AB-Agents-Memory

Security checks across malware telemetry and agentic risk

Overview

This memory skill appears purpose-aligned, but it installs a persistent agent and cron job by default while handling long-term local memory and session data with weak consent and retention boundaries.

Install only if you want a persistent local memory agent. Review setup.sh first, use VAULT_DEST to choose a safe vault path, consider running ./setup.sh --skip-cron unless you explicitly want scheduled execution, and back up any Obsidian vault or memory files before allowing the agent to write session summaries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill metadata and documentation indicate shell-based installation and setup behavior, but no permissions are declared to communicate that capability. This creates a trust and consent problem: users may invoke or install a skill that executes setup scripts or modifies the environment without clear permission scoping.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The declared purpose presents the skill as a memory/knowledge-management tool, but the described behavior extends into agent registration, cron installation, executable script creation, and user crontab modification. That mismatch is dangerous because users may approve a seemingly benign memory skill without realizing it performs persistent system configuration and scheduled execution.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The setup script installs and registers an additional OpenClaw agent, which expands the skill's capabilities beyond simply provisioning a memory vault. Even if AB-Archivus is related to the memory system, silently adding an executable agent changes the trust boundary and can expose users to unintended agent behavior or prompt-surface expansion.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script creates persistent scheduled execution via cron without that behavior being described in the manifest. Persistence is security-sensitive because it causes code to run repeatedly after installation, increasing the chance of abuse, surprise resource use, and post-install behavioral drift.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to execute `./setup.sh` immediately after cloning, but does not disclose what files it will create, modify, or where it will install components. Running an opaque setup script from a repository can change user files, install agent code into trusted locations, or perform additional actions the user did not meaningfully consent to, especially in an agent/plugin ecosystem.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The quick-install one-liner encourages users to clone and immediately run `./setup.sh` in a single command, further reducing the chance they will inspect the script before execution. In this skill's context, the script appears to install an agent under `~/.openclaw/agents/` and deploy an Obsidian vault under `/data/obsidian/`, so undisclosed automation can affect trusted local agent state and user data directories.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill explicitly states that the included agent reads and writes to an Obsidian vault, but it does not warn users that local notes and knowledge-base files will be modified. This can lead to unintended overwrite, corruption, or exposure of sensitive local data stored in the vault.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Automatic processing of session logs implies collection and transformation of potentially sensitive conversational or operational data, yet no privacy, retention, or data-handling notice is provided. In a memory system, this is especially risky because logs may contain credentials, personal information, or proprietary context that could be stored long-term.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill directs the agent to read from and write to user-local memory files, including writing a post-session summary to the vault, without any explicit requirement for user consent, confirmation, or safe-scoping of file modifications. In an agent setting, implicit file writes can alter user data unexpectedly, create privacy issues, and enable persistence of potentially incorrect or sensitive information across sessions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script modifies the user's crontab to install a persistent job without explicit confirmation. Silent persistence is dangerous because users may not realize recurring code execution has been enabled, and later modifications to the vault script would automatically execute on schedule.

VirusTotal

64/64 vendors flagged this skill as clean.
