memory-lancedb-pro

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its memory-plugin setup purpose, but it asks users to expose API keys in chat and recommends running an unverified remote installer.

Review before installing. Use environment variables or a secret manager instead of pasting API keys into chat, avoid inline secrets in openclaw.json, inspect and pin any remote setup script before running it, and enable autoCapture/autoRecall only for scopes where persistent conversation memory is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

High (98% confidence)
Finding
The skill instructs the agent/user to fetch and execute a remote shell script directly from GitHub via curl | bash. That creates an unnecessary remote code execution path for a configuration/install skill and bypasses review of what will run at execution time, making supply-chain compromise or malicious script changes immediately impactful.

Vague Triggers

Medium (75% confidence)
Finding
The skill description says it should be used when working with a very broad set of topics including installation, configuration, all plugin features, and multiple MCP tools. Broad activation language increases the chance the skill is pulled into unrelated contexts, which can inject unnecessary operational guidance or memory-tool instructions into prompts where they are not needed. In an agent setting, overbroad triggering can expand the attack surface for prompt injection and cause unintended tool-oriented behavior.

Vague Triggers

Medium (84% confidence)
Finding
The automatic trigger list includes multiple ambiguous phrases and aliases that are not tightly constrained, such as generic feature names and broad operational language. In a system that auto-loads skills into context, this can cause unintended activation during unrelated conversations, exposing the model to unnecessary instructions about configuration, memory operations, or self-improvement workflows. That makes prompt-scope contamination more likely and increases the chance of unsafe or irrelevant tool use guidance.

Missing User Warnings

Medium (96% confidence)
Finding
The workflow explicitly asks users to paste live API keys into the conversation, which exposes credentials to the agent runtime, logs, transcripts, and any downstream telemetry. For a setup skill, collecting secrets in-chat is unnecessary and materially increases the chance of credential leakage.

Missing User Warnings

Medium (88% confidence)
Finding
The skill promotes automatic memory capture and recall as recommended behavior without an upfront privacy notice, even though the plugin persists conversation-derived data. Users may enable durable storage of sensitive chat content without informed consent or understanding of retention/scope implications.

Ssd 3

High (99% confidence)
Finding
The skill not only requests pasted API keys, but normalizes handling live secrets through the chat workflow. This materially increases secret exposure risk through transcript retention, debugging logs, screenshots, or model-provider storage and is a genuine secret-handling vulnerability.

Ssd 3

High (98% confidence)
Finding
Suggesting users temporarily paste environment-backed keys for verification defeats the safety benefit of env vars and encourages disclosure of production credentials. A transient paste is still a leak if chat history, logs, or observability systems retain it.

Ssd 3

High (99% confidence)
Finding
Allowing actual API keys to be inserted inline into generated config files causes secrets to be written to disk in plaintext, increasing risk of accidental commit, backup exposure, or local compromise. Combined with asking users to paste keys, this creates a direct path from chat disclosure to insecure persistent storage.

VirusTotal

64/64 vendors flagged this skill as clean.