MindClaw

Security checks across malware telemetry and agentic risk

Overview

MindClaw is a coherent local memory tool, but it needs Review because it can persist broad conversation/file content and may store credential-like secrets despite attempting redaction.

Install only if you are comfortable with a local agent keeping durable searchable memory. Avoid using auto-capture or Markdown import on raw chats, logs, configs, or files that may contain tokens, passwords, personal data, or confidential business details. Review setup and MCP registration actions carefully because they change future agent tooling and can sync stored memory into OpenClaw MEMORY.md.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (25)

Intent-Code Divergence

Medium severity, 94% confidence
The credential rule's comments claim the code captures only the full-match context and not the secret itself, but the regex uses a capturing group for the secret value and sets extract_group=0, and deduplication runs before redaction. This mismatch increases the risk that maintainers misunderstand the data flow and that sensitive values are processed or compared in raw form, which can lead to accidental exposure in memory, logs, or downstream store/search layers.

Missing User Warnings

Medium severity, 92% confidence
The README explicitly promotes one-command setup flows that register with external runtimes and modify local configuration and memory files, but it does not front-load a clear warning about those side effects before the command is presented. In an agent-skill context, users or agents may invoke setup assuming it is a harmless install step, causing silent persistence, tool registration, and workspace modification.

Missing User Warnings

Medium severity, 94% confidence
The one-shot setup_mindclaw tool is described as a convenient single call, but the documentation does not prominently warn that it both registers the tool and performs an initial sync. For agent-driven execution, bundling multiple persistent side effects into one tool increases the risk of unintended configuration changes and data propagation without informed user consent.

Missing User Warnings

Medium severity, 90% confidence
Commands like forget --hard and import --replace are destructive or overwriting operations, yet the README lists them in a neutral command reference without strong irreversible-action warnings. In an agent environment, this can lead to accidental data loss when an LLM selects a command based on terse descriptions alone.

Missing User Warnings

Medium severity, 91% confidence
The skill explicitly promotes syncing structured memories back into local files and storing configuration on disk, but it does not clearly warn users that potentially sensitive conversation-derived data will be written persistently to `MEMORY.md` and `~/.mindclaw/config.json`. This is dangerous because users or agents may unknowingly persist secrets, personal data, or internal context into searchable local storage, increasing exposure through later reads, backups, or other tools.

Missing User Warnings

Medium severity, 93% confidence
The listed tools (`context_block`, `capture`, `import_markdown`) process conversation content and make it available for prompt injection and long-term memory, but the skill does not warn that imported or captured text may contain sensitive user information. This creates a privacy risk because conversation-derived data can be re-surfaced in future prompts or searches outside the original context in which it was provided.

Missing User Warnings

Medium severity, 82% confidence
The manifest advertises syncing to MEMORY.md and importing daily logs without clearly warning that the tool reads from and writes to persistent files. In an agent context, unclear disclosure around file modification can lead to unintended data propagation, overwrites, or exposure of sensitive memory contents across workflows.

Missing User Warnings

Medium severity, 91% confidence
The forget command supports hard deletion but the manifest provides no warning, safeguard, or confirmation note. In agent-driven environments, destructive commands without explicit friction increase the risk of irreversible data loss from mistaken invocation or prompt-induced misuse.

Missing User Warnings

Low severity, 79% confidence
Automatic consolidation changes stored memories and may merge semantically similar records incorrectly if invoked with an aggressive threshold. Without warning users that content can be altered, the tool increases the chance of silent corruption or loss of fidelity in persisted knowledge.

Missing User Warnings

Low severity, 80% confidence
The decay command can archive stale memories in bulk, but the manifest does not indicate that this may modify a large portion of stored data. In an automated agent setting, a bulk archival operation without warnings or review can unexpectedly hide or remove information from future retrieval flows.

Missing User Warnings

Medium severity, 89% confidence
The auto-capture engine persists user conversation content to a memory store by default, with no consent, notice, or policy gate in this code path. In an agent setting, that creates a privacy and data-retention risk because users may provide sensitive facts, preferences, or operational details that are silently stored and later retrievable.

Missing User Warnings

High severity, 95% confidence
This code explicitly detects credential-related text and processes it through the capture pipeline without any warning or user consent flow. Although redaction is attempted before storage, the system still inspects and handles secrets, and because duplicate checking runs on the unredacted content first, plaintext secret material may reach store.search_text or related components, increasing exposure risk.

