Auto Memory

Security checks across malware telemetry and agentic risk

Overview

This memory skill appears useful for long-term agent memory, but it persists and shares conversation-derived content too broadly and may send memory content to a remote model without clear opt-in or redaction.

Install only if you are comfortable with conversation content being stored long term and potentially reused across agents. Avoid using it around secrets, customer data, regulated data, or proprietary material unless the publisher adds clear opt-in controls, redaction, remote-summarization disclosure, retention limits, and a simple way to inspect and delete stored memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and documents capabilities that read/write persistent files, invoke scripts, use environment data, and interact with an external LLM/network, yet no permissions are declared. This creates a trust and review gap: operators may install it believing it is lower privilege than it actually is, while the documented behavior includes broad access to memory content and persistent storage.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior goes beyond a simple local memory manager: it archives and shares learning data across agents, updates indexes, writes long-term memory, and sends memory fragments to an external LLM for summarization. This mismatch is dangerous because users may consent to benign-seeming memory management without realizing their historical conversation content may be propagated, retained longer, or transmitted off-box.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script appends raw user and assistant conversation excerpts directly into persistent memory and shared knowledge files while claiming sensitive-information protection. Because there is no redaction, classification, consent gate, or masking step, any secrets, personal data, credentials, or proprietary content mentioned in sessions can be permanently stored and later exposed to other tooling or users.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script is designed to write conversation-derived 'shared' errors and best practices into a cross-agent shared directory, expanding access beyond the originating agent. In the context of a memory system that advertises sensitive-information protection, this cross-agent propagation materially increases the blast radius of any captured confidential or user-specific content.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script reads recent memory content and sends up to 1500 characters to a remote chat-completions endpoint without any redaction, consent prompt, or data-classification check. Given the skill description explicitly promises sensitive-information protection, this behavior creates a direct confidentiality risk because memory files commonly contain secrets, personal data, or internal operational context.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly states that all conversations are automatically recorded to session files and important content is extracted into memory files, but it does not warn users about retention, review, consent, or sensitive-data handling. In a memory skill, this omission materially increases privacy risk because users may unknowingly persist secrets, personal data, or regulated information beyond the immediate session.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script silently persists session content and may also copy user-derived material into shared files without any explicit user notice or consent flow. That creates a privacy and compliance risk because users may reasonably expect transient chat handling, not durable storage and cross-agent dissemination.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script silently transmits memory-file content to an external model API with no user-facing warning or confirmation. In the context of an agent memory system, users may reasonably expect local processing, so undisclosed exfiltration of memory content increases privacy and compliance risk even if the remote API is legitimate.

Ssd 3

High
Confidence
99% confidence
Finding
The extraction logic intentionally captures broad user and assistant content and stores it in plain-language markdown files, only truncating for length rather than sensitivity. In an agent-memory context, this creates persistent retention of potentially sensitive conversational data and makes later unintended disclosure much more likely.

Ssd 3

High
Confidence
99% confidence
Finding
The sharing logic copies user-originated error contexts and best-practice content into shared cross-agent files based on simplistic keyword checks like API, network, config, or permissions. Because these checks do not remove secrets or user-specific details, they create a straightforward semantic data-leak channel from one agent's private session into a broader shared corpus.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# create directories
mkdir -p ~/.openclaw/scripts
mkdir -p ~/.openclaw/workspace/memory/archive
mkdir -p ~/.openclaw/workspace/.learnings/shared
```
Confidence
90% confidence
Finding
mkdir -p ~/.openclaw/scripts mkdir -p ~/.openclaw/workspace/memory/archive mkdir -p ~/.openclaw/workspace/.learnings/shared # download scripts # extract-memory.sh (v3.0 LLM-enhanced edition) # update-long-memory.sh # set permissions c

VirusTotal

64/64 vendors flagged this skill as clean.