Fractal Memory

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate memory organizer, but it needs review because it persistently stores chat-derived data, runs scheduled background rollups, and sends daily logs to an LLM by default.

Review before installing. Use it only if you are comfortable with persistent workspace memory, scheduled background changes, and daily diary content being sent to the configured OpenClaw LLM backend. Remove or review the `update_now.py` cron command, disable LLM rollup or switch to local-only processing if needed, avoid storing secrets or sensitive personal data, and keep backups plus a clear way to disable cron jobs and delete stored memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (20)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
try:
    # Call OpenClaw's LLM via subprocess
    result = subprocess.run(
        ['openclaw', 'ask', '--model', LLM_MODEL, '--'],
        input=prompt,
        capture_output=True,
        # ... (remainder of the call not shown in the scanner excerpt)
```
Confidence
93% confidence
Finding
`result = subprocess.run(['openclaw', 'ask', '--model', LLM_MODEL, '--'], input=prompt, capture_output=True, text=True, timeout=30`

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill directs users to read and write files and run shell commands/scripts, but it does not declare permissions or clearly constrain those capabilities. This creates a transparency and consent problem: users may install a skill that persists conversation-derived data and executes local commands without an explicit capability declaration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is memory compression, but the skill behavior as described by the analyzer includes integrity monitoring, tamper/anomaly detection, and external LLM subprocess invocation that are not clearly disclosed in the main description. Hidden or under-disclosed behavior increases the risk of unexpected data exposure, surveillance-like monitoring of local files, and sending sensitive memory contents to an external model service.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The cron example embeds a free-form shell command chain inside an agentTurn message, which gives the scheduled agent a general command-execution path rather than a narrowly scoped memory-rollup action. Even if intended for maintenance, this increases risk because any later prompt injection, message modification, or copy-paste reuse could turn the cron job into an arbitrary command runner operating on the local workspace.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The weekly cron job repeats the same unsafe pattern by instructing the agent to execute shell commands through natural-language task text. This broadens the operational capability from memory compression to general local command execution, which is dangerous in an agent context because scheduled autonomous actions may run without contemporaneous user review.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The monthly cron example also relies on a shell command embedded in an agent message, preserving a general execution surface in an autonomous scheduled workflow. Because this job updates a high-value persistent memory artifact, compromise or misuse could silently corrupt long-term agent state or be repurposed to run unrelated commands.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill is described as a memory compression utility, but this script forwards raw diary entries to an LLM subprocess, which is a materially broader capability than local file rollup. In a memory system, diary files are especially likely to contain personal, strategic, or credential-adjacent data, so undisclosed external processing increases the danger.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation text is broad enough to trigger on common requests about memory, context, or persistence, which can cause the skill to activate outside a narrowly intended scope. In this skill's context, over-broad activation is risky because activation can lead to persistent storage, file modification, and automation setup for conversation-derived data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The setup instructions tell users to create directories, copy scripts, and install cron jobs, but they do not foreground that the system will continuously persist and mutate conversation-derived data on disk over time. This can lead to users enabling long-lived collection and automated processing of sensitive information without informed consent or retention controls.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document explicitly instructs immediate and automated writes to persistent memory files and scheduled rollups, but it does not require user consent, visibility, or warnings about persistence. In a memory-management skill, this creates a real privacy and safety risk because normal conversation content may be stored and transformed automatically without the user's informed approval.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The guide instructs users to automate scripts that rewrite summaries and distill content into persistent memory files, but it does not clearly warn that these actions modify long-lived user data and may be lossy or irreversible. In a memory-management skill, that omission is significant because users may enable unattended jobs without understanding the persistence, overwrite, and corruption risks.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide instructs users to move existing memory files with `mv` during migration, which directly modifies the current data layout and can cause accidental data loss, broken tooling, or rollback difficulty if run without backups or validation. In a memory-management skill, users are especially likely to apply these commands to valuable long-term context, so the lack of an explicit warning and safer migration steps increases operational risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Raw diary content is sent to an external LLM path without an in-context warning, consent gate, or disclosure of where the data may go. Users may reasonably assume a local rollup job is only reorganizing local files, so this hidden transmission can lead to inadvertent exposure of sensitive information.

Ssd 3

Medium
Confidence
96% confidence
Finding
The instruction to 'write everything immediately' encourages indiscriminate logging of conversation content into persistent memory files. This is dangerous because chats often contain secrets, personal data, credentials, and other sensitive material that should not be stored by default, especially when later reused and summarized automatically.

Ssd 3

Medium
Confidence
90% confidence
Finding
The session startup instructions direct the agent to load USER.md, daily memory, and possibly MEMORY.md by default, promoting broad reuse of previously stored context. This increases the chance that stale, irrelevant, or sensitive personal information is injected into future sessions without a fresh need-to-know justification.

Ssd 3

Medium
Confidence
96% confidence
Finding
The instruction to write conversation content to persistent daily memory immediately creates a direct data retention risk, especially because conversations can contain secrets, personal data, credentials, or other sensitive operational details. In this skill's context, the danger is elevated because the whole architecture is designed to preserve and propagate that content into longer-lived summaries.

Ssd 3

Medium
Confidence
95% confidence
Finding
The principle 'Write Everything Immediately' promotes indiscriminate retention, which is unsafe because it discourages filtering and increases the likelihood that sensitive user inputs are stored permanently. This is especially risky in an agent memory system where retained data may later be reloaded into prompts, exposed to other tools, or leaked through summaries.

Ssd 3

Medium
Confidence
91% confidence
Finding
The timeless-facts mechanism encourages long-term storage of recurring preferences, facts, and workflows, which can accumulate detailed user profiles over time. Even if intended for convenience, this raises privacy and misuse risks because persistent preference data can reveal behavior patterns, sensitive traits, or operational details long after the original context is gone.

Ssd 3

Medium
Confidence
94% confidence
Finding
The prompt explicitly asks the model to preserve key details, decisions, and follow-ups from diary entries, which increases the chance that sensitive personal or operational information will be copied into longer-lived summary files. This broadens exposure because details from ephemeral daily notes become concentrated and easier to retrieve from weekly memory artifacts.

Session Persistence

Medium
Category
Rogue Agent
Content
### 1. Set Up Directory Structure

```bash
mkdir -p memory/diary/{2026/{daily,weekly,monthly},sticky-notes/{workflows,apis,commands,facts}}
```

### 2. Initialize State Files
Confidence
88% confidence
Finding
```bash
mkdir -p memory/diary/{2026/{daily,weekly,monthly},sticky-notes/{workflows,apis,commands,facts}}
```

### 2. Initialize State Files

Copy templates from `assets/`:

```bash
cp assets/rollup-state.json
```

VirusTotal

66/66 vendors flagged this skill as clean.