Mem0 Tech Tree Memory

Security checks across malware telemetry and agentic risk

Overview

This is a local memory tool, but it ships with preloaded personal and environment-specific memories that are not clearly disclosed as sample data.

Review tree.json before installing. Clear or replace the bundled memories if they do not describe your own environment, avoid storing tokens or private account details, and back up tree.json before using the clear command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 94%
Finding
The clear() method irreversibly resets all stored memory and immediately writes the empty structure to disk, with no confirmation, authorization check, soft-delete, or backup. In an agent skill context, any caller that can invoke this command can cause complete loss of persisted user data, making accidental or malicious data destruction straightforward.

Ssd 3

Medium
Confidence: 92%
Finding
The skill stores arbitrary user-provided content and later returns node content, previews, dependencies, synergies, and catalog matches verbatim across multiple retrieval functions. Without any access control, redaction, tenant isolation, or sensitivity filtering, previously stored personal or confidential data can be disclosed to any caller able to query the memory store.

Unpinned Dependencies

Low
Category: Supply Chain
Content
"author": "OpenClaw User",
  "license": "MIT",
  "dependencies": {
    "mem0ai": "^1.0.8"
  }
}
Confidence: 93%
Finding
"mem0ai": "^1.0.8"

VirusTotal

66/66 vendors flagged this skill as clean.
