Openclaw Memory Stack

Security checks across malware telemetry and agentic risk

Overview

This memory skill has a plausible purpose, but it needs Review because its local-only messaging understates cloud paths, installer changes, automatic capture, and local command-execution risk.

Install only after reviewing the installer and configuration changes. Use it on machines where automatic conversation memory, OpenClaw memory-provider takeover, local command execution, and dependency bootstrapping are acceptable. Remove OPENAI_API_KEY/OPENCLAW_LLM_API_KEY or configure a local-only endpoint if sensitive content should not leave the machine, and treat the optional Vertex/GCP backend as cloud-backed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (54)

Tp4

MCP Tool Poisoning

Severity
High
Confidence
84%
Finding
The skill markets itself as local/offline and 'no cloud API,' yet the documented behavior includes remote update checks, optional cloud LLM use, automatic config modification, and installer-driven changes to the host OpenClaw setup. This mismatch is dangerous because users may grant trust and install the skill under a false privacy/safety assumption, increasing the chance of unintended network exposure or broader system modification.

Intent-Code Divergence

Severity
Medium
Confidence
97%
Finding
The README makes materially conflicting licensing claims: it says the project is MIT licensed/free in multiple places, but the License section says it is under a commercial license. This can mislead users into installing or redistributing the skill under false assumptions, creating legal, supply-chain, and trust risks for teams that rely on the documentation for approval and deployment decisions.

Intent-Code Divergence

Severity
Medium
Confidence
94%
Finding
The installer header claims it does not touch any repository or project directory, but the script also modifies shell profiles, installs system packages, writes OpenClaw configuration, creates symlinks, and manages extension/plugin state outside the stated install root. This is dangerous because users may consent based on misleading scope and unintentionally allow broader persistence and configuration changes than advertised.

Context-Inappropriate Capability

Severity
Medium
Confidence
93%
Finding
This installer goes beyond copying a local memory plugin by auto-installing git, uv, bun, python venv support, and invoking package-manager or remote bootstrap scripts. In a security-sensitive agent ecosystem, expanding the installer's authority to install unrelated tooling increases attack surface and can result in unexpected privileged changes.

Description-Behavior Mismatch

Severity
Medium
Confidence
93%
Finding
The plugin advertises itself as local/no-cloud, but the code can perform remote update checks and may send conversation text to a user-configured external LLM for fact extraction. This creates a security and privacy mismatch: users may trust the plugin with sensitive memory data under a false assumption that no network transmission occurs.

Intent-Code Divergence

Severity
Medium
Confidence
90%
Finding
The top-level security comments assert that all network endpoints and permissions are declared, but the code also imports and invokes update-check logic that appears outside those stated endpoints. Misleading security documentation is dangerous because reviewers and users may make trust decisions based on incomplete network disclosure.

Description-Behavior Mismatch

Severity
High
Confidence
98%
Finding
The skill metadata promises 'No cloud API,' but this module defaults to and can automatically use OpenAI's remote API via both configured keys and environment-variable fallback. That means prompts and embedding input may leave the local machine, creating a clear trust and data-handling mismatch for a memory plugin that may process sensitive user content.

Context-Inappropriate Capability

Severity
Medium
Confidence
93%
Finding
Reading OPENAI_API_KEY enables implicit activation of a remote OpenAI provider even when the user did not explicitly configure this plugin for cloud use. In the context of a 'local memory plugin,' silently consuming a broadly scoped environment credential can cause unexpected external transmission of memory content and prompts.

Intent-Code Divergence

Severity
Medium
Confidence
95%
Finding
The comment claims the env-var fallback sends the API key only to a user-configured endpoint, but the implementation hardcodes https://api.openai.com/v1. This mismatch is security-relevant because it can mislead reviewers and users about where sensitive prompts, embeddings, and credentials are sent, reducing informed consent and increasing the chance of unintended data egress.

Description-Behavior Mismatch

Severity
High
Confidence
98%
Finding
The skill metadata promises 'No cloud API', but this module defines a default OpenAI endpoint and can automatically fall back to it when an environment key is present. That creates undisclosed external data transmission risk: prompts and embedded text may be sent off-host, violating user expectations and potentially exposing sensitive memory content.

Intent-Code Divergence

Severity
Medium
Confidence
96%
Finding
The comment claims the environment-key fallback sends data only to a user-configured endpoint, but the code hardcodes OpenAI instead. This mismatch is dangerous because operators may rely on the comment and product description, while the implementation silently routes prompts to a third-party service.

Description-Behavior Mismatch

Severity
High
Confidence
95%
Finding
The skill metadata explicitly advertises 'No cloud API', yet this module performs a network request to a remote service for update checks. Even though the payload appears limited to the current version, this creates undisclosed outbound connectivity, leaks IP/network metadata, and violates the stated trust boundary for a supposedly local-only memory plugin.

Context-Inappropriate Capability

Severity
Medium
Confidence
95%
Finding
The health check reads probe strings from capability.json and executes them with `bash -c`, which creates a command-execution path driven by external file content rather than hardcoded logic. If capability.json is modified by a malicious package, compromised install, or writable local actor, running `health` will execute arbitrary shell commands under the user's privileges, expanding the skill from a memory wrapper into a general command runner.

Description-Behavior Mismatch

Severity
Medium
Confidence
98%
Finding
The health check reads probe strings from capability.json and executes them with `bash -c`, turning configuration data into code. If capability.json is modified by a malicious package, update process, or local attacker, arbitrary shell commands will run during a routine health check, enabling command execution under the user's account.

Context-Inappropriate Capability

Severity
High
Confidence
99%
Finding
Dynamic shell execution from capability.json is unjustified for a memory backend and creates a direct command-injection surface. Because the script trusts file contents as executable shell, any attacker who can alter that file can achieve arbitrary code execution, and even legitimate complexity increases the chance of unsafe probe payloads.

Context-Inappropriate Capability

Severity
Medium
Confidence
96%
Finding
The health check reads probe strings from capability.json and executes them with `bash -c`, which turns a data file into a code execution source. If capability.json is modified by a package update, local attacker, or compromised distribution path, invoking `health` provides arbitrary shell command execution under the current user, exceeding the stated memory-backend function.

Context-Inappropriate Capability

Severity
High
Confidence
97%
Finding
The health-check path reads strings from capability.json and executes them with `bash -c`, which allows arbitrary shell execution if that JSON is modified or supplied by an untrusted package update. In a memory/search wrapper, this is broader than necessary capability and creates a clear code-execution surface during what appears to be a benign diagnostic operation.

Intent-Code Divergence

Severity
Medium
Confidence
88%
Finding
The comment suggests the code merely reads probe metadata from capability.json, but the implementation turns those values into shell commands and runs them. This mismatch increases risk because reviewers and users may underestimate the execution behavior, making unsafe command execution more likely to slip through deployment and trust boundaries.

Context-Inappropriate Capability

Severity
Medium
Confidence
96%
Finding
The health check reads probe strings from capability.json and executes them via `bash -c`, turning a data file into executable code. If capability.json is modified by an attacker or an untrusted package update, invoking `health` results in arbitrary command execution, which is beyond the expected scope of a memory backend and significantly expands the attack surface.

Description-Behavior Mismatch

Severity
High
Confidence
94%
Finding
The capability metadata explicitly requires external Google Cloud services and credentials, which conflicts with the skill's stated description of being a local, no-cloud memory plugin. This mismatch is dangerous because it can mislead operators into granting cloud access and sending potentially sensitive memory data to external infrastructure they did not expect to use.

Context-Inappropriate Capability

Severity
Medium
Confidence
88%
Finding
The capability performs authenticated checks against Google Cloud via application-default credentials and plugin execution, introducing external service interaction for a skill marketed as local memory functionality. This creates risk of unintended credential use, external data exposure, and deployment in environments that prohibit cloud egress or secret consumption.

Description-Behavior Mismatch

Severity
High
Confidence
93%
Finding
The wrapper directly delegates memory operations to a Vertex AI plugin even though the skill metadata markets the memory stack as local and 'no cloud API.' This creates a material trust and data-boundary violation: prompts, memories, and possibly sensitive user context may be transmitted to a remote backend without informed consent.

Description-Behavior Mismatch

Severity
High
Confidence
96%
Finding
The adapter accepts arbitrary queries and routes them to the Vertex backend while presenting itself as part of the local memory stack. In the context of a memory plugin, queries can contain sensitive conversation history, secrets, or personal data, so hidden routing to a cloud service substantially increases privacy and exfiltration risk.

Missing User Warnings

Severity
Medium
Confidence
97%
Finding
The script pipes network-fetched installer content from bun.sh and astral.sh directly into a shell without an explicit user warning or confirmation. Even over HTTPS, this gives remote infrastructure immediate code execution on the host and removes the user's chance to inspect what will run.

Missing User Warnings

Severity
Medium
Confidence
92%
Finding
The installer appends PATH changes to ~/.bashrc or ~/.zshrc automatically, creating persistent shell changes without prior warning. Silent profile modification is risky because it affects future sessions and can alter command resolution in ways the user did not knowingly approve.

VirusTotal

66/66 vendors flagged this skill as clean.