Memory Dreaming (Safe Edition)

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate memory-maintenance purpose, but its automatic cron instructions can read private agent history and modify persistent memory or vault files without the confirmation promised in the main documentation.

Review this carefully before installing. It is not showing evidence of exfiltration or destructive intent, but enabling it means a scheduled agent may mine session transcripts, scan broad workspace areas, and write long-term memory or Obsidian notes. Only use it if you are comfortable with that scope, and prefer disabling transcript scanning, limiting plan search paths, keeping Obsidian sync off until reviewed, and requiring an explicit preview/approval step before any persistent writes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium (93% confidence)
Finding:
The prompt explicitly instructs the agent to access session data under ~/.openclaw/agents/main/sessions and extract user corrections, decisions, and preferences. Even though it tries to limit reads to matched lines, this is still cross-context ingestion of sensitive transcript data beyond the core memory files, and it meaningfully increases privacy exposure and the chance of consolidating sensitive content into durable memory.

Context-Inappropriate Capability

Medium (84% confidence)
Finding:
The prompt performs broad discovery across ~/.openclaw/workspace to find task_plan.md files, which can sweep unrelated projects and expose metadata from areas not obviously part of this skill's intended scope. In a memory-maintenance skill, this kind of workspace-wide enumeration creates unnecessary data access and increases the blast radius of accidental collection.

Vague Triggers

Medium (93% confidence)
Finding:
The phrase "Dream now" is highly ambiguous and can be matched accidentally in casual conversation, making unintended activation more likely. In this skill, activation initiates analysis over stored memories and may lead toward external sync proposals, so accidental triggering increases privacy and scope-risk even if writes still require confirmation.

Vague Triggers

Medium (93% confidence)
Finding:
The phrase "Dream now" is highly ambiguous and can be matched accidentally in casual conversation, making unintended activation more likely. In this skill, activation initiates analysis over stored memories and may lead toward external sync proposals, so accidental triggering increases privacy and scope-risk even if writes still require confirmation.

Missing User Warnings

Medium (88% confidence)
Finding:
The instructions direct automatic edits to MEMORY.md and related state files without any user-facing notice, confirmation, or dry-run option. Silent mutation of long-term memory can persist mistakes, overwrite prior context, and create hard-to-audit changes in a sensitive user data store.

Missing User Warnings

High (96% confidence)
Finding:
The skill description does not warn that it mines session transcripts for user facts, decisions, and preferences, despite the prompt clearly directing that behavior. This lack of transparency is dangerous because users may invoke the skill expecting maintenance of existing memory artifacts, not extraction of additional personal data from broader conversation history.

Missing User Warnings

Medium (95% confidence)
Finding:
The prompt instructs the agent to create and update notes in an external Obsidian vault, including plans, people, projects, and tools, without a prominent warning or confirmation step. Writing consolidated user data into an external knowledge base broadens exposure, may leak sensitive information into synced systems, and can be difficult to reverse once propagated.

Missing User Warnings

Medium (89% confidence)
Finding:
The document describes automatic creation and updating of files in an Obsidian vault, including scanning the workspace for `task_plan.md` files and syncing them into human-facing notes, but it does not prominently warn that this behavior modifies user files outside the immediate consolidation output. In this skill context, that is risky because the vault is presented as a source of truth and may contain manually curated notes; silent or implicit writes can lead to unintended data propagation, privacy leakage, or user surprise, especially when any plan anywhere in the workspace is auto-imported.

VirusTotal

VirusTotal findings are pending for this skill version.
