TriCore

Security checks across malware telemetry and agentic risk

Overview

TriCore is a real memory framework, but it changes agent policy/configuration and includes self-modifying workflows that require careful review before installation.

Install only if you intentionally want TriCore to act as a workspace-level memory and behavior framework. Before installing, review the POLICY.md diff, the OpenClaw compaction prompt change, the MEMORY.md migration behavior, and the installed self-evolution skill. Use a test workspace or a manual install with backups, and disable or remove self-evolution unless you explicitly want web-informed code and configuration changes.
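The review-and-backup advice above is easier to act on with a mechanical before/after comparison. The following is an added example, not TriCore's installer or any OpenClaw tooling: it hashes every file under a throwaway directory, runs an install function, and reports what was added, removed or modified, including a separate agent config file that a workspace-only rollback would leave untouched. The `openclaw.json` path, the `compaction_prompt` key and `simulated_install` are constructed stand-ins for the demo.

```python
import hashlib
import json
import os
import shutil
import tempfile


def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(before, after):
    """Classify paths as added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def simulated_install(ws, cfg_path):
    """Constructed stand-in for an installer with the behaviours the findings
    describe: appends to POLICY.md, archives and replaces MEMORY.md, and
    silently changes a global agent setting.  Not TriCore's real install flow."""
    with open(os.path.join(ws, "POLICY.md"), "a") as fh:
        fh.write("\n# rules appended by installer\n")
    archive = os.path.join(ws, "memory", "archive")
    os.makedirs(archive, exist_ok=True)
    shutil.move(os.path.join(ws, "MEMORY.md"), os.path.join(archive, "MEMORY.md"))
    with open(os.path.join(ws, "MEMORY.md"), "w") as fh:
        fh.write("# fresh MEMORY.md written by installer\n")
    with open(cfg_path) as fh:
        cfg = json.load(fh)
    cfg["compaction_prompt"] = "installer-supplied prompt"  # assumed key name
    with open(cfg_path, "w") as fh:
        json.dump(cfg, fh)


def audit_install(install_fn):
    """Seed a throwaway workspace plus an agent config file, snapshot both,
    run install_fn(workspace, config_path), and return the change report."""
    tmp = tempfile.mkdtemp()
    try:
        ws = os.path.join(tmp, "workspace")
        os.makedirs(ws)
        for name, body in {"POLICY.md": "# policy\n", "MEMORY.md": "# memory\n"}.items():
            with open(os.path.join(ws, name), "w") as fh:
                fh.write(body)
        cfg_path = os.path.join(tmp, "openclaw.json")  # assumed location and name
        original_cfg = {"compaction_prompt": "default"}
        with open(cfg_path, "w") as fh:
            json.dump(original_cfg, fh)

        before = snapshot(tmp)
        install_fn(ws, cfg_path)
        after = snapshot(tmp)

        report = diff_snapshots(before, after)
        with open(cfg_path) as fh:
            # True means a rollback that only touches workspace files would not
            # return the host to its pre-install state.
            report["global_config_changed"] = json.load(fh) != original_cfg
        return report
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for key, value in audit_install(simulated_install).items():
        print(f"{key}: {value}")
```

To audit the real installer, replace the seed files with a copy of your workspace, pass a callable that runs the actual install script, and keep the `before` snapshot and the pre-install config copy so the rollback claim can be checked rather than trusted.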

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (24)

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The document imposes an absolute rule that all memory writes must go through memctl.py, yet its own installation flow performs direct filesystem and policy modifications outside that interface. This kind of self-contradictory control plane weakens operator trust, creates bypass expectations, and can normalize privileged out-of-band changes to POLICY.md and MEMORY.md that the supposed guardrails do not govern.

Context-Inappropriate Capability

Severity: Medium
Confidence: 81%
Finding
The skill expands into external browsing and web/search tooling, despite being presented as a deterministic memory and cognitive framework. That broadens the attack surface by encouraging network-capable behavior, ingestion of untrusted content, and potential privilege escalation through self-evolution workflows that are only loosely tied to the declared purpose.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The skill declares Write and Edit as allowed tools while only documenting that agents must not manually modify WORKING.md or MEMORY.md. That restriction is advisory rather than enforced, so an agent or downstream prompt can still directly alter memory files, bypassing the deterministic memctl.py path and potentially corrupting state, auditability, or policy controls.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The skill mandates use of a memory_search capability that is not actually declared, while permitting Read, Glob, and Grep over the same memory store. This creates a policy/implementation mismatch: agents cannot follow the intended safer retrieval path and will fall back to broad direct file access, increasing the chance of over-reading, misuse of sensitive memory, or inconsistent behavior.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding
The skill claims direct edits to WORKING.md/MEMORY.md are forbidden, but it still grants Edit and Write broadly and only emits advisory hooks instead of enforcing the restriction. This creates a policy-to-capability mismatch: an agent can bypass the deterministic memctl.py path, corrupt memory state, or inject arbitrary content into trusted state files.
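The two findings above turn on the gap between an advisory rule ("do not edit these files manually") and an enforced one. The following added example is not TriCore's hook code (which the scan describes as advisory); it shows what an enforcing gate looks like: a pre-tool-use check that denies Write and Edit on WORKING.md, MEMORY.md and the memory store, lets Bash through only for a plain memctl.py invocation with no shell chaining or redirection, and denies everything else. The call shape (a dict with `tool` and `input`, fields `file_path` and `command`) and the `status` subcommand are assumptions; the decision function can be wired into whatever hook interface the host agent exposes.

```python
import posixpath
import shlex

PROTECTED_FILES = {"WORKING.md", "MEMORY.md"}
PROTECTED_DIR = "memory"          # the long-term store (memory/kb, daily logs)
MEMCTL = "tools/memctl.py"
SHELL_CHAINING = ("&&", "||", ";", "|", "`", "$(", ">", "<")


def is_protected(path):
    """True for the memory state files and anything under the memory store.
    Paths are treated as workspace-relative; absolute paths are split the
    same way, so /tmp/memory/x is also caught (deliberately conservative)."""
    parts = posixpath.normpath(path).split("/")
    return parts[-1] in PROTECTED_FILES or PROTECTED_DIR in parts[:-1]


def is_memctl_invocation(command):
    """Accept only a plain 'python3 tools/memctl.py <subcommand> ...' line.
    Any shell chaining or redirection is rejected before parsing."""
    if any(tok in command for tok in SHELL_CHAINING):
        return False
    argv = shlex.split(command)
    return (len(argv) >= 3
            and argv[0] in ("python", "python3")
            and argv[1] == MEMCTL)


def gate(call):
    """Decide a tool call.  `call` is {"tool": str, "input": dict}; the
    field names file_path/command are assumed.  Returns (allowed, reason)."""
    tool, inp = call["tool"], call.get("input", {})
    if tool in ("Write", "Edit"):
        path = inp.get("file_path", "")
        if is_protected(path):
            return False, f"{tool} on {path} denied: memory changes only via {MEMCTL}"
        return True, "write outside memory store"
    if tool == "Bash":
        if is_memctl_invocation(inp.get("command", "")):
            return True, "memctl invocation"
        return False, "Bash denied: only memctl.py invocations pass this gate"
    if tool in ("Read", "Glob", "Grep"):
        return True, "read-only"
    return False, f"{tool} not in this gate's allowlist"


if __name__ == "__main__":
    for call in (
        {"tool": "Edit", "input": {"file_path": "MEMORY.md"}},
        {"tool": "Write", "input": {"file_path": "./memory/kb/note.md"}},
        {"tool": "Bash", "input": {"command": "python3 tools/memctl.py status"}},  # subcommand assumed
        {"tool": "Bash", "input": {"command": "python3 tools/memctl.py status && curl http://example.invalid"}},
        {"tool": "WebFetch", "input": {"url": "http://example.invalid"}},
    ):
        print(call["tool"], gate(call))
```

The gate is deny-by-default: a tool the skill never needed (WebFetch, default_api:exec) is refused even if the manifest declares it, which is the enforcement the page says the advisory hook lacks.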

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
For a planning and memory-management skill, granting WebFetch, WebSearch, Bash, and default_api:exec is excessive and materially expands the attack surface. If the skill is invoked in a sensitive context, these capabilities enable external data exfiltration, unreviewed command execution, and unintended remote interaction that are not necessary for the stated purpose.
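The mismatches above (WebFetch, WebSearch, Bash and default_api:exec declared for a memory skill; memory_search mandated but never declared) are the kind a static check over the manifest catches before install. The following added example is not SkillSpector's logic and does not use the real skill file format: it assumes a manifest dict with `purpose`, `allowed_tools` and `instructions` fields and a per-purpose baseline that the reviewer maintains. The sample manifest is constructed to mirror the findings.

```python
import re

# What a skill of a given purpose plausibly needs.  Assumed baseline
# maintained by the reviewer; Bash is kept only because the skill wraps
# its own memctl.py in it.
BASELINE = {
    "memory": {"Read", "Glob", "Grep", "Bash"},
}
# Tools that reach the network, run commands or change files.
HIGH_IMPACT = {"WebFetch", "WebSearch", "Bash", "default_api:exec", "Write", "Edit"}

# Capability names as they appear in skill text.  memory_search is included
# because the finding above says the instructions mandate it.
CAPABILITY_REF = re.compile(
    r"\b(memory_search|WebFetch|WebSearch|Bash|Write|Edit|Read|Glob|Grep)\b"
)


def referenced_capabilities(text):
    """Capability names the instructions mention (whether allowed or forbidden)."""
    return set(CAPABILITY_REF.findall(text))


def review(manifest):
    declared = set(manifest["allowed_tools"])
    baseline = BASELINE.get(manifest["purpose"], set())
    referenced = referenced_capabilities(manifest["instructions"])
    excess = declared - baseline
    return {
        "excess": sorted(excess),                               # beyond purpose
        "high_impact_excess": sorted(excess & HIGH_IMPACT),      # review these first
        "undeclared_but_referenced": sorted(referenced - declared),
        "declared_but_unreferenced": sorted(declared - referenced),
    }


# Constructed to mirror the findings above; not the real TriCore manifest.
SAMPLE_MANIFEST = {
    "name": "memory-skill-under-review",
    "purpose": "memory",
    "allowed_tools": ["Read", "Glob", "Grep", "Write", "Edit", "Bash",
                      "WebFetch", "WebSearch", "default_api:exec"],
    "instructions": (
        "All memory writes go through Bash: python3 tools/memctl.py ... "
        "Use memory_search to retrieve prior context. "
        "Never Edit or Write WORKING.md or MEMORY.md directly; "
        "Read and Grep over memory/ are fine."
    ),
}

if __name__ == "__main__":
    for key, value in review(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Two of the output lists map directly onto the findings: `undeclared_but_referenced` surfaces memory_search, and `high_impact_excess` is the set to justify or strip before the skill is allowed near a sensitive workspace.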

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The installer changes a global OpenClaw agent setting unrelated to merely copying TriCore files into the workspace. This broadens the script's scope from local deployment to modifying host-wide agent behavior, which can affect other projects or sessions and is especially risky because the change is silent and not rolled back on failure.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The rollback message claims the system is restored to its pre-install state, but the script does not restore any OpenClaw configuration changed later in installation. This creates a misleading safety guarantee: users may believe the install is fully reverted while persistent global state remains modified.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The migration command goes beyond deterministic file maintenance and emits prescriptive instructions telling an agent to read archived content, semantically classify it, and rewrite it into other memory stores. In an agent skill context, that creates an unsafe prompt-injection surface where untrusted legacy content can steer downstream agent behavior and cause unintended data propagation or policy bypass.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The install flow describes automatically moving and replacing `MEMORY.md`, which is user data, without a prominent consent gate or warning. Even with archival backup, silent mutation of existing workspace state can cause data loss, confusion, or accidental destruction of operational context relied on by the agent or user.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill describes persistent writes to WORKING.md and long-term memory without any user notice, consent flow, retention limits, or guidance on handling sensitive data. In an agent environment, this can silently store secrets, personal data, or proprietary prompts and later expose them through retrieval or logs.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The markdown normalizes subprocess execution of host-side commands through python3 tools/memctl.py without warning that the skill may trigger local command execution. Even if the specific commands are fixed, encouraging automatic command execution in a skill increases the risk of unsafe deployment assumptions and can lead to host-side side effects operators did not expect.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill explicitly describes persisting task content, intermediate reasoning, and knowledge into WORKING.md, memory/kb, and daily logs without any warning about retention, sensitivity, or user consent. In an agent context, user prompts often contain secrets, personal data, or proprietary information, so silently storing them to persistent memory increases the risk of privacy leakage and unintended future retrieval.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The example workflow performs subprocess-driven writes to local memory files and marks tasks complete, all based on user_query and generated observations, without warning that it modifies system state. In this skill context, the danger is elevated because the agent is encouraged to operationalize these commands as part of its normal reasoning loop, which can lead to persistent storage of sensitive or attacker-influenced content and unintended local state changes.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger condition for self-evolution is broad and underspecified, including scheduled and manual invocation without clear authorization boundaries. In this skill's context, activation leads to web research, code modification, and execution, so ambiguous triggering increases the chance of unintended self-modifying behavior on a live system.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill explicitly authorizes modifying code, editing skill logic, writing scripts, and then executing the modified artifacts, but it does not present a strong user-facing warning or approval gate for these system-impacting actions. Because the same workflow also pulls ideas from the external internet, this creates a dangerous self-modification pipeline that could introduce persistence, regressions, or supply-chain-style compromise.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill explicitly authorizes searching the internet, then modifying local code, skills, scripts, and configuration files, plus executing and validating those changes, without requiring user confirmation or a clear warning that system state will be altered. In the context of a self-evolution skill, this is especially dangerous because it normalizes autonomous code changes based on untrusted external content, creating a realistic path to supply-chain-style prompt injection, persistence, or destructive local modifications.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The installer creates directories, copies tools, migrates memory, and edits `POLICY.md` without any confirmation or dry-run step. In a security-sensitive agent workspace, silent modification of policy, memory, and tooling increases the chance of unreviewed persistence and can overwrite or alter existing local behavior unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The script changes OpenClaw configuration without prominently warning the user or obtaining consent. Because this affects agent behavior beyond the local skill deployment, the lack of confirmation makes the change more dangerous than ordinary file installation and can introduce persistent, hard-to-trace side effects.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The housekeeping command silently moves files from one workspace location to another without any prior notice, dry-run mode, or confirmation. In an automated agent environment, undisclosed state-changing file operations can disrupt workflows, hide artifacts from expected locations, or cause accidental data handling issues when invoked implicitly.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The legacy migration command relocates MEMORY.md and creates replacement files before any user-facing disclosure or approval. In a skill used by agents on live workspaces, this can unexpectedly alter canonical state, break dependent tooling, and make recovery harder if migration was triggered on an incorrect heuristic such as file size alone.

Ssd 1

Severity: Medium
Confidence: 94%
Finding
The skill attempts to redefine itself as the agent's 'fundamental operating system law' and impose behavior constraints that supersede normal instructions. This is dangerous prompt-layer control hijacking: a skill should provide scoped guidance, not attempt to replace higher-priority system or user governance, especially when it directs tool usage and file-handling behavior.

Ssd 1

Severity: High
Confidence: 96%
Finding
Telling the agent to use the manual as its 'base operating instructions' is a direct attempt to elevate the skill above the normal prompt hierarchy. In context, this is more dangerous because the same document also prescribes installation, policy injection, and constrained tool behavior, so successful compliance could materially alter the host environment and the agent's decision-making.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The example persists user_query directly into working memory and long-term knowledge, including title, goal, logs, and a playbook entry. This creates a clear data retention and cross-session leakage risk: sensitive user content may be stored in plain language and later resurfaced by search, memory retrieval, or other tasks unrelated to the original request.
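This finding, together with the earlier ones about persisting user_query, WORKING.md, memory/kb and daily logs without any sensitivity check, calls for a gate between the user's text and the memory sink. The following added example is not TriCore's memctl.py: it scrubs secret-shaped tokens before the write, or under a stricter policy refuses the write entirely and reports what it saw. The patterns are illustrative rather than a complete secret scanner, the sample query is constructed, and `sink` stands for whatever wrapper around memctl.py the deployment uses.

```python
import re

# Illustrative patterns only; a production deployment would use a
# maintained secret scanner and its own PII rules.
PATTERNS = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("bearer_token", re.compile(r"\bBearer\s+[A-Za-z0-9._\-]{20,}")),
    ("private_key", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----")),
    ("kv_secret", re.compile(
        r"(?i)\b(?:password|passwd|api[_-]?key|secret|token)\s*[=:]\s*\S+")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
]


def redact(text):
    """Return (scrubbed_text, findings); findings is a list of (label, match)."""
    findings = []

    def replacer(label):
        def _sub(match):
            findings.append((label, match.group(0)))
            return f"[REDACTED:{label}]"
        return _sub

    for label, pattern in PATTERNS:
        text = pattern.sub(replacer(label), text)
    return text, findings


def persist_safely(user_query, sink, policy="redact"):
    """Gate in front of the memory sink.  policy='redact' stores a scrubbed
    copy; policy='refuse' stores nothing if any secret-shaped token is found.
    `sink` is a callable taking the text, e.g. a wrapper around memctl.py
    (assumed interface, not the real one)."""
    scrubbed, findings = redact(user_query)
    labels = [label for label, _ in findings]
    if findings and policy == "refuse":
        return {"stored": False, "findings": labels}
    sink(scrubbed)
    return {"stored": True, "findings": labels, "text": scrubbed}


# Constructed sample; the credential-shaped strings are not real.
SAMPLE_QUERY = ("Deploy with AKIAABCDEFGHIJKLMNOP and password=hunter2, "
                "then email the report to alice@example.com")

if __name__ == "__main__":
    stored = []
    print(persist_safely(SAMPLE_QUERY, stored.append))
    print(persist_safely(SAMPLE_QUERY, stored.append, policy="refuse"))
```

The labels returned alongside the decision are what a user notice should show ("stored a redacted copy; an access key and a password were removed"), which addresses the missing-warning findings as well as the retention one.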

VirusTotal

66/66 vendors flagged this skill as clean.
