TokenSaver

Security checks across malware telemetry and agentic risk

Overview

TokenSaver is a real local memory/search tool, but it can index and persist sensitive workspace, profile, business, health, and mental-state data without clear consent or retention controls.

Install only if you are comfortable with a local memory system that may read and retain OpenClaw workspace memory/profile files, query history, summaries, and sensitive personal or business context. Prefer a dedicated test workspace, avoid running the auto-sync/init scripts until reviewed, restrict stored categories, and manually clear ~/.openviking and ~/.openclaw/workspace/.openviking caches when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The cache invalidation logic is inconsistent with how embeddings are actually keyed. add_document/remove_document try to delete cached entries by URI, but get_embedding stores embeddings by an MD5 hash of content, so updated or removed documents leave stale embeddings behind. In a vector search component this can produce incorrect search results, retain deleted content semantically in cache, and break expected data lifecycle behavior.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The test file prepends a hard-coded absolute path to sys.path, which causes imports to resolve from an external local directory before the project under test. In environments where that path exists or is attacker-controlled, this can lead to unintended code being imported and executed during test runs, creating a code execution and supply-chain style risk.

Missing User Warnings

Medium
Confidence: 73%
Finding
The FastAPI example exposes a write endpoint that accepts arbitrary user-provided content and persists it without showing any authentication, authorization, validation, size limits, or warnings about storage handling. As published sample code for an agent skill, this can encourage insecure copy-paste deployment, leading to unauthorized data injection, storage abuse, and potential persistence of sensitive or malicious content.

Missing User Warnings

Medium
Confidence: 83%
Finding
The skill advertises saving, backup/restore, and automatic compression of user memories without clearly warning that these actions can alter, summarize, or overwrite stored user data. In an agent context, users may reasonably assume storage is passive; undisclosed modification behavior can lead to integrity loss, confusing restores, or unintended retention/transformation of sensitive content.

Missing User Warnings

Low
Confidence: 87%
Finding
The function sends the provided query directly to a context-search backend via client.find() without any explicit user notice, consent step, or data-sensitivity check. In an agent setting, queries may contain prompts, secrets, or personal data, so silent transmission to an external or separate retrieval system creates a real privacy and data-governance risk even if the code is not overtly malicious.

Missing User Warnings

Medium
Confidence: 84%
Finding
The script writes a generated summary into a fixed path under the user's home directory without any prior consent, configurability, or safety checks. Because the content is derived from context-database search results and may contain sensitive personal or operational information, this creates a privacy and data-handling risk through unintended persistence to disk.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script reads multiple local markdown files, including identity- and memory-related documents, and sends their full contents to an external client via save_memory without any consent prompt, destination disclosure, or data classification checks. In an agent-skill context, this can silently exfiltrate sensitive personal, behavioral, or system-instruction data to a remote service, especially because file names like MEMORY, USER, SOUL, AGENTS, and IDENTITY strongly suggest high-value confidential content.

Missing User Warnings

Medium
Confidence: 94%
Finding
The code persistently writes recent queries, loaded URIs, and query history to a cache file under the user's workspace without any consent, minimization, encryption, or access-control checks. Because queries and referenced context can contain sensitive business, personal, or operational information, this creates an unintended local data-retention channel and increases exposure to other local users, backup systems, or later compromise of the host.

Missing User Warnings

Medium
Confidence: 96%
Finding
The indexing routine automatically reads MEMORY.md, context-summary.md, AGENTS.md, USER.md, and memory/*.md and batches their full contents into the vector store. In this skill context, those files are likely to contain highly sensitive prompts, user profile data, long-term memory, and workspace history, so indiscriminate ingestion materially broadens the exposure surface and may leak private data through retrieval, persistence, embedding storage, or downstream components.

Missing User Warnings

Medium
Confidence: 92%
Finding
The export function writes aggregated stored contexts to any caller-supplied output path, which can expose a large collection of potentially sensitive data in one operation. In an agent/skill setting, this becomes more dangerous because a higher-level workflow could pass untrusted paths or trigger bulk disclosure without meaningful consent boundaries.

Missing User Warnings

Medium
Confidence: 87%
Finding
The import operation ingests attacker-controlled JSON and writes contexts into persistent local storage without trust validation, schema enforcement, or explicit consent controls. In skill contexts, imported data can poison future retrieval results, overwrite expected records when merge is enabled, and persist malicious or misleading content across sessions.

Ssd 3

Medium
Confidence: 95%
Finding
These prompts direct the model to extract, retain, and summarize sensitive personal and health information from conversations as memory-like artifacts, including mental state, sleep routines, supplements, and business-sensitive data. Without explicit consent, minimization, retention limits, and access controls, this creates a substantial privacy risk and increases the chance of unauthorized profiling, over-retention, or disclosure of sensitive attributes.

Ssd 3

Medium
Confidence: 97%
Finding
This abstract prompt treats emotional state, routine status, physical stats, supplements, and business details as the AI's ongoing core memory, effectively normalizing persistent profiling of sensitive attributes. In the context of an assistant skill, this is more dangerous because it encourages continuous synthesis of health and mental-condition data into reusable memory, amplifying exposure if the memory store is queried, leaked, or reused outside the user's expectation.

VirusTotal

VirusTotal findings are pending for this skill version.