Missing User Warnings

Medium severity, 93% confidence
The capture tool explicitly advertises automatic detection of credentials and then persists extracted memories unless dry_run is set, but there is no visible warning, consent gate, or safeguard in this interface. In an agent setting, users may pass logs, chats, or configs containing secrets, leading to unintentional long-term storage of API keys, passwords, or tokens in the memory database and downstream sync targets.

Missing User Warnings

Medium severity, 95% confidence
The search engine sends user queries and stored memory content to an Ollama HTTP service for embedding generation without any explicit consent, warning, or data-classification guard. Even if intended for localhost, this can expose sensitive prompts, secrets, or private memory data to another process or to a misconfigured/non-local endpoint if base_url is changed.

Missing User Warnings

Medium severity, 81% confidence
This method writes potentially sensitive memory contents into an arbitrary Markdown file path and can also modify an existing MEMORY.md in place. In an agent setting, persistent memories may contain user secrets, prompts, or workspace-derived data, so exporting them without an explicit consent/confirmation boundary can cause unintended data exposure or file modification in the user's workspace.

Missing User Warnings

Medium severity, 84% confidence
This importer reads arbitrary Markdown content and persists bullet-point text into the long-lived memory database, which can silently capture sensitive user notes, credentials, or private workspace data. In an agent skill context, automatic ingestion from user files increases privacy risk because users may not realize local documents are being transformed into durable agent memory.

Missing User Warnings

Medium severity, 86% confidence
This function auto-detects an OpenClaw workspace path and updates MEMORY.md, causing a direct write into user workspace files without any in-function disclosure or confirmation control. In an agent environment, silent modification of user-managed files is risky because it can leak persisted memory into shared repositories or alter files the user did not intend the agent to touch.

Ssd 3

Medium severity, 86% confidence
The tagline and introductory workflow encourage comprehensive retention of conversational and user-provided information, framing persistence as a default good. In a memory tool for AI agents, this increases the chance that sensitive, unnecessary, or regulated data will be stored and later resurfaced into prompts or shared memory contexts.

Ssd 3

Medium severity, 95% confidence
The recommended agent loop explicitly tells agents to remember content, capture conversation logs, and sync them into persistent/shared memory. This creates a concrete pattern for bulk retention and cross-context reuse of user content, which is especially risky because agent operators may follow the loop verbatim without adding consent checks, sensitivity filtering, or minimization.

Ssd 3

Medium severity, 89% confidence
The core value proposition is persistent retention of agent knowledge and synchronization into broader memory stores, which encourages wide collection and propagation of user-provided information. In a memory-management skill this behavior is contextually expected, but it is still dangerous without strong limits because it can normalize retaining everything, including secrets, personal data, or confidential operational details.

Ssd 3

Medium severity, 95% confidence
The recommended loop instructs agents to extract memories from conversations, store them, and sync them into OpenClaw's `MEMORY.md`, effectively broadening visibility across tools. This increases the chance that sensitive conversational content will be persisted and later disclosed to unrelated tasks, prompts, or operators, especially because the workflow is presented as standard practice rather than a guarded, consent-based action.

Ssd 3

Medium severity, 88% confidence
The description explicitly promotes indefinite retention of information and integration with logs and shared memory files. In a memory skill, this creates real privacy and data-minimization risk because agents may persist sensitive user or operational data far beyond necessity, increasing exposure if the store is queried, exported, synced, or compromised.

Ssd 3

Medium severity, 92% confidence
The capture capability is designed to automatically extract decisions, errors, preferences, and TODOs from arbitrary text into persistent memory. That is risky in an agent setting because free-form text often contains sensitive, irrelevant, or adversarially planted content that may be stored and later resurfaced into model context.

Ssd 3

Medium severity, 89% confidence
The markdown sync/import features encourage broad ingestion from memory files and daily logs, then re-exposure through a shared MEMORY.md bridge. In context, this is more dangerous because the tool is explicitly a persistent memory system for agents, so imported sensitive content can be amplified across search, export, and prompt-building features.

Ssd 3

Medium severity, 90% confidence
process_conversation automatically iterates over messages and stores extracted facts, preferences, decisions, todos, and URLs into long-term memory. In the context of an agent skill, that broad natural-language retention increases the chance of collecting sensitive personal, business, or security-relevant information that can later leak through retrieval, debugging, or compromise of the store.

VirusTotal

66/66 vendors flagged this skill as clean.