ClawHub

local-tencentdb-agent-memory-flash

Security checks across malware telemetry and agentic risk

Overview

This is a coherent setup guide for a local OpenClaw memory plugin, but users should understand that it stores conversation memory and includes an optional patch script step.

Install this only if you want OpenClaw to remember and reuse conversation content over time. Keep the default local embedding mode unless you trust the remote provider, avoid storing secrets or regulated data in memory, and inspect or skip the optional patch script if you do not want it changing your local OpenClaw runtime.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs users to execute a local patch shell script from an installed extension directory without first requiring users to inspect the script, verify its provenance, or warning that it may modify local files and runtime behavior. This creates a real supply-chain and arbitrary code execution risk because package-installed scripts can change across versions and may perform privileged or unexpected system modifications.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill promotes persistent conversation memory, local logging, and retention/cleanup behavior but does not clearly warn users that potentially sensitive conversation content will be stored on disk and retained over time. In a memory plugin context, that omission is security-relevant because users may unknowingly persist secrets, personal data, or regulated information in local databases and logs.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal