Memory Consolidate

Security checks across malware telemetry and agentic risk

Overview

This memory-consolidation skill appears useful, but it has review-worthy privacy and persistence risks because it can persist user profile data, run automatically, modify agent context behavior, and send memory contents to a remote LLM provider.

Install only if you intentionally want automatic long-term memory consolidation. Before enabling it, confirm whether remote LLM processing is on by default, what memory text is sent off-device, where snapshots and user_traits are stored, how cron/config changes are installed, and how to disable or delete retained memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%

Finding: The skill invokes shell commands, reads and writes workspace files, accesses environment/config data, and uses a networked LLM provider, yet it declares no permissions. That gap prevents operators from understanding or constraining what the skill can do, which is especially risky because it is configured to run automatically via cron and to modify agent bootstrap behavior.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 91%

Finding: The documented purpose understates the actual behavior: the skill performs outbound LLM calls, reads local identity and API configuration, orchestrates subprocesses, writes many additional artifacts, and alters session injection/configuration. This mismatch can mislead users into granting trust to a 'memory' utility while it handles sensitive data and expands persistence and automation, increasing the chance of unintended data exposure or unauthorized operational changes.

Context-Inappropriate Capability

Severity: Medium
Confidence: 70%

Finding: This skill is supposed to perform memory consolidation, but it does so by launching external Python scripts from the workspace at runtime. That creates a broader code-execution primitive than necessary: if an attacker can tamper with those script files or the workspace contents, the pipeline will execute arbitrary code with the agent's privileges.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%

Finding: This code transmits memory candidate content to an external Anthropic-compatible API, which can include sensitive session-derived facts, decisions, and user information. In a memory-consolidation skill, exporting persistent memory contents off-host materially increases confidentiality risk and expands the trust boundary beyond what a local memory feature would normally imply.

Context-Inappropriate Capability

Severity: Low
Confidence: 88%

Finding: The skill reads API configuration from both environment variables and ~/.openclaw/openclaw.json, giving it access to broader host secrets than are necessary for simple local memory processing. Even though the code does not exfiltrate the key directly, this secret access combined with outbound network capability increases the blast radius if the skill is modified, misconfigured, or reused in an unexpected context.

Ssd 3

Severity: Medium
Confidence: 93%

Finding: The prompt and response parser are designed to preserve high-signal user information and optionally emit user_traits into persistent output, which can create long-lived profiling data. Persisting inferred traits and sensitive personal context raises privacy and misuse risks, especially because these memory snapshots are injected into future sessions.

VirusTotal

66/66 vendors flagged this skill as clean.