ClawHub

Correction Memory

Security checks across malware telemetry and agentic risk

Overview

This skill persistently saves local correction notes and reuses them in future agent prompts, which is its stated purpose and is disclosed, though users should manage the prompt-memory risk.

Install only if you want correction text saved on disk and reused in later agent prompts. Keep saved corrections short and specific, do not include secrets or proprietary raw prompts, and periodically review or delete files under $OPENCLAW_WORKSPACE/memory/corrections if behavior becomes stale or unwanted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The natural-language trigger "Note that [AgentType]: ..." is broad enough that ordinary conversation or adversarially crafted text could be interpreted as a command to persist a correction. Because those corrections are then replayed into future agent sessions, a one-time prompt can create durable instruction poisoning across sessions for a given agent type.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The description emphasizes convenience but does not clearly warn that user-provided corrections are stored persistently and automatically injected into future sessions. This lack of disclosure undermines informed consent and increases the chance that sensitive, manipulative, or unintended instructions will be retained and propagated beyond the original session.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The API persistently writes correction entries containing free-form issue/correction text and a session_channel field to disk, but provides no consent, notice, minimization, or retention controls beyond a 30-day display filter. In this skill's context, those fields can easily contain sensitive user prompts, agent outputs, moderation decisions, or channel metadata, creating a privacy and data-governance risk if stored unexpectedly or read by other local components.

Ssd 3

Medium
Confidence
95% confidence
Finding
This skill explicitly instructs users to provide free-form natural-language corrections that the system will log and replay into future agent sessions. That creates a persistent prompt-injection channel: malicious or mistaken instructions can be stored as "corrections" and silently influence later agent behavior, potentially altering outputs, bypassing intended controls, or spreading harmful guidance across sessions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal