Karpathy LLM Memory Wiki

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent OpenClaw knowledge-wiki tool with disclosed local memory changes and optional automation, not evidence of malicious behavior.

Install this only if you want OpenClaw to maintain a persistent local knowledge wiki. Start with basic setup, review sources before ingestion, avoid queuing sensitive or untrusted URLs, and enable --with-cron or --with-sync only if you are comfortable with scheduled autonomous runs or cloud visibility of the wiki index. Back up memory/wiki and work/wiki-sources before lint-heavy maintenance or uninstalling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding: The script performs actions beyond simple wiki scaffolding by optionally creating scheduled OpenClaw cron jobs and editing another integration script via sed. Even though these behaviors are opt-in, they expand the skill's operational scope into persistence and cross-component modification, which increases risk because running setup can silently establish recurring agent activity and alter unrelated automation in the workspace.

Missing User Warnings

Medium
Confidence: 93%
Finding: The uninstall section instructs users to run a recursive deletion command that permanently removes wiki data and source material, but it does not prominently warn about irreversible data loss or recommend verification/backups first. In a documentation-driven agent workflow, users may copy-paste commands verbatim, making accidental destruction of accumulated knowledge more likely.

Missing User Warnings

Medium
Confidence: 89%
Finding: The skill explicitly instructs the agent to create and modify multiple repository files (`memory/wiki/*`, `work/wiki-sources/ingestion-queue.md`, and logs/indexes) as part of normal execution, but it provides no user-consent checkpoint, dry-run mode, or scoping guard beyond a reference to exclusion zones in another file. In an agent setting, this can lead to unintended persistent changes, propagation of untrusted source content into durable memory, and broad repository mutation from a single invocation.

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill instructs the agent to modify and delete wiki state automatically by trimming logs, changing page status, archiving pages, and updating the index without any explicit user approval or safety gate. In an agent context, these are destructive maintenance actions that can cause silent data loss, incorrect archival, or corruption of knowledge state if the lint pass misclassifies pages or encounters adversarial content.

Missing User Warnings

Medium
Confidence: 91%
Finding: The schema explicitly instructs the agent to fetch remote URLs and to create or modify multiple persistent files (`memory/wiki/*`, logs, and queue state) without any requirement for user confirmation, trust checks, or runtime disclosure. In an agent environment, this creates a real risk of unapproved network access and silent state changes, especially if a prompt or source document causes the ingest/query workflow to run automatically.

VirusTotal

63/63 vendors flagged this skill as clean.