Supermemory Free

Security checks across malware telemetry and agentic risk

Overview

The skill performs the cloud backup and search it advertises, but it can also automatically upload local session-memory content to Supermemory.ai and persist that behavior with a cron job, so users should review it carefully before installing.

Install only if you are comfortable sending selected OpenClaw memory-log content and search queries to Supermemory.ai. Start with auto_capture.py --dry-run, avoid storing secrets or secret locations, and do not enable the cron job in sensitive workspaces unless you have reviewed the exact data it will upload and know how to remove it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (25)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises powerful capabilities including environment access, file read/write, network access, and shell execution, but does not declare permissions or boundaries. This reduces transparency and makes it easier for a user or host system to invoke data-accessing or persistence behaviors without informed approval, especially given the documented cloud upload and cron features.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose suggests simple cloud backup/retrieval, but the skill also performs local log scanning, heuristic extraction of content, state tracking, and scheduled automation via cron. That mismatch hides materially different data collection and persistence behavior, increasing the risk of silent exfiltration of sensitive session content to a third-party service.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The README advertises an automatic daily cron job that extracts 'high-value insights' from OpenClaw session logs and sends them to a third-party cloud service, which materially expands the skill from manual backup/search into unattended exfiltration of session-derived data. In an agent context, session logs can contain prompts, secrets, personal data, or proprietary information, so automating this behavior without strict scoping, consent, and sanitization creates a meaningful confidentiality risk.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest description omits auto-capture and cron-management features that materially change the skill's behavior from on-demand storage to automated collection and persistence. In a security context, omitted capabilities are dangerous because users and orchestrators cannot accurately assess what data may be read, retained, or transmitted.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Installing or removing cron jobs introduces persistence on the host and expands the blast radius beyond simple backup/retrieval. Persistence mechanisms are security-sensitive because they enable unattended recurring execution that may continue uploading data long after the original user interaction.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script introduces a persistent scheduled auto-capture mechanism that is not clearly disclosed by the skill’s stated purpose of cloud backup/retrieval. Persistence increases the risk of unexpected recurring data collection and exfiltration, especially in a skill that handles knowledge backup to a remote service.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Managing the user’s crontab is a persistence mechanism that goes beyond simple backup/retrieval and creates ongoing execution on the host. In the context of a cloud-connected skill, this broadens the attack surface by allowing recurring remote data transfer without requiring future user action.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README describes cloud backup plus automated extraction from session logs but does not prominently warn users that session-derived content may be transmitted to Supermemory.ai. Because users may reasonably expect a memory skill to handle only explicitly provided knowledge, the missing disclosure increases the chance of unintentionally exporting sensitive conversations, credentials, or business data to a third-party service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The auto-capture workflow scans memory logs for fixes, errors, configuration paths, preferences, decisions, and other potentially sensitive content, then uploads selected items to a third-party cloud service without an explicit warning or consent boundary. This creates a realistic risk of exposing confidential project data, personal preferences, operational details, or secrets-adjacent information.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The documentation tells users to set an API key but does not warn them to protect credentials or avoid storing secrets in uploaded memory. While not direct secret leakage by itself, poor guidance around credential handling and cloud memory content increases the likelihood of accidental exposure.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The tool manifest explicitly says it will scan recent session memory logs and upload 'high-value insights' to a third-party cloud service, but it does not define exclusion rules, consent requirements, or sensitivity boundaries. Because session logs can contain secrets, personal data, internal prompts, or confidential user content, this broad automatic exfiltration behavior creates a real risk of unintended data disclosure.

Vague Triggers

Medium
Confidence
87% confidence
Finding
A scheduled cron job that performs background uploads every day at 2:00 AM UTC is dangerous when the manifest does not specify clear conditions, user approval, or disablement safeguards. Silent recurring transmission to an external API can persistently leak newly created sensitive data without the user's awareness, making the risk ongoing rather than one-time.

Natural-Language Policy Violations

Low
Confidence
72% confidence
Finding
The manifest advertises cloud backup and auto-capture behavior but does not indicate user opt-in, transparency language, or approval boundaries for sending local knowledge to a remote service. In this context, the omission materially increases privacy and confidentiality risk because users may install a memory utility without realizing it can automatically export session-derived data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script is explicitly designed to scan local session-memory logs and upload selected content to a third-party cloud service, but it does not provide an execution-time warning, consent gate, or data-classification review before transmitting potentially sensitive user information. Because the captured data includes preferences, decisions, config paths, API-related strings, and error context, this creates a real privacy and data-exfiltration risk even if the feature is intentional.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The file is designed for unattended cron execution and will automatically upload extracted memory content without interactive confirmation at runtime. In context, that makes accidental ongoing exfiltration of sensitive session history more likely because users may not realize uploads are happening repeatedly in the background.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The installer modifies the user's crontab immediately, without any confirmation prompt, dry-run gate, or explicit warning that a persistent system change is being made. This can cause users to unknowingly enable recurring execution and data transfer, which is especially sensitive for a cloud-uploading skill.
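The persistence findings above, together with the overview's advice to know how to remove the cron job, call for a way to see exactly which crontab entries run the capture script and to take them out again. The following is an added example written for this page, not code from the Supermemory skill or from SkillSpector. It assumes the script is named auto_capture.py, as the overview says; the crontab text it parses is constructed for illustration, and the entry the real installer writes may look different.

```python
from __future__ import annotations

import subprocess
import sys

# Script name the page's overview refers to. The crontab below is constructed
# for this example; the entry the real installer writes may differ.
SCRIPT_MARKER = "auto_capture.py"
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/python3 /home/user/.openclaw/skills/supermemory/auto_capture.py >> /tmp/capture.log 2>&1
30 6 * * 1 /usr/local/bin/backup.sh
# 0 3 * * * /usr/bin/python3 /old/auto_capture.py
"""


def find_capture_jobs(crontab_text: str, marker: str = SCRIPT_MARKER) -> list[tuple[int, str]]:
    """Return (line number, entry) for every active entry that runs the marker script.

    Commented-out lines are skipped: they do not execute, so they are not
    persistence, although a reviewer may still want to know they exist.
    """
    jobs = []
    for n, line in enumerate(crontab_text.splitlines(), 1):
        entry = line.strip()
        if entry and not entry.startswith("#") and marker in entry:
            jobs.append((n, entry))
    return jobs


def describe_schedule(entry: str) -> str:
    """Human-readable schedule for a five-field crontab entry."""
    fields = entry.split(None, 5)
    if len(fields) < 6:
        return "unparsed"
    minute, hour, dom, mon, dow, _cmd = fields
    if minute.isdigit() and hour.isdigit() and (dom, mon, dow) == ("*", "*", "*"):
        # cron evaluates this in the daemon's time zone, which is not necessarily UTC
        return f"daily at {int(hour):02d}:{int(minute):02d} (daemon local time)"
    return f"{minute} {hour} {dom} {mon} {dow}"


def remove_capture_jobs(crontab_text: str, marker: str = SCRIPT_MARKER) -> str:
    """Return the crontab text with the marker's active entries removed and all other lines intact."""
    drop = {n for n, _ in find_capture_jobs(crontab_text, marker)}
    kept = [line for n, line in enumerate(crontab_text.splitlines(), 1) if n not in drop]
    return "\n".join(kept) + ("\n" if kept else "")


def current_crontab() -> str:
    """Read the invoking user's crontab; empty string if the user has none."""
    proc = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""


def install_crontab(text: str) -> None:
    """Replace the invoking user's crontab with text (crontab reads it from stdin)."""
    subprocess.run(["crontab", "-"], input=text, text=True, check=True)


if __name__ == "__main__":
    live = current_crontab()
    jobs = find_capture_jobs(live)
    for n, entry in jobs:
        print(f"line {n}: {describe_schedule(entry)}: {entry}")
    if not jobs:
        print("no active crontab entry runs", SCRIPT_MARKER)
    elif "--remove" in sys.argv[1:]:
        install_crontab(remove_capture_jobs(live))
        print("removed", len(jobs), "entry" if len(jobs) == 1 else "entries")
```

Run it with no arguments to list matching entries; pass --remove to write back a crontab with those lines dropped and everything else untouched. One caveat the README's "2:00 AM UTC" wording glosses over: cron evaluates schedules in the daemon's time zone (cronie honours a CRON_TZ= line in the crontab; otherwise it is the host's local time), so a "0 2 * * *" entry fires at 02:00 UTC only on a host whose clock runs on UTC.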

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script sends the user's raw search query to a third-party cloud API, and the tool output/usage text does not clearly warn that potentially sensitive prompts will leave the local environment. In a memory or knowledge-retrieval skill, users may search for secrets, internal notes, or personal data, making unintended disclosure plausible.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The tool uploads arbitrary user-provided content to a third-party cloud service without a runtime warning, confirmation, or sensitivity check. In this skill context, users may paste operational knowledge, file paths, secrets, or internal notes, so silent off-system transmission materially increases confidentiality risk.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The script accesses an API credential from environment variables or .env files without any user-facing notice during execution. While this is not credential theft by itself, silent credential use reduces transparency and can surprise users in shared or agent-driven environments.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill explicitly automates uploading user/session memory and preferences to an external cloud service, but does not define sensitivity limits, approval checkpoints, or exclusion rules. Because memory logs often contain private user data, internal system details, and troubleshooting artifacts, this behavior can become a covert data exfiltration channel even if framed as convenience.

Ssd 3

Medium
Confidence
93% confidence
Finding
Encouraging permanent cloud retention of anything a user asks the agent to 'remember' creates a natural-language path for storing sensitive information externally. Users may phrase secrets, personal data, or confidential project details as memories, and the skill normalizes long-term third-party retention without adequate warning or policy constraints.

Ssd 3

High
Confidence
99% confidence
Finding
The script’s stated purpose is to analyze recent session memory logs and push 'high-value insights' to Supermemory cloud backup. In a memory/logging context, this is especially dangerous because those logs can contain sensitive operational details, user preferences, incident notes, internal paths, and potentially secrets, so the skill context increases the severity rather than reducing it.

Ssd 3

High
Confidence
99% confidence
Finding
The heuristics intentionally target exactly the kinds of information that are often sensitive in agent memory: fixes, errors, configuration paths, API endpoints, user preferences, decisions, learned facts, setup details, and mentions of API keys. Although some skip rules exist, they are superficial and pattern-based, so many secrets or private context fragments could still be selected and uploaded.

Ssd 3

High
Confidence
99% confidence
Finding
This code serializes extracted memory insights into JSON and sends them to an external API using a bearer token, creating a direct data-exfiltration path from local memory logs to a third-party service. The danger is heightened because the upload content is raw text snippets chosen from session history, and the code does not enforce strong sanitization, minimization, or user approval before transmission.

Ssd 3

Medium
Confidence
97% confidence
Finding
The usage examples explicitly encourage storing sensitive secret-location information such as 'DB_PASSWORD is in /etc/secrets/db.env' in a cloud knowledge service. This normalizes unsafe behavior and makes accidental exfiltration of sensitive configuration and secret references more likely.
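Several findings above (the superficial, pattern-based skip rules, the upload of raw snippets under a bearer token, and the README's own "DB_PASSWORD is in /etc/secrets/db.env" example) describe the same gap: nothing between the heuristic extractor and the HTTP POST asks whether an item should leave the machine. The following is an added example, not code from the skill or from the scanner, of the kind of pre-upload gate the overview's --dry-run advice implies. The rule set, entropy threshold, and sample insights are hypothetical and constructed for illustration, and the batch it returns has only an assumed shape (a list of content strings), not Supermemory's actual API schema. The AWS key in the samples is the documented AWS example key, not a real credential.

```python
from __future__ import annotations

import json
import math
import re

# Constructed sample "insights" of the kinds the scan report says the
# auto-capture heuristics select (fixes, preferences, config paths, API-key
# mentions). They are made up for this example, not taken from any real log.
SAMPLE_INSIGHTS = [
    "Fix: restart the worker after changing the queue size",
    "User prefers concise answers and dark mode",
    "DB_PASSWORD is in /etc/secrets/db.env",
    "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "Deploy token: ghp_0123456789abcdef0123456789abcdef0123",
    "Config lives at ~/.config/openclaw/config.toml",
]

# Rules that stop an upload outright: well-known credential formats and
# explicit key/secret assignments. Hypothetical rule set, not the skill's own.
BLOCK_RULES = [
    ("aws access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("credential assignment",
     re.compile(r"(?i)\b(api[_-]?key|secret|token|password|passwd)\b\s*[=:]\s*\S{8,}")),
]

# Rules that route an item to a human before upload: references to where
# secrets live, secret-named variables, and local filesystem paths.
REVIEW_RULES = [
    ("secrets directory or dotenv file", re.compile(r"(?i)/etc/secrets|\.env\b")),
    ("secret-named variable",
     re.compile(r"\b[A-Z][A-Z0-9_]*_(?:PASSWORD|PASSWD|SECRET|TOKEN|KEY)\b")),
    ("local filesystem path", re.compile(r"(?:^|\s)(?:~|/)[\w./-]+")),
]

TOKEN_RE = re.compile(r"[A-Za-z0-9+/_=-]{24,}")
ENTROPY_BITS_PER_CHAR = 3.5  # conventional "looks random" threshold; an assumption


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def classify(text: str) -> tuple[str, list[str]]:
    """Return ("BLOCK" | "REVIEW" | "ALLOW", reasons) for one candidate insight."""
    reasons = [name for name, rx in BLOCK_RULES if rx.search(text)]
    # Long high-entropy tokens catch credentials whose format the rules do not know.
    for tok in TOKEN_RE.findall(text):
        if shannon_entropy(tok) >= ENTROPY_BITS_PER_CHAR:
            reasons.append("high-entropy token")
            break
    if reasons:
        return "BLOCK", reasons
    reasons = [name for name, rx in REVIEW_RULES if rx.search(text)]
    return ("REVIEW" if reasons else "ALLOW"), reasons


def build_upload_batch(insights: list[str]) -> tuple[list[dict], dict]:
    """Split candidates into an uploadable batch and a dry-run report.

    Only ALLOW items are serialized; REVIEW and BLOCK items stay local so the
    user sees exactly what would otherwise have left the machine.
    """
    batch, report = [], {"ALLOW": [], "REVIEW": [], "BLOCK": []}
    for text in insights:
        verdict, reasons = classify(text)
        report[verdict].append({"content": text, "reasons": reasons})
        if verdict == "ALLOW":
            batch.append({"content": text})
    return batch, report


if __name__ == "__main__":
    batch, report = build_upload_batch(SAMPLE_INSIGHTS)
    print("would upload:", json.dumps(batch, indent=2))
    for verdict in ("REVIEW", "BLOCK"):
        for item in report[verdict]:
            print(f"{verdict}: {item['content']!r} ({', '.join(item['reasons'])})")
```

On the constructed samples only the two bland items pass; the secret-location sentence from the README and the config path are held for review, and the two credential strings are blocked. A gate like this belongs between extraction and transmission, and its REVIEW bucket is what a --dry-run should print: the real defect the findings describe is not that the skill's regexes are weak but that there is no point at which a person sees the candidate list before it is sent.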

VirusTotal

64/64 vendors flagged this skill as clean.