Metaclaw

Security checks across malware telemetry and agentic risk

Overview

MetaClaw is a coherent local memory-management skill, but it should be used carefully because it can read and overwrite local memory files and can send session content to a local Ollama service.

Install only if you want a local OpenClaw memory system that can read and update your workspace memory. Start with --dry-run and auto-fix preview modes, review diffs before using --allow-write, confirm your local Ollama service is trusted, and do not add the cron or heartbeat hooks unless you are comfortable with unattended memory maintenance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
```python
    # Try LCM via openclaw command (if available)
    try:
        result = os.popen("lcm_describe 2>/dev/null").read()
        if result:
            return result
    except Exception as e:
```
Confidence
90% confidence
Finding
result = os.popen("lcm_describe 2>/dev/null").read()

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation describes capabilities that read and write local files, invoke shell commands, install dependencies, and use network-capable components, yet no explicit permissions or safety boundaries are declared. This is dangerous because operators may treat the skill as lower-risk than it is and execute commands that modify memory data, install packages, or access external/local services without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The declared description presents the skill as generic memory management and evolution, but the content also includes static-analysis actions, auto-fix that can rewrite skill files, dependency installation, and references to external local LLM-backed processing. This mismatch increases the chance that a user will invoke broader and riskier behavior than expected, including self-modification and writes to user memory or skill assets.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script's stated job is extracting memory from session content, but it also executes an external command to retrieve content. That expands attack surface and can pull data from an unexpected source or execute a malicious helper if the environment is tampered with, making the behavior riskier than simple file parsing. In a skill handling conversational memory, this can expose or ingest unintended data.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script includes an auto-fix path that can modify skill files, which expands its capability from evaluation into write operations. Even though writes are gated behind --allow-write, this still creates a potentially dangerous surface because an evaluation tool may be invoked in automation or by users who do not fully understand that it can alter repository contents.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code deletes old backup files and empty files under references/, which is a destructive capability not necessary for a pure evaluator. In a skill-management context, this is more dangerous because repositories may contain intentionally empty sentinel files or backups needed for recovery, so invoking the tool with write permissions can cause silent data loss.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises automatic memory extraction and consolidation that can update persistent memory files, but it does not clearly warn users that stored data may be modified automatically. This increases the risk of unintended data alteration, overwriting, or privacy-impacting persistence because users may run the feature assuming it is read-only.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README includes an auto-fix command with `--allow-write` that can modify skill files, but it does not prominently warn that execution changes code or configuration on disk. Users may invoke it expecting analysis only, creating risk of unintended self-modification, corruption of skill contents, or supply-chain style abuse if the fixer behavior is unsafe.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises automatic memory extraction into files like preferences.md and project-state.md and automatic consolidation, but it does not clearly warn that user data will be created, altered, or merged. In a memory-management context this is especially sensitive because silent writes can corrupt user state, introduce inaccurate summaries, or overwrite manually curated information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The cron-based auto-dream consolidation schedules unattended execution of a script that may modify memory files, but the documentation does not clearly warn about automatic state changes during scheduled runs. Unattended writes increase risk because modifications can occur outside user review, making corruption or undesired summarization harder to detect and revert.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script transmits full session content to the Ollama HTTP API for processing without any explicit user warning or consent mechanism. Even though the endpoint is localhost, conversational memory may contain secrets or personal data, and local model servers are still separate processing components that can log, retain, or expose submitted content. In a memory-management skill, this context increases sensitivity because the data is explicitly user/session memory.

Self-Modification

High
Category
Rogue Agent
Content
```bash
python3 scripts/skill-eval.py --layer1 skills/metaclaw/

# Auto-fix (with --allow-write to write changes)
python3 scripts/skill-eval.py --auto-fix --allow-write skills/metaclaw/
```
Confidence
96% confidence
Finding
write skill

Self-Modification

High
Category
Rogue Agent
Content
```bash
python3 scripts/skill-eval.py --auto-fix skills/metaclaw/

# Auto-fix (with writing enabled)
python3 scripts/skill-eval.py --auto-fix --allow-write skills/metaclaw/
```
Confidence
96% confidence
Finding
write skill

Session Persistence

Medium
Category
Rogue Agent
Content
### Cron Job (Optional)

```bash
# crontab -e
# Daily Auto-Dream consolidation (03:00)
0 3 * * * "$HOME/.openclaw/workspace/scripts/memory-digest-enhanced.sh" --auto-dream
```
Confidence
91% confidence
Finding
crontab -e

Session Persistence

Medium
Category
Rogue Agent
Content
### Cron Integration

```bash
# crontab -e
# Daily Auto-Dream consolidation (optional)
0 3 * * * "$HOME/.openclaw/workspace/scripts/memory-digest-enhanced.sh" --auto-dream
```
Confidence
91% confidence
Finding
crontab -e

VirusTotal

64/64 vendors flagged this skill as clean.