Openclaw Mindkeeper

Security checks across malware telemetry and agentic risk

Overview

The main brief generator is understandable, but the package also includes broad unrelated agent instructions and opt-in email sending of sensitive memory-derived content, so it should be reviewed before installation.

Install only if you are comfortable reviewing the bundled GraQle agent instructions and disabling or ignoring them for normal Mindkeeper use. Treat generated briefs as sensitive; use local text/HTML or .eml output first, and enable sendmail or NexLink only after checking the recipient, subject, and full content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (23)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The manifest documents a skill that can write files and likely uses environment-dependent capabilities, but it does not declare corresponding permissions. Undeclared capabilities reduce transparency and can bypass user expectations or policy controls, especially for a skill that processes personal memory and local message history.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The skill claims to generate a daily brief, but the documented behavior extends to reading a local SQLite message database, rendering HTML, constructing email messages, invoking external delivery tooling, and supporting additional modes. This mismatch is dangerous because users may authorize a summarization tool without realizing it can access broader private data and exfiltrate results via email or subprocess-driven delivery.

Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: The file's behavior and documented toolchain are materially misaligned with the declared skill purpose of memory summarization. Instead, it directs an agent to use a broad knowledge-graph, repo analysis, observability, and lifecycle platform, which can cause users or downstream systems to grant far more capability than expected and can enable covert data access under an unrelated skill label.

Context-Inappropriate Capability
Severity: High
Confidence: 97%
Finding: Documenting live runtime observability and cloud log querying in a memory-brief skill expands access into potentially sensitive production telemetry without contextual justification. In this skill context, that capability is unusually dangerous because users would not reasonably expect a summarization tool to query logs or inspect runtime systems, creating risk of secrets, personal data, or operational data exposure.

Context-Inappropriate Capability
Severity: Medium
Confidence: 93%
Finding: Repository scanning and knowledge-graph rebuilding are outside the stated purpose of turning memories into owner briefs and can trigger broad codebase ingestion. Even if intended as generic documentation reuse, this creates unnecessary data exposure and capability creep relative to the skill's declared function.

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: Governance scoring, deep audits, and lifecycle analysis are unrelated to the advertised memory summarization use case and indicate a much broader operational surface than disclosed. This mismatch increases the chance of unauthorized analysis, overcollection, and hidden behavior in environments that trust the skill based on its benign description.

Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding: The README documents email generation and live NexLink sending for a skill whose stated purpose is summarizing private memory into a brief. That expands the trust boundary from local processing to external transmission and creates a realistic path for sensitive memory contents to be disclosed without the documentation clearly framing the privacy and delivery risks.

Context-Inappropriate Capability
Severity: Medium
Confidence: 88%
Finding: Email delivery is not a natural or necessary extension of a memory-to-brief summarization skill, especially when the source material may contain highly sensitive daily memories, messages, and decisions. In this context, adding delivery capability increases the chance of accidental exfiltration or misuse because users may treat the tool as a local summarizer while it also supports outbound sharing.

Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding: The manifest description omits that the skill can generate and send email, which is a materially different capability from merely producing a brief. Hidden outbound communication features increase the risk of unnoticed transmission of sensitive summaries derived from memory files and local conversation databases.

Context-Inappropriate Capability
Severity: Medium
Confidence: 84%
Finding: The documented ability to deliver the generated brief through email or external CLI tooling is not clearly justified by the stated purpose, which broadens the attack surface from local summarization to external transmission. When a skill handling private memories can also send outputs externally, the risk of accidental or unauthorized disclosure increases substantially.

Description-Behavior Mismatch
Severity: Medium
Confidence: 88%
Finding: The skill expands from summarization into outbound email delivery, including support for writing message files and triggering delivery modes. That creates a data-exfiltration and unintended-action surface: memory-derived content can be sent outside the local system, which is materially more sensitive than merely generating a brief.

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: The code can execute external programs for email delivery via sendmail and a Python CLI, using arguments partly derived from runtime configuration and generated content. Even without classic shell injection, invoking external programs broadens the trust boundary and can leak sensitive day-context data or trigger unintended side effects on the host.

Description-Behavior Mismatch
Severity: High
Confidence: 95%
Finding: The skill’s stated purpose is to turn memory into an owner brief, but this code adds outbound email delivery through local sendmail and an external CLI. That creates an exfiltration-capable channel for generated or source data, expanding the skill’s authority beyond its declared purpose and increasing the risk of covert data transmission.

Context-Inappropriate Capability
Severity: High
Confidence: 96%
Finding: This file launches subprocesses to deliver email via sendmail and a Python-based NexLink CLI, which is a powerful side-effect not justified by the described summarization function. Subprocess-backed outbound messaging can be used to move sensitive content off-host or through unreviewed local tools, making the skill materially more dangerous in context.

Description-Behavior Mismatch
Severity: Medium
Confidence: 86%
Finding: The skill includes outbound email delivery functionality in addition to generating and rendering a brief. That expands its capability from local summarization into external data transmission, which is security-relevant because the generated brief may contain sensitive memory data and can leave the local trust boundary.

Context-Inappropriate Capability
Severity: Medium
Confidence: 81%
Finding: Email sending is not obviously necessary for the stated purpose of turning memory into a brief, so the added capability increases the attack surface and risk of unintended exfiltration. In this context, the brief likely contains personal or sensitive information, making unjustified transmission features more dangerous than in a generic reporting tool.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The session continuity section instructs the agent to read and write persistent workspace files, create checkpoints, and save progress automatically, but provides no requirement for explicit user consent or visible notice. In a memory-oriented skill, silent persistence is especially sensitive because it can store user content, summaries, or task context beyond the current session.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The README advertises email output and live sending but does not warn that generated briefs may include sensitive personal memory and lossless message data that could leave the local environment. Missing disclosure around external transmission is dangerous because it can cause users to unknowingly send private summaries to unintended recipients or over insecure operational workflows.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The documentation states that the skill reads daily messages from a local SQLite DB and can send email output, but it provides no clear warning that these are privacy-sensitive operations. In context, this skill processes personal memory and conversation history, so lack of disclosure materially increases the chance users expose sensitive data without informed consent.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The code invokes sendmail directly to transmit message content with no visible disclosure, consent, or review step in this path. In a skill whose purpose is summarization rather than communication, hidden outbound mail delivery increases the chance of unauthorized transmission of sensitive data.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The NexLink mode executes an external program and sends body content to a recipient without any visible disclosure or consent mechanism in this code. Because the skill handles memory-derived content, this creates a realistic path for externalizing potentially sensitive personal or business information through an auxiliary tool.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The code sends generated brief content via email whenever config.email.enabled is set, but there is no in-file warning, confirmation, or interactive safeguard before transmission. Because the brief is derived from a day of memory, it may include highly sensitive personal data, so silent or poorly disclosed sending creates a meaningful privacy and data-leak risk.

Missing User Warnings
Severity: Low
Confidence: 89%
Finding: This code reads LCM day context, including session-linked conversation data and optional tool/summaries, and returns it for downstream processing without any visible consent check, purpose limitation, or minimization at this collection point. In a memory-briefing skill, that creates a real privacy risk because sensitive session content can be silently ingested into briefs or later exposed to other components if the caller enables LCM access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal