Openclaw Memory

Security checks across malware telemetry and agentic risk

Overview

This skill is, on the whole, a genuine memory tool, but it is rated Review because it stores sensitive conversation data, exposes unauthenticated memory and payment APIs, contradicts its own privacy claims, and encourages agent-initiated spending.

Install it only if you are comfortable with persistent capture and reuse of prompts and responses. If you do:
  • Use local embeddings unless you explicitly want conversation-derived text sent to OpenAI.
  • Bind the dashboard to a trusted local-only interface, or put authentication in front of it.
  • Do not give agents funded wallets or autonomous spending authority without explicit limits.
  • Treat Pro activation as unverified until real on-chain payment verification is implemented; today the check accepts any sufficiently long string as a transaction hash.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (31)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill advertises capabilities that imply shell, environment, and network access, but the manifest declares no permissions. This creates a transparency and consent gap: users may invoke a skill that can access sensitive local data or make outbound/payment-related requests without an explicit permission declaration, which is especially concerning given the described dashboard and x402 subscription flow.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The document presents a payment flow as 'verification' while explicitly admitting the MVP only trusts a user-supplied transaction hash instead of validating settlement on-chain. This enables trivial license fraud: an attacker can submit arbitrary or unrelated tx hashes and potentially obtain paid features without paying, undermining access control and any downstream business logic tied to subscription status.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The README makes a broad privacy claim that 'nothing [is] sent to external servers' while elsewhere documenting OpenAI embeddings and x402 subscription/verification flows that necessarily require outbound network requests. This mismatch can mislead users into enabling the tool under false assumptions and may cause unintended disclosure of conversation-derived memory content or payment metadata.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The payment subscription, payment verification, and license-checking endpoints are exposed without any authentication or authorization checks. An attacker can potentially create payment requests, probe license status for arbitrary wallets, and attempt unauthorized activation or abuse of billing flows, which is especially dangerous because this is a memory service with unrelated financial functionality exposed over HTTP.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
`getBySession(sessionId)` retrieves memories using only a session identifier and does not scope the query to an `agent_wallet` or perform any ownership/authorization check. If session IDs are guessable, leaked, or reused across tenants, a caller could read another agent's conversation history, making this a cross-tenant data exposure issue in a memory system that otherwise appears agent-scoped.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The payment flow claims to verify blockchain payments, but the implementation ultimately accepts any transaction hash longer than 32 characters and then marks the request completed and grants a paid Pro license. This allows an attacker to obtain unlimited-memory paid access without actually making any payment, making the payment gate effectively bypassable.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documentation says on-chain verification would occur, but the current stub returns true for any long-looking hash. Because this function is used as the trust decision for payment completion, arbitrary input can be treated as a successful payment and unlock paid features.
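
The three findings above describe one defect: the trust decision for Pro activation is a length check on a caller-supplied string. The following is an added example, not the skill's code, placing that weak check beside a verifier that inspects a transaction receipt. The request shape, field names, chain id and the `rpc` client interface are assumptions; the client is injected and synchronous with constructed receipts so the example runs offline, where a real one would make async JSON-RPC calls (for example `eth_getTransactionReceipt`) against a node you trust.

```javascript
'use strict';

// The behaviour the findings describe: any string longer than 32 characters
// "verifies", so a fabricated or unrelated hash unlocks Pro.
function weakVerify(txHash) {
  return typeof txHash === 'string' && txHash.length > 32;
}

// A 32-byte transaction hash as hex; anything else is rejected up front.
const TX_HASH_RE = /^0x[0-9a-fA-F]{64}$/;

// Payment request the service created before asking the agent to pay.
// Amounts are in the token's smallest units (for a 6-decimal token, 5000000 is 5.0).
function makePaymentRequest({ id, payTo, amountUnits, chainId }) {
  return {
    id,
    payTo: payTo.toLowerCase(),
    amountUnits: BigInt(amountUnits),
    chainId,
    status: 'pending',
    txHash: null,
  };
}

// Hardened check. `usedHashes` is persistent state so one real payment cannot
// be replayed against many requests.
function verifyPayment(request, txHash, rpc, usedHashes, minConfirmations = 1) {
  if (request.status !== 'pending') return { ok: false, reason: 'request_not_pending' };
  if (typeof txHash !== 'string' || !TX_HASH_RE.test(txHash)) {
    return { ok: false, reason: 'malformed_tx_hash' };
  }
  const hash = txHash.toLowerCase();
  if (usedHashes.has(hash)) return { ok: false, reason: 'tx_hash_already_used' };

  const receipt = rpc.getTransactionReceipt(hash);
  if (!receipt) return { ok: false, reason: 'tx_not_found' };
  if (receipt.chainId !== request.chainId) return { ok: false, reason: 'wrong_chain' };
  if (receipt.status !== 1) return { ok: false, reason: 'tx_reverted' };
  if (rpc.blockNumber() - receipt.blockNumber + 1 < minConfirmations) {
    return { ok: false, reason: 'insufficient_confirmations' };
  }
  // The receipt must carry a transfer to our address for at least the amount.
  const paid = receipt.transfers
    .filter((t) => t.to.toLowerCase() === request.payTo)
    .reduce((sum, t) => sum + BigInt(t.value), 0n);
  if (paid === 0n) return { ok: false, reason: 'no_transfer_to_merchant' };
  if (paid < request.amountUnits) return { ok: false, reason: 'underpaid' };

  // Only now is the hash consumed and the request marked completed.
  usedHashes.add(hash);
  request.status = 'completed';
  request.txHash = hash;
  return { ok: true, reason: 'verified' };
}

// Constructed stand-in for a JSON-RPC client with a fixed set of receipts.
function makeMockRpc(receipts, headBlock) {
  return {
    getTransactionReceipt: (hash) => receipts[hash] || null,
    blockNumber: () => headBlock,
  };
}

// Walks through the attack and a legitimate payment with constructed data.
function demo() {
  const MERCHANT = '0x' + '11'.repeat(20);
  const GOOD = '0x' + 'ab'.repeat(32);
  const REVERTED = '0x' + 'cd'.repeat(32);
  const rpc = makeMockRpc({
    [GOOD]: { chainId: 8453, status: 1, blockNumber: 100, transfers: [{ to: MERCHANT, value: '5000000' }] },
    [REVERTED]: { chainId: 8453, status: 0, blockNumber: 101, transfers: [] },
  }, 105);
  const used = new Set();
  const req = () => makePaymentRequest({ id: 'r1', payTo: MERCHANT, amountUnits: 5000000, chainId: 8453 });
  const junk = 'x'.repeat(40); // what the stub accepts today

  return {
    stubAcceptsJunk: weakVerify(junk),                                 // true
    junk: verifyPayment(req(), junk, rpc, used).reason,                // malformed_tx_hash
    reverted: verifyPayment(req(), REVERTED, rpc, used).reason,        // tx_reverted
    unknown: verifyPayment(req(), '0x' + 'ef'.repeat(32), rpc, used).reason, // tx_not_found
    good: verifyPayment(req(), GOOD, rpc, used).reason,                // verified
    replay: verifyPayment(req(), GOOD, rpc, used).reason,              // tx_hash_already_used
  };
}
```

The order of checks matters: syntactic validation and the replay set cost nothing and run first, the RPC lookup runs once, and the request changes state only after every check has passed. Decoding the token transfer out of a real receipt (ERC-20 `Transfer` logs) is left to the chain library in use.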

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The documentation directly encourages autonomous agents to upgrade and pay without requiring explicit human/operator approval or preconfigured spending authorization. In agentic environments, this can normalize unsafe self-directed spending behavior and lead to unauthorized or unintended financial transactions if an agent follows the guidance literally.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The primary payment instructions invite agents to make blockchain payments before prominently warning that transactions are irreversible and non-refundable. This increases the chance of unsafe payment decisions by agents or operators who may act on the early call to action without seeing the risks until much later in the document.
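
The two findings above concern what stands between "the docs say upgrade" and an irreversible transaction. As an added example (not the skill's code), the following spend guard implements the explicit limits the overview calls for: a recipient allowlist, per-transaction and rolling daily caps, and a per-request operator approval above a threshold, so an agent following the upgrade prompt literally cannot sign anything the operator did not bound in advance. The policy values, class and field names are constructed for the example; amounts are in the token's smallest units.

```javascript
'use strict';

// Operator-set policy (constructed values; for a 6-decimal stablecoin,
// 1000000 is 1.0).
const DEMO_POLICY = {
  allowedRecipients: new Set(['0x' + '11'.repeat(20)]),
  maxPerTxUnits: 5000000n,
  maxPerDayUnits: 10000000n,
  approvalRequiredAboveUnits: 1000000n,
};

function deny(reason) {
  return { allow: false, reason };
}

// Evaluated immediately before the wallet's sign call. `now` is injectable
// so the rolling window is testable.
class SpendGuard {
  constructor(policy, now = () => Date.now()) {
    this.policy = policy;
    this.now = now;
    this.ledger = [];
    this.approvals = new Set();
  }

  // Operator (human) side: an out-of-band approval for one specific request id.
  approve(requestId) {
    this.approvals.add(requestId);
  }

  spentLast24h() {
    const cutoff = this.now() - 24 * 60 * 60 * 1000;
    return this.ledger.filter((e) => e.at >= cutoff).reduce((sum, e) => sum + e.amount, 0n);
  }

  // Agent side: every spend passes through here; deny reasons are explicit so
  // the agent can report why it stopped instead of retrying blindly.
  evaluate({ requestId, to, amountUnits }) {
    const amount = BigInt(amountUnits);
    const p = this.policy;
    if (amount <= 0n) return deny('non_positive_amount');
    if (!p.allowedRecipients.has(to.toLowerCase())) return deny('recipient_not_allowlisted');
    if (amount > p.maxPerTxUnits) return deny('exceeds_per_tx_cap');
    if (this.spentLast24h() + amount > p.maxPerDayUnits) return deny('exceeds_daily_cap');
    if (amount > p.approvalRequiredAboveUnits && !this.approvals.has(requestId)) {
      return deny('operator_approval_required');
    }
    return { allow: true, reason: 'ok' };
  }

  // Called only after the transaction was actually submitted; approvals are single-use.
  record({ requestId, amountUnits }) {
    this.ledger.push({ requestId, amount: BigInt(amountUnits), at: this.now() });
    this.approvals.delete(requestId);
  }
}

// Constructed sequence of spend attempts; returns the decision for each.
function demo() {
  const guard = new SpendGuard(DEMO_POLICY, () => 1700000000000); // fixed clock
  const to = '0x' + '11'.repeat(20);
  const out = [];
  const attempt = (spend) => {
    const v = guard.evaluate(spend);
    if (v.allow) guard.record(spend);
    out.push(v.reason);
  };
  attempt({ requestId: 'a', to, amountUnits: 500000 });                        // ok
  attempt({ requestId: 'b', to: '0x' + '22'.repeat(20), amountUnits: 500000 }); // recipient_not_allowlisted
  attempt({ requestId: 'c', to, amountUnits: 3000000 });                       // operator_approval_required
  guard.approve('c');
  attempt({ requestId: 'c', to, amountUnits: 3000000 });                       // ok
  attempt({ requestId: 'd', to, amountUnits: 6000000 });                       // exceeds_per_tx_cap
  guard.approve('e');
  attempt({ requestId: 'e', to, amountUnits: 5000000 });                       // ok (8500000 spent today)
  guard.approve('f');
  attempt({ requestId: 'f', to, amountUnits: 5000000 });                       // exceeds_daily_cap
  return out;
}
```

Approvals are bound to a request id and consumed on use, so an operator's "yes" to one upgrade cannot be stretched to cover a second transaction the agent decides on later.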

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explicitly states that completed interactions are analyzed and memories are automatically extracted and stored, but it provides no indication of user consent, notice, opt-out controls, or data minimization. In a memory system that persists conversational facts and preferences, this creates a real privacy risk because sensitive user data may be retained without the user understanding that storage is occurring.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill says memories are injected into every request transparently, which means prior conversation data is silently reused in future prompts. Without prominent disclosure and controls, users and operators may unknowingly expose historical sensitive data to downstream model calls or plugins, increasing privacy and contextual data leakage risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The summary explicitly describes `beforeRequest` injecting memories and `afterRequest` extracting and storing memories from request/response data, but it provides no mention of user notice, consent, retention disclosure, or controls for sensitive content. In a memory system that persists conversational data, this creates a real privacy and compliance risk because operators may deploy automatic collection of potentially sensitive user data without transparency or minimization safeguards.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README promotes automatic extraction of facts, preferences, patterns, and conversation history without an upfront warning that sensitive user content may be persistently captured. In a memory tool, this creates real privacy and data-minimization risk because users may unknowingly store secrets, personal data, or regulated information across sessions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Documenting automatic hooks into every request and response without a clear warning understates that the tool performs system-wide monitoring of agent interactions. That behavior materially increases exposure because all prompts and responses may be observed, processed, and stored, including credentials and private business context.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Presenting OpenAI embeddings as a default option without a clear warning means users may not realize conversation content or extracted memories could be transmitted to a third-party provider. Because embeddings are generated from user text, this can expose sensitive or proprietary data outside the local environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill describes automatic extraction of facts, preferences, patterns, and conversation history with persistent retention, but does not clearly warn users about sensitive-data capture, retention periods, or the risk of storing secrets and personal information. Because this is a memory skill whose core function is long-term collection, the context makes the omission more dangerous rather than less dangerous.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Automatically injecting stored memories into future requests can expose prior sensitive content to later prompts, tools, or models and can also create prompt-contamination risks if untrusted or incorrect memories are reintroduced. In a cross-session memory system, this behavior can silently affect future agent decisions and leak data across contexts unless users are clearly warned and given control.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This hook analyzes full request/response content and persists derived 'memories' tied to an agent wallet and session without any visible consent, notice, or opt-in/opt-out control in the code path. That creates a privacy and data-governance risk because sensitive personal data, preferences, or secrets disclosed in conversation may be retained beyond the immediate interaction and later reused, exposed, or mishandled.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The hook sends the full user prompt/query/message to a semantic retriever and then injects retrieved memories back into request context without any disclosure, consent, or minimization visible in this file. This creates a privacy and data-handling risk because sensitive user input may be processed for memory lookup and can cause prior sensitive memories to be surfaced into later requests unexpectedly.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code sends raw memory content to an external embedding provider via `this.embeddingProvider.generate(text)` with no filtering, minimization, consent, or policy enforcement visible in this component. Because the analyzer extracts user statements, preferences, and response content into long-lived memories, this creates a real privacy and data-handling risk if sensitive content is embedded by a third-party service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The delete command permanently removes a memory immediately after the user supplies a wallet and memory ID, with no confirmation prompt, dry-run, or safety flag. In an agent-memory context, accidental or scripted misuse can irreversibly destroy state that may affect future agent behavior, auditing, and recovery.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The OpenAI provider transmits supplied text to a third-party API, which can expose sensitive memory content, prompts, or user data if callers are unaware that embedding generation is remote. In a memory system, this is more dangerous because stored content may include long-lived private data, increasing privacy and compliance risk when sent off-box without explicit disclosure or consent controls.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code persistently stores derived memories from user prompts and agent responses automatically after each request, without any visible consent gate, minimization, or sensitivity filtering in this file. In a memory skill, this context makes the issue more dangerous because the component is specifically designed to retain conversational data, which may include secrets, personal data, or regulated content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code configures an external embedding provider and later generates embeddings from stored content, meaning user data may be transmitted to a third-party service without any visible disclosure or consent mechanism here. Because this is a memory system that processes prompts and responses, the likelihood of sensitive conversational data being sent off-box is significant.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The retriever records raw search queries and identifiers such as `query`, `sessionId`, and type/session relation strings into persistent access logs. Because queries and session identifiers may contain sensitive user data, secrets, or correlatable metadata, this creates unnecessary secondary storage of sensitive information and increases privacy and breach impact if logs are accessed or retained too broadly.

VirusTotal

65/65 vendors flagged this skill as clean.
