identifiers without any notice, consent flow, or scoping controls. Even though the data accessed is limited and the apparent purpose is consistency checking, silently accessing user-scoped configuration can expose local environment details and normalize unexpected cross-boundary data access.

Missing User Warnings

Low
Confidence: 84%
Finding
The script writes a persistence artifact (`memory/consistency-report.json`) containing channel ID comparison results without any user-facing disclosure. While the report stays in the workspace, it may retain sensitive identifiers or operational metadata that users did not expect to be stored, creating privacy and auditability concerns.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script persists LLM-generated session summaries to a memory file automatically, with no consent, notice, retention control, or filtering of potentially sensitive content. Because summaries are explicitly instructed to include decisions, configuration changes, paths, unresolved issues, and solutions, this can capture secrets or sensitive operational context and leave it on disk for later unintended access.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs the agent to automatically summarize conversation history and write it to a persistent memory file once token thresholds are reached, but it provides no user notice, consent flow, retention limit, or sensitivity filtering. This creates a privacy and data-governance risk because potentially sensitive user content may be stored unexpectedly and persist beyond the current session.

Missing User Warnings

Medium
Confidence: 97%
Finding
The session handoff logic automatically compresses the current session and saves handoff context when a `[NEW_SESSION]` marker is detected, again without warning the user that prior session content will be retained and reused. Because this is triggered by ordinary workflow text rather than an explicit storage consent step, it increases the chance of silent cross-session persistence of sensitive data.

Missing User Warnings

Medium
Confidence: 95%
Finding
The document explicitly instructs automatic summarization of conversation history and persistence to daily memory logs, but provides no user-facing notice, consent flow, or data-minimization guidance. This creates a real privacy/security risk because sensitive user disclosures may be retained across sessions without the user's awareness, increasing exposure if logs are later searched, reused, or exfiltrated.

Missing User Warnings

Medium
Confidence: 97%
Finding
The immediate-write workflow stores 'important' interactions to both persistent files and Mem0 across sessions, again without warning users that their content may be durably retained and semantically searchable. That combination materially increases privacy risk because information judged important by the system may include secrets, personal data, internal project details, or incident context that persists beyond the current session.

Missing User Warnings

Medium
Confidence: 95%
Finding
The startup flow directs the agent to automatically load recent logs, the core index, and namespace memory in new sessions without telling users that prior session data will be reused. This is dangerous because users may reasonably expect session separation, and automatic recall can surface old sensitive data into new contexts, potentially to the wrong task scope or audience if channel separation is imperfect.

Ssd 3

Medium
Confidence: 96%
Finding
Automatically loading user profile files and prior logs across sessions creates a natural-language data leakage path: sensitive information from one task, channel, or session can influence later responses or be surfaced to the wrong context. The skill increases this risk by encouraging broad startup reads and task-based memory retrieval without explicit confidentiality boundaries beyond a partial channel model.

Ssd 3

Medium
Confidence: 97%
Finding
The heartbeat flow directs the model to summarize dialogue history and persist it automatically into memory files whenever token thresholds are hit. This is dangerous because it can silently store sensitive discussion content precisely when context is large and likely to contain more private or security-relevant material.

Ssd 3

Medium
Confidence: 96%
Finding
The architecture directs persistent storage of detailed interaction logs at high frequency, which creates a direct risk of retaining sensitive user-provided data beyond the original conversation. In a memory system skill, this context makes the issue more dangerous because the whole feature set is designed for long-lived retrieval and reuse, increasing the blast radius of any captured secrets or personal information.

Ssd 3

Medium
Confidence: 97%
Finding
Session compression requires summarizing conversation history and writing it to persistent memory, which can preserve sensitive disclosures even after the original context is compressed away. This is risky because summaries often remove nuance while retaining the sensitive substance, making private information easier to persist, search, and repurpose across sessions.

Ssd 3

Medium
Confidence: 98%
Finding
The immediate memory-write workflow persists important information along with metadata to both logs and vector memory, increasing the likelihood that sensitive content becomes durable, searchable, and reusable. The skill context amplifies the risk because metadata such as tags, channel, and importance can make sensitive records easier to locate and correlate later.

Ssd 3

Medium
Confidence: 96%
Finding
The cross-session continuity design tells the agent to read recent logs and load prior memory automatically, enabling reuse of previously captured user data in later sessions. This is a real vulnerability because it can unintentionally reveal or act on stale, sensitive, or context-inappropriate information, especially if namespace isolation, channel routing, or project scoping is ever misconfigured.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal