Awareness Memory

Security checks across malware telemetry and agentic risk

Overview

This memory skill is broadly aligned with its stated purpose, but it automatically starts services, initiates cloud authentication, persists credentials, and can import past OpenClaw history, none of which is fully disclosed in its frontmatter.

Review before installing, especially in sensitive workspaces. Use it only if you are comfortable with prompt text, memory records, and possibly prior OpenClaw memory/session snippets being stored locally or sent to the Awareness API when cloud credentials are configured. Prefer an explicitly started local daemon for sensitive data, and check or remove shell-profile/global OpenClaw credential writes if you do not want broad persistence. VirusTotal was pending and did not drive this verdict.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (58)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill declares no permissions while its documented behavior includes network communication and use of environment-stored credentials. This is dangerous because it conceals a meaningful trust boundary: user prompts are transmitted off-device and secrets/config from the environment may be consumed without an explicit permission model, undermining informed consent and platform enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
The skill description materially understates behavior by presenting simple local-first memory while the documented implementation includes browser auth, credential persistence, remote API interactions, import/sync of existing memory files, and local daemon/bootstrap actions. That mismatch is dangerous because users may authorize or invoke the skill without realizing it can import historical data, modify files, and establish ongoing cloud-linked state.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The manifest suggests only checkpoint saving, but the documentation discloses broader pre-prompt transmission of user prompt text for semantic recall. This is dangerous because the highest-sensitivity data often appears in prompts, so the omission can cause users to expose proprietary or sensitive text under an incomplete mental model of what leaves the machine.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest suggests only checkpoint saving, but the documentation discloses broader pre-prompt transmission of user prompt text for semantic recall. This is dangerous because the highest-sensitivity data often appears in prompts, so the omission can cause users to expose proprietary or sensitive text under an incomplete mental model of what leaves the machine.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The body text advertises persistent cloud memory across sessions, devices, and projects, which directly conflicts with the manifest's local-first positioning. In a memory skill, this contradiction increases danger because users may expose cross-project context and private prompts to a shared remote service under false assumptions about locality and isolation.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The skill is presented as a local memory tool, but it also exposes agent-prompt retrieval and skill application/usage-reporting capabilities that materially expand its authority beyond the stated purpose. This mismatch can mislead users or host systems about what the component can do, increasing the chance that broader orchestration features are enabled without appropriate review or least-privilege controls.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The code automatically executes `npx -y @awareness-sdk/local start`, which can download and run package code at runtime without explicit user confirmation. Even though it targets localhost afterward, this behavior introduces a supply-chain and arbitrary code execution risk that is far more powerful than a simple memory bridge and is not clearly justified by the stated skill scope.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script reads historical OpenClaw session transcripts and memory files from the user's filesystem, then uploads them into Awareness via either a local MCP endpoint or a remote API. This exceeds the stated 'local-first' expectation and can silently transfer unrelated conversational history, including sensitive user data, across application boundaries without clear user awareness.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code harvests session JSONL files from ~/.openclaw/agents/main/sessions, which is a separate application data store, and repackages their contents into Awareness memory. Cross-application collection of prior assistant/user conversations is dangerous because it broadens data access beyond the skill's apparent purpose and can ingest secrets, credentials, or sensitive prompts from unrelated workflows.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script explicitly falls back to cloud REST API calls and sends lookup parameters such as queries, session identifiers, and context filters to a remote service. That behavior conflicts with the skill's 'local-first, no account needed' framing and can mislead users into exposing memory contents off-device without clear disclosure or consent.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script silently patches a separate global OpenClaw configuration file and also writes credentials into a cross-compatibility plugin entry, expanding the scope of credential propagation beyond this skill's own storage. This increases the blast radius of the API key because other components that read the shared config may now gain access to the credential or be influenced by unexpected configuration changes.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill advertises 'local-first, no account needed', but this hook automatically initiates remote device authentication and later sends prompt-derived queries to cloud services when credentials are present. That creates a trust and privacy gap: users may expose prompts and metadata to a remote service under assumptions that the feature is strictly local or account-free.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The recall hook exceeds its declared purpose by performing account-setup orchestration and spawning a detached background poller. Hidden background execution broadens the attack surface and can surprise users or host environments, especially because it persists beyond the invoking process and is triggered from a prompt-processing path.

Context-Inappropriate Capability

Low
Confidence
87% confidence
Finding
On first run, the hook silently starts a detached import process to migrate OpenClaw history, which is behavior not described in the manifest for a memory recall feature. Even if intended as convenience, silent migration can access and process additional historical data without clear consent, increasing privacy and transparency risks.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script sends recorded memory content to a second destination via syncRecordToOpenClaw in addition to the declared local/cloud awareness backend. That creates an undisclosed exfiltration path for potentially sensitive user memory data, which is especially dangerous because this skill is marketed as local-first and persistent across sessions, so users may store secrets, code, and task history they do not expect to leave the configured memory system.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The import and surrounding script behavior establish a built-in secondary synchronization mechanism for a memory-recording tool without justification in the described skill behavior. In a memory skill, this is more dangerous than usual because the collected content can include prior decisions, code, tasks, and other sensitive cross-session context, so hidden replication materially increases privacy and data-loss risk.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script explicitly falls back to a cloud REST API and sends the user's memory search query, optional keyword query, IDs, agent role, and potentially a user_id to `/memories/{memoryId}/retrieve`. In a skill marketed as 'local-first, no account needed,' this creates a privacy and trust mismatch: sensitive memory lookups may leave the local machine without an obvious warning or consent gate, increasing risk of unintended data disclosure.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script clearly implements cloud authentication, remote API calls, and remote memory selection/creation while the skill metadata claims local-first memory with no account required. This mismatch is security-relevant because users may consent under false assumptions and expose prompts, memory contents, and API credentials to a remote service they did not expect.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script appends or rewrites shell startup files to export API credentials globally for future sessions. Persisting secrets into ~/.bashrc, ~/.zshrc, or ~/.profile broadens exposure to other local processes, accidental leakage through shell diagnostics/history, and unintended reuse outside the skill's scope.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The 'Zero external dependencies' comment is misleading in context because the script depends on external network services for authentication and memory management. While not a code-execution flaw by itself, deceptive or inaccurate setup messaging undermines informed consent and can cause users to run a networked credential-provisioning flow they believe is self-contained.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The helper silently spawns a detached subprocess (`npx -y @awareness-sdk/local start`) when the local daemon is unavailable. Even if intended for convenience, automatic process execution expands the skill's behavior beyond passive memory access and can trigger unexpected package execution, background services, or network activity without explicit user consent.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata advertises the feature as 'local-first, no account needed,' but the documented default behavior relies on a cloud API and browser-based authorization. This is dangerous because users may enable the skill under a false privacy assumption and unknowingly allow prompt data to be transmitted off-host.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The body of the skill states that users have 'persistent cloud memory' across sessions, devices, and projects, which directly contradicts the manifest's privacy-oriented description. Such contradictory messaging increases the chance of uninformed consent and unsafe deployment in environments where operators expect strictly local handling of conversational data.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script writes an API key and memory ID into a global ~/.openclaw/openclaw.json file outside the skill's own storage boundary, affecting other components through cross-compatibility hooks. This broadens the trust boundary and can unintentionally expose credentials to other plugins, skills, or processes that read the shared config, increasing the blast radius of compromise or misconfiguration.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The hook automatically initiates remote device authentication and later performs cloud memory retrieval, even though the skill is presented as local-first and runs at prompt-submission time. That creates undisclosed network side effects and can expose prompt-derived data, auth state, or user interaction metadata to a remote service without explicit opt-in at the moment the hook executes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal