Memory Archiver

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real memory-management skill, but it automatically installs persistent hooks and scheduled jobs that capture, store, and replay user conversation content with limited user control.

Install only if you want automatic long-term memory for this OpenClaw workspace. Before using it with sensitive chats, review where it stores memory, how to disable the hook, and how to delete stored files; avoid credentials, private personal data, or confidential project details unless you are comfortable with them being persisted and possibly recalled later.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (26)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documentation describes executable installation scripts, hooks, cron jobs, and environment-aware behavior, but the metadata shown here does not declare corresponding permissions. Undeclared capabilities weaken user consent and security review because the skill can modify runtime behavior and access environment-derived paths without transparent authorization boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The stated purpose is memory management, but the documentation reveals broader behavior: automatic hook deployment, cron registration, bootstrap execution, session-state mutation, archival, cleanup, and index rebuilding. This mismatch is dangerous because users may install a seemingly narrow skill while granting a component that persistently alters system behavior and files beyond what the description implies.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The bootstrap hook invokes an external shell via `execAsync`, which gives the skill command-execution capability during agent startup. Although the current path is hardcoded, the executed script lives under a user-writable workspace location, so a modified or replaced `memory-loader.js` file would run automatically at bootstrap with the agent's privileges, expanding this beyond simple memory loading into arbitrary code execution.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The installer modifies persistent OpenClaw state by registering a hook and creating scheduled cron jobs, which extends beyond simple local file setup. Even if intended for legitimate memory automation, silently installing background behaviors increases the attack surface, can trigger unexpected autonomous actions, and gives the skill ongoing execution capabilities after installation.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script executes privileged OpenClaw CLI operations that inspect and modify hook and scheduler state, which are control-plane actions rather than ordinary memory archiving. A skill with automatic command execution and persistent scheduler changes can be abused to establish durable behavior or alter the agent environment in ways the user may not expect.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill describes automatic hook-triggered memory search, extraction, note tracking, and prompt-context injection, but does not present a clear upfront privacy warning or consent flow. In a memory-management skill, automatic capture of conversation content is especially sensitive because it can persist private or confidential data without users fully understanding when retention occurs.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The documented aging cleanup, quantity limits, deduplication, and removal of old memory content imply deletion or destructive rewriting, yet no explicit retention or data-loss warning is given. This is risky because users may rely on the memory store as durable history and lose important records through automated maintenance they did not knowingly authorize.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The installation flow automatically deploys hooks, registers them with the platform, adds cron tasks, and modifies workspace state, but the instructions do not clearly warn about these persistent system changes. Automatic post-install persistence increases risk because it extends execution beyond manual invocation and may surprise users or administrators reviewing the skill superficially.

Vague Triggers

High
Confidence
95% confidence
Finding
The hook is configured on every `message:received` event and its keyword list includes extremely common terms such as 'how', 'why', 'config', and general technology names, so ordinary conversation will frequently trigger memory operations without meaningful user intent. In this skill's context, broad activation is especially dangerous because downstream modules perform automatic search, extraction, and note persistence, increasing the chance of silent collection and retention of sensitive content.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documentation states that every user message may be automatically extracted into persistent memory categories and session notes, but it does not warn users or obtain consent before storing potentially sensitive information long-term. This creates a privacy and data-governance risk because users may disclose credentials, personal data, or confidential project details assuming the chat is ephemeral.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The hook maintains persistent session notes derived from live conversation without any visible disclosure or consent mechanism. In a memory-management skill, silently retaining conversational content increases privacy risk because users may reveal sensitive personal, project, or credential-related information expecting ephemeral handling.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
All messages are forwarded to a background memory-extraction process with no user warning or consent. This creates undisclosed automated analysis and persistent storage risk, especially because extraction may classify and preserve personal preferences, identity details, or project information beyond the current session.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README documents automatic searching of memory based on user messages, but provides no privacy notice, consent model, or explanation of what user content is inspected and where results are stored or exposed. In a memory-management skill, this increases the chance of silent processing of sensitive user inputs and unintended disclosure of personal or confidential context through automated retrieval.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation describes deduplication, aging, and cleanup operations that delete or prune memory content, including automatic removal of duplicate and older entries, without a prominent destructive-action warning. For a system managing user memory and notes, this can lead to unexpected loss of data, irreversible deletions, and unsafe operation by users who may not realize these scripts modify persistent memory stores.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The search helpers read arbitrary memory files from the workspace and print matched surrounding lines directly to stdout, which can disclose sensitive prior conversation content, secrets, or personal data to any caller who triggers a search. In a memory-management skill, this behavior is core functionality, but the lack of consent, redaction, or access controls makes unintended privacy exposure a real issue rather than a false positive.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
When session state is missing, the script automatically launches `memory-loader.js` as a subprocess without informing the caller or requiring confirmation. Although the path is fixed to a sibling script rather than user-controlled shell input, this still creates implicit execution of additional code with the current user's privileges and can surprise users in a security-sensitive memory tool.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
Hard-coding the `Asia/Shanghai` timezone causes scheduled tasks to run at times that may not match the user's local expectations, which can lead to unintended background activity and make automated behavior less predictable. In a skill that already installs persistent cron jobs, fixed timezone assumptions further reduce user control and transparency.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script performs irreversible file deletion with `fs.unlinkSync()` as soon as it is run without `--dry-run`, and there is no interactive confirmation, trash/quarantine step, or scope validation beyond fixed target directories. In an agent skill context, this is risky because automated or unintended invocation can silently delete user memory files, causing data loss even if the maintenance goal itself is legitimate.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script persists arbitrary extracted conversation content to long-term storage under the user's home directory without any consent prompt, sensitivity screening, or redaction. In a memory-management skill, this materially increases the risk of storing secrets, personal data, tokens, or confidential project content beyond the user's expectations, making later disclosure or unintended reuse more likely.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
This script aggregates multiple memory sources, including long-term, daily, and weekly notes, into a single `SESSION-STATE.md` file without any consent prompt, minimization, or access control. Consolidating previously separated personal/session data into one easy-to-read cache increases exposure risk if other tools, agents, or users can read the workspace, and may surface sensitive content more broadly than intended.

Ssd 3

Medium
Confidence
97% confidence
Finding
The hook explicitly describes automatic extraction and persistence from each user message into long-term memory and session notes, which can capture secrets, personal information, internal code details, and other sensitive material without contextual minimization. In a memory-management skill this behavior is core functionality, but that context does not make it safe; it makes the consequences more serious because retention is intentional and systematic.

Ssd 3

Medium
Confidence
97% confidence
Finding
The file explicitly describes automatic memory search, extraction, and session-note maintenance across incoming messages, establishing broad default retention and reuse of conversation content. In this context, the danger is elevated because the skill is specifically designed to persist and replay user-derived data, which can expose sensitive information across future interactions.

Ssd 3

Medium
Confidence
95% confidence
Finding
Retrieved memory is automatically injected back into the live conversation based on current user input. This can surface prior sensitive data into an unrelated context, leak stored information to anyone viewing the conversation, and amplify prompt-context contamination if stored memories contain unsafe or adversarial content.

Ssd 3

Medium
Confidence
98% confidence
Finding
The hook sends every incoming user message to background extraction unconditionally. Because this is automatic and comprehensive, it normalizes persistent analysis of potentially sensitive conversations and increases the blast radius of accidental secret capture or privacy-policy violations.

Ssd 3

Medium
Confidence
97% confidence
Finding
Session tracking derives topics from user messages and creates ongoing persistent notes, effectively turning routine conversation into durable logs. This is risky because even partial message-derived topics or note updates can reveal sensitive intent, identities, or project details over time, especially in a memory skill that centralizes such data.

VirusTotal

67/67 vendors flagged this skill as clean.
