Smart Agent Memory

Security checks across malware telemetry and agentic risk

Overview

This is a real local memory tool, but its setup can modify every OpenClaw workspace it finds and persist mandatory memory-capture instructions.

Install only if you want durable local agent memory and are comfortable reviewing its workspace changes. Before running setup, inspect the BOOTSTRAP text and understand it may modify every ~/.openclaw/workspace* workspace. Avoid storing secrets, credentials, regulated data, or private personal details, and manually review any skill generated by the extract command before enabling it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%
The documented storage scope is ~/.openclaw/workspace/memory, but setup expands its reach by discovering all ~/.openclaw/workspace* directories and injecting BOOTSTRAP.md into each. This discrepancy can lead users and policy systems to underestimate where the skill writes, enabling unexpected persistence and propagation across workspaces.

Scope Creep

Severity: High | Confidence: 98%
The manifest permissions only cover ~/.openclaw/workspace/memory, yet the setup procedure documents modifications to BOOTSTRAP.md files in multiple workspace directories outside that path. Writing outside declared permissions undermines least privilege and creates a path for persistent behavioral changes in other agent environments without accurate disclosure.

Intent-Code Divergence

Severity: Medium | Confidence: 96%
The qmd code path ignores the provided dir argument and runs `qmd query` without constraining the search root, so results may be sourced from whatever default index or working directory qmd uses rather than the intended memory directory. In a long-term memory skill, this can cause cross-project or out-of-scope data exposure, returning unrelated or sensitive content that the caller did not intend to search.

Description-Behavior Mismatch

Severity: High | Confidence: 97%
The `setup` command modifies `BOOTSTRAP.md` across discovered workspaces and injects instructions that force `session-start` before any work and `session-end` summary capture. This goes well beyond a passive memory CLI into persistent workspace behavior modification, creating an unauthorized control/persistence mechanism that can alter agent behavior across projects.

Context-Inappropriate Capability

Severity: High | Confidence: 91%
The `extract` command turns stored lessons into new skills under `~/.openclaw/skills`, which is a capability expansion from memory storage into code/artifact generation. In an agent ecosystem, writing new skills can become a persistence or privilege-expansion vector, especially if lessons contain attacker-influenced content.

Missing User Warnings

Severity: Medium | Confidence: 95%
The README instructs users to run a setup command that automatically discovers workspace directories and injects a BOOTSTRAP.md file, but it does not clearly warn that user files or workspace contents will be modified. In a security-sensitive agent environment, silent or under-disclosed file injection increases the risk of unintended persistence, trust-boundary violations, and accidental modification of multiple workspaces.

Missing User Warnings

Severity: Medium | Confidence: 90%
The setup instructions normalize automatic BOOTSTRAP.md injection into all discovered workspaces without a prominent warning that files will be modified. This reduces informed consent and increases the chance of stealthy persistence-like changes to agent behavior across environments the user may not intend to alter.

Missing User Warnings

Severity: Medium | Confidence: 89%
The skill encourages frequent automatic memory writes during conversations and tool use, but does not pair that with privacy, retention, or sensitivity guidance. In practice, this can cause secrets, personal data, and confidential user prompts to be persistently stored and later resurfaced across sessions or agents.

Missing User Warnings

Severity: Medium | Confidence: 87%
The code persists arbitrary memory content not only in SQLite but also into daily Markdown logs and per-skill Markdown files, substantially widening the exposure surface for potentially sensitive data. In an agent long-term memory system, stored content may include prompts, secrets, personal data, or operational context, and duplicating it into human-readable files increases the chance of unintended disclosure via backups, source control, local file browsing, or other tools that scan the workspace.

Missing User Warnings

Severity: Low | Confidence: 79%
Lesson records are written as plaintext Markdown files containing context, outcome, and insight, which may capture sensitive operational details or user data. Because this skill is specifically a cross-platform agent memory system designed for long-term retention, exporting those records to readable files without explicit consent or safeguards creates a real confidentiality risk beyond the database itself.

Missing User Warnings

Severity: Low | Confidence: 76%
Entity metadata is rendered into Markdown files using names and attributes that may contain personal, organizational, or decision-related information. In this memory-management context, those entity pages are likely to aggregate sensitive facts in a predictable location, increasing discoverability and accidental leakage through indexing, syncing, or repository inclusion.

Missing User Warnings

Severity: Medium | Confidence: 84%
The lesson and entity helpers persist raw user/context data into Markdown files under predictable locations without any sanitization, minimization, or policy guardrails. In a long-term memory skill, this increases privacy and prompt-injection risk because sensitive or attacker-controlled text may later be re-ingested by humans or agents from those files, creating unintended data retention and trust-boundary issues.

Missing User Warnings

Severity: Medium | Confidence: 96%
The code writes to `BOOTSTRAP.md` in multiple workspaces without prompting, previewing changes, or requiring confirmation. Silent modification of workspace bootstrap files is risky because it creates persistent behavior changes and can surprise users or downstream agents that trust those files.

Natural-Language Policy Violations

Severity: Medium | Confidence: 83%
The embedded bootstrap text imposes mandatory behavior ('before doing anything', 'not optional') and hardcodes Chinese-language operational instructions into every targeted workspace. This is dangerous because it attempts to steer agent behavior through coercive persistent instructions rather than transparent, user-approved configuration.

Ssd 3

Severity: Medium | Confidence: 94%
The instructions normalize broad retention of conversation content into long-lived memory without sensitivity screening or minimization. That makes the memory store a durable aggregation point for potentially sensitive user inputs, increasing exposure through later searches, sharing across agents, or compromise of the workspace.

Ssd 3

Severity: Medium | Confidence: 92%
The scheduled session-check explicitly tells the agent to review the day's conversations and persist summaries when facts have not grown. This encourages retrospective collection and storage of prior user inputs that may have been shared only for transient task completion, expanding retention without user awareness.

Ssd 3

Severity: Medium | Confidence: 94%
The injected instructions explicitly direct automatic capture of session information and end-of-session summaries across workspaces. In a memory skill, this increases the chance of over-collection of sensitive project data, credentials, or private context without granular consent or data minimization.

Ssd 4

Severity: Medium | Confidence: 92%
The setup flow establishes a persistent instruction chain that tells agents to obey memory bootstrap steps before any other work, then funnels session data into storage. This creates a trust/obedience anchor that can influence future agent behavior and normalize broad data capture across environments.

VirusTotal

65/65 vendors flagged this skill as clean.
