Vector Mind Map Fusion

Security checks across malware telemetry and agentic risk

Overview

This is a real semantic-memory skill, but it also has under-disclosed background scanning, credential use, and outbound messaging that users should review before installing.

Install only if you are comfortable with this skill reading OpenClaw session history, storing cross-session memory, and sending memory/query text to the configured embedding service. Review or disable the Lark/Feishu notification path, avoid remote OLLAMA_BASE_URL values unless explicitly trusted, and do not use it on sessions containing secrets until retention, deletion, and redaction controls are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill declares no permissions, yet its documented behavior and referenced tooling imply access to environment variables, local files, writes to persistent storage, and network services. This creates a trust and review gap: operators may approve or invoke the skill without understanding its actual access level, which is especially risky for a memory system that scans sessions and persists data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
A memory/knowledge-graph skill should not silently include unrelated behaviors such as reading local Lark credential files, requesting tenant access tokens, and sending messages to external users unless clearly disclosed and justified. This mismatch is dangerous because it can exfiltrate conversation-derived data or operational reports through an unexpected external channel using local secrets.

Context-Inappropriate Capability

Low
Confidence
77% confidence
Finding
The configuration grants the skill visibility into an external session-history directory under the user's home directory, which extends its data reach beyond the stated semantic-memory storage paths. In a memory-fusion skill, access to broader agent session logs can enable collection and indexing of unrelated conversations or secrets, increasing privacy and data-minimization risk if other components consume this path.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The checkpoint logic is internally inconsistent: recovery filters previously processed items by content_hash, but the code later saves chunk IDs into the checkpoint set. After a crash or restart, the resumed run may fail to recognize already processed entries and reprocess or duplicate memory records, undermining integrity and potentially causing stale, duplicated, or conflicting semantic memory state. In a memory-consolidation pipeline, corruption of stored knowledge can cascade into later retrieval and reasoning.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The cron entry point performs outbound Feishu messaging and includes operational metadata from L1/L2/L3 processing, which expands the skill beyond its declared memory-fusion purpose. Even if intended as observability, this creates an additional exfiltration channel for internal processing details and user-linked identifiers, increasing privacy and attack surface in a component that should primarily manage semantic memory.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
This code requests a Feishu tenant token and makes external network calls unrelated to core memory-graph construction. In the context of a memory-management skill, hidden external communications are risky because they enable transfer of run metadata and create dependence on locally available secrets not necessary for the stated function.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code reads an application secret directly from a home-directory secrets file at runtime. Accessing local secrets from within a memory-processing skill is dangerous because it grants the component credential access outside its declared scope, and any compromise or misuse of the skill can leverage those secrets for unauthorized API access.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The recall path performs a state-changing write (`update_access`) as part of a read-style query operation, which means simply searching memory mutates metadata such as access counters and warm/cold tiering. In a memory system, this can skew ranking, retention, and lifecycle behavior, and an attacker or buggy caller could repeatedly query selected content to bias promotion or prevent decay without any separate write permission.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger conditions are very broad and map common conversational phrases like '整理一下' or '记住' directly to memory extraction, consolidation, or recall actions. In a memory-management skill that performs persistent storage and scheduled processing, this can cause unintended activation, accidental retention of sensitive content, or retrieval of prior data when the user did not intend to invoke the system.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README describes persistent storage, scheduled scanning of session data, and incremental deletion/modification flows, but does not clearly warn users that conversation content may be retained, transformed, merged, and later recalled. In a semantic memory skill, that omission is security-relevant because users may unknowingly expose sensitive or regulated data to long-term storage and automated processing.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad everyday expressions such as '记住', '整理一下', and '搜索记忆', which can cause unintended activation during normal conversation. In a skill that scans sessions and stores long-term memory, accidental triggering can lead to over-collection, persistence of sensitive content, or background processing the user did not intend.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger-condition table still lacks boundaries, negative examples, and safeguards for when the skill must not run. Because this skill performs durable memory operations and scheduled processing, vague activation criteria increase the chance of collecting or restructuring data without meaningful user intent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill describes scanning session data and building long-term semantic memory, but it does not clearly warn users that their content may be persistently stored and cross-session linked. This undermines informed consent and can expose sensitive personal or organizational information far beyond the immediate interaction.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documented scheduled scans and incremental background processing mean user data may be processed automatically after the initial interaction, but the file does not warn users about this ongoing behavior. Background handling increases privacy and surprise risks because data may be revisited, consolidated, and archived without a fresh prompt.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The code sends raw chunk content to a local HTTP embedding service without any consent, minimization, or sensitivity gating. In this skill's context, the system is explicitly designed to ingest and remember potentially sensitive user knowledge, including items classified as passwords, tokens, private keys, and credentials, so forwarding raw memory content to another process materially increases privacy and secret-exposure risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The encoder sends raw chunk text to an HTTP embedding endpoint via OLLAMA_BASE_URL, which is environment-configurable and not restricted to localhost or TLS. Because this skill is explicitly designed to store and process user memory and structured knowledge, those chunks may contain sensitive personal or organizational data; if the endpoint is remote, misconfigured, or intercepted, confidential content can be exposed without clear consent or trust validation. The memory-skill context makes this more dangerous because it concentrates long-lived, cross-session sensitive data.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The skill silently consumes Feishu credentials from a local file without any user-facing disclosure in this code path. In a cron-executed background task, this lack of transparency is risky because operators may not realize the job has credentialed outbound messaging capability, making unauthorized data disclosure harder to detect.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
User query text is sent to the embedding service over plain HTTP by default (`http://localhost:11434`), with no transport security or user-facing disclosure. In this skill's context, queries may contain sensitive remembered information, so forwarding them to another service can expose private data to local network interception, unintended service boundaries, or logging outside the memory subsystem.

Missing User Warnings

Low
Confidence
80% confidence
Finding
A recall operation implicitly writes metadata back to the database without clear indication that a read also changes persistent state. While this overlaps with the state-integrity issue above, it is still a real transparency and privacy concern because users and higher-level callers may assume lookup is non-mutating when it actually leaves an access trail and influences future retrieval behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script blindly exports every key/value from .env into the process environment using command substitution and xargs. This is risky because malformed or unexpected .env content can alter runtime behavior, and all spawned child processes inherit sensitive secrets without any minimization or warning, increasing the chance of accidental exposure.

Credential Access

High
Category
Privilege Escalation
Content
# Load environment variables
if [ -f .env ]; then
    echo "[启动] 加载 .env 配置"
    export $(cat .env | grep -v '^#' | xargs)
fi
Confidence
89% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
# Load environment variables
if [ -f .env ]; then
    echo "[启动] 加载 .env 配置"
    export $(cat .env | grep -v '^#' | xargs)
fi

# Check dependencies
Confidence
88% confidence
Finding
.env

External Script Fetching

High
Category
Supply Chain
Content
```bash
# macOS/Linux
curl -fsSL https://ollama.com/install.sh | sh
# Windows: https://ollama.com/download
```
Confidence
98% confidence
Finding
curl -fsSL https://ollama.com/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# macOS/Linux
curl -fsSL https://ollama.com/install.sh | sh
# Windows: https://ollama.com/download
```
Confidence
97% confidence
Finding
| sh

VirusTotal

66/66 vendors flagged this skill as clean.