Openclaw Memory Master

Security checks across malware telemetry and agentic risk

Overview

This appears to be a memory-management skill, but its package layout is incoherent and it handles sensitive memories with weak disclosure and controls.

Review before installing. Ask the publisher for a valid package layout, an explanation for the wallet and sensitive-credential capability tags, clear privacy documentation, configurable local-only operation, retention/deletion controls, and confirmation or archive behavior before any memory cleanup. Avoid storing secrets, wallet material, health details, or highly sensitive personal memories until those controls are clarified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (22)

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The file is named README.md but contains executable Node.js code rather than documentation. This is dangerous because users, reviewers, or automation may treat README content as trusted documentation and execute copied commands or embedded code without the scrutiny normally applied to source files, increasing the risk of social engineering and accidental execution.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
This redaction module records and returns the full original secret in the `detected` array via the `original` field, even though it presents itself as a sensitive-data filter. Any caller that logs, stores, serializes, or forwards the result can accidentally exfiltrate passwords, API keys, private keys, or database URLs, defeating the purpose of filtering and increasing downstream exposure.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file is documented as an in-memory hot store, but it restores from and persists to disk via index.json under persistPath. This mismatch can cause operators or downstream code to handle sensitive memory as ephemeral when it is actually retained locally, increasing unintended data exposure and compliance/privacy risk.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
destroy() claims to stop the timer, but startCleanupTimer() creates an interval without saving its handle, so the active cleanup loop continues running. This can keep the process alive, continue touching persisted data unexpectedly, and create resource leaks or behavior that callers believe has been shut down.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The code marks memories as compressed by setting `memory.compressed = true` without actually compressing data. This can mislead downstream logic into skipping real compression/decompression steps, causing integrity issues, storage planning mistakes, or failures when other components trust the flag and process data incorrectly.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The method documentation says it clears all layers, but the implementation only clears L0 and explicitly preserves L1/L2 data. This can cause callers to incorrectly assume sensitive or regulated data has been deleted when it still remains in warm/cold storage, creating a data retention and privacy risk.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
This file masquerades as tsconfig.json but contains executable Node.js code instead of JSON configuration. That mismatch is dangerous because developers, tools, or reviewers may trust the filename and overlook that it performs file system access, console output, and process termination when executed, creating a deceptive execution surface and increasing supply-chain/review risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The classifier forwards raw user content into an LLM request path without any consent, disclosure, or data-minimization control. If the LLM backend is external or remotely hosted, sensitive user text could be transmitted off-device or to a third party unexpectedly, creating a privacy and compliance risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly promotes automatic processing of memories across sensitive categories including personal, health, and finance, but provides no privacy notice, consent model, retention policy, or data handling safeguards. In a memory-management context, this omission can cause users to submit highly sensitive content under the assumption it is processed safely, increasing risk of privacy harm, policy violations, and accidental exposure.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation states the classifier falls back to LLM-based classification when confidence is low, but does not warn that memory content may be transmitted to an external provider or model endpoint. Because the system is designed to process memory data that may include personal, health, financial, or work content, silent external transmission materially raises confidentiality, compliance, and third-party data exposure risks.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The relation discovery feature describes a memory registry that retains historical memories and cross-correlates them to infer relationships, but does not warn users about retention or secondary analysis of past content. This creates privacy risk because cross-linking historical records can reveal sensitive patterns, associations, and inferred attributes beyond what users expect from a single-memory analysis workflow.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Raw memory files are aggregated and sent to the chat component for processing, which can expose sensitive personal or operational data to an external model service once the placeholder is replaced with a real API. In a memory-curation skill, the data being handled is likely highly sensitive, so transmitting it without explicit user consent, disclosure, or controls materially increases privacy and data-leak risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill automatically deletes old memory files from the raw memory directory based solely on filename-derived dates, with no confirmation, dry-run, backup, or safety guard. In a memory-management context, this can cause irreversible loss of user data, especially if retention settings are misconfigured or filenames are malformed but still parse as old dates.

Missing User Warnings

High
Confidence
76% confidence
Finding
The clear() method irreversibly wipes the entire in-memory graph and, when autoSave is enabled, persists the empty state to disk with no guardrails, authorization checks, backup, or recovery path. In an agent skill or tool context, a mistaken invocation, prompt injection through tool use, or misuse by an untrusted caller could cause total knowledge-base destruction and permanent data loss.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The component writes all stored memories to local disk automatically, but there is no explicit warning, consent flow, or prominent API signal that sensitive memory contents are persisted. In a memory-storage skill, this is especially risky because stored content may include secrets, personal data, or conversation history that users assume remains only in RAM.

Missing User Warnings

High
Confidence
86% confidence
Finding
The document proposes deep emotional inference, trigger analysis, and optional therapeutic suggestions over user memory data without any safeguards, consent model, or limits on sensitive psychological profiling. In an agent skill context, these features can lead to invasive inference, unsafe mental-health guidance, and mishandling of highly sensitive personal data.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The integration plugin design explicitly contemplates connecting memory data to third-party systems such as messaging, calendar, tasks, and email, but provides no controls for data minimization, user authorization, or transmission security. In a memory-management skill, this increases the risk of unintended disclosure of personal or sensitive stored information to external services.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill reads local memory files from disk under process.cwd()/memory, including MEMORY.md, daily/*.md, and wiki/*.md, then returns retrieved content based on user query. In an agent-skill context, this can expose locally stored sensitive data to prompts or downstream consumers without any access control, consent gating, path restrictions beyond a fixed subtree, or disclosure that local files are being mined.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill advertises emotion analysis, trigger detection, therapeutic insights, and real-time monitoring over user memories, which strongly suggests processing of highly sensitive personal and psychological data. Presenting these capabilities without any visible privacy notice, consent flow, retention limits, or data-handling safeguards creates a real privacy and safety risk, especially if users store intimate conversations or mental-health-related content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code persists raw user-provided context, action, result, feedback, and optional skill linkage to local JSON files with no consent, minimization, redaction, or access controls. In an agent setting, these fields can contain prompts, secrets, file paths, API responses, or sensitive operational metadata, creating a privacy and data-exposure risk if the host is multi-user, backed up, or later exfiltrated.

Ssd 3

Medium
Confidence
95% confidence
Finding
The capture flow allows callers to set skipFilter=true, which bypasses sensitive-data filtering and writes raw user content directly into persistent memory files. In a memory-retention module, this creates a straightforward path for secrets, personal data, or regulated information to be stored long-term in plain language, increasing exposure through later reads, backups, logs, or compromise of the host.

Ssd 3

Medium
Confidence
93% confidence
Finding
This module is explicitly designed to persist raw natural-language content and user preferences to local files such as MEMORY.md and date-based markdown logs. Even with a filter step, the core design creates a durable data-retention channel that can capture sensitive information, making downstream disclosure, over-retention, and unintended reuse materially more likely.

VirusTotal

67/67 vendors flagged this skill as clean.
