Scribe

Security checks across malware telemetry and agentic risk

Overview

Scribe appears purpose-built, but it should be reviewed carefully because it can read private session logs, send them to OpenRouter, and store distilled memories automatically.

Install only if you are comfortable with a nightly job reading your OpenClaw session logs, sending user messages to OpenRouter, and writing persistent memory. Keep SCRIBE_APPEND_LONGTERM off unless you need it, narrow SCRIBE_SESSION_DIR and SCRIBE_DAYS where possible, review generated memory files, and remove the scribe-nightly cron job when you no longer want automatic processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill documentation advertises file, environment, shell, and write capabilities but does not declare permissions, which undermines informed consent and prevents users or policy engines from accurately assessing what the skill can access. In this context, the undeclared capabilities are significant because the skill reads session logs, uses credentials, writes persistent memory, and installs cron automation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
The stated behavior omits several materially sensitive actions: sending session contents to a third-party LLM, reading API credentials/configuration, appending to broader long-term memory, and managing cron jobs with a bearer token. This mismatch is dangerous because users may approve a seemingly local summarization tool without realizing it exfiltrates potentially sensitive logs and modifies persistent automation state.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script reads an API credential from environment or local config and transmits session content to an external LLM provider. That outbound data flow is material to user privacy and trust, and the skill description does not clearly disclose external transmission or credential usage, increasing the chance of unintended sensitive-data exfiltration.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest says the skill writes a daily memory file, but the code can also append to long-term MEMORY.md when APPEND_LT is enabled. This mismatch can cause users to grant broader write access than they expect and can persist extracted content beyond the stated scope.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly describes nightly scanning of session logs and writing extracted decisions, preferences, and insights into persistent memory, but it does not clearly warn users about the privacy implications, retention behavior, or scope of collected data. In a memory-consolidation skill, this omission is risky because users may enable automated background collection without understanding that sensitive session content may be durably stored and later reused.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill says it sends user messages to an LLM via OpenRouter but does not present a prominent privacy warning explaining that session content leaves the local environment and may include sensitive information. Because this skill processes session logs by design, the absence of an explicit warning materially increases the risk of unintended disclosure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document explicitly instructs users to automate nightly scanning of session logs and writing extracted content into persistent memory files, but it provides no warning about privacy, consent, retention, or sensitive-data handling. This creates a real risk of unintentionally collecting and persisting secrets, personal data, or confidential project content from prior sessions into a long-lived artifact.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code sends collected user session text to an external API without any explicit user-facing warning, consent step, or visible redaction. Session logs often contain secrets, personal data, or proprietary context, so silent upload materially increases confidentiality risk.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The script accesses an API key from the environment or local OpenClaw config without clearly disclosing this credential use in the skill description. While reading a needed credential is not inherently malicious, undisclosed credential access is sensitive behavior and can violate least surprise and security review expectations.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill is designed to collect session content and persist extracted preferences, decisions, and insights into durable memory files, creating a secondary store of potentially sensitive behavioral and conversational data. This increases exposure if the files are accessed by other tools, retained longer than expected, or used as trusted context in future sessions without user review.

Ssd 3

Medium
Confidence
94% confidence
Finding
The example output shows storing verbatim user phrases and inferred behavioral preferences, which can encode sensitive personal traits, communication style, or high-confidence inferences that may be inaccurate but still reused as durable memory. In the context of an autonomous agent skill, this is more dangerous because persisted inferences can silently shape later agent behavior and expand the blast radius of a single sensitive session.

Ssd 3

Medium
Confidence
93% confidence
Finding
The prompt instructs the external model to extract and retain user decisions, preferences, directives, and project updates, which are then written into daily memory and potentially long-term memory. This creates intentional persistence of potentially sensitive user content and can amplify privacy harm if logs contain secrets or confidential plans.

Session Persistence

Medium
Category
Rogue Agent
Content
````markdown
python3 skills/public/scribe/scripts/setup-cron.py
```

That's it. Scribe will run every night at 23:30 and write `memory/YYYY-MM-DD.md` to your workspace.

**3. Run manually anytime:**
```bash
````
Confidence
88% confidence
Finding
write `memory/YYYY-MM-DD.md` to your workspace. **3. Run manually anytime:** ```bash python3 skills/public/scribe/scripts/scribe.py ``` ## How It Works 1. Scans today's session JSONL files from `~/

VirusTotal

64/64 vendors flagged this skill as clean.
