GitHub Memory Sync

Security checks across malware telemetry and agentic risk

Overview

This is a real GitHub backup skill, but it can upload highly sensitive OpenClaw memory and configuration files with weak guardrails and a risky cron default.

Install only if you intentionally want OpenClaw identity, memory, tool configuration, skills, and related workspace files backed up to GitHub. Use a private repository that you own, set GITHUB_REPO explicitly, remove or change the davinwang/openclaw-memory cron default, use a fine-grained token limited to that one repo, avoid placing the token in ~/.bashrc or inline cron entries, review the exact files before pushing, and keep a local backup before any restore.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • YARA Signatures: Malware Match, Webshell Match, Cryptominer Match
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list includes generic phrases such as “同步配置”, “恢复备份”, and “检查同步状态”, which are common operational requests not uniquely tied to GitHub backup of workspace memory. In an agent environment, this can cause the skill to activate on unrelated user intents and perform or prepare high-risk backup/restore actions involving sensitive files.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest description advertises activation on broad phrases like “sync memory” and “migrate server,” which are ambiguous and likely to overlap with many benign administrative requests. Because this skill handles highly sensitive workspace files and credentials, accidental invocation increases the chance of unintended disclosure, overwrite, or destructive restore behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The push flow uploads the workspace, including memory, identity, tools, skills, avatars, and agent configuration files, to a remote GitHub repository without any explicit confirmation, preview, or warning about the sensitivity of the data being transmitted. In this skill’s context, these files likely contain secrets, personal data, prompts, and operational configuration, so silent exfiltration to a third-party service is materially dangerous.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The pull flow copies repository contents back into the local workspace and can overwrite trusted local configuration and memory files without prompting, backup, or conflict handling. Because this workspace includes agent identity, memory, tools, and skills, a remote repository compromise or operator mistake could replace local state with malicious or destructive content.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Edit crontab
crontab -e

# Add a scheduled task (daily at 2:30 AM)
30 2 * * * cd /root/.openclaw/workspace/skills/github-memory-sync && \
```
Confidence
91% confidence
Finding
crontab -e

YARA rule 'backdoor_persistence': Backdoor persistence with malicious payloads (shell commands, SSH key injection, hidden root users) [malware]

High
Category
YARA Match
Content
**Version**: 1.1.0  
**Author**: OpenClaw Workspace  
**License**: MIT
Confidence
87% confidence
Finding
crontab -l 2>/dev/null; echo "30 2 * * * /root/.openclaw/workspace/skills/github-memory-sync; echo 'export GITHUBTOKEN="github_pat_xxx"' >> ~/.bashrc; echo 'export GITHUB_REPO="davinwang/openclaw-memo

VirusTotal

65/65 vendors flagged this skill as clean.
