Cognitive Compaction State Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to compact OpenClaw memory, but it automatically changes local session state and includes a separate config-changing script with limited user-facing disclosure.

Install only if you want a skill that can modify OpenClaw's local memory state. Before use, review the archive path and understand that invoking the skill can move the active daily memory log and replace it with a compacted file; avoid running the included configuration script unless you intentionally want it to rewrite OpenClaw compaction defaults.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill declares no permissions while invoking an external Python script that, per the findings, reads and writes files and modifies persistent state. This creates a transparency and trust problem: users and reviewers are not informed that activating the skill can alter local configuration and memory/log files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The declared purpose is token monitoring/compaction, but the skill behavior extends to modifying ~/.openclaw/openclaw.json, rebuilding malformed config, archiving logs, and resetting memory files. That mismatch is dangerous because it hides materially broader and persistent side effects behind an innocuous description, increasing the chance of unauthorized data loss or environment tampering.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill text mainly instructs the model to create a manual summary while delegating the real state-changing behavior to a backend script. This is risky because the documentation acts as an execution trigger for hidden operational effects, making the true behavior harder to audit and easier to misuse.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill executes an external Python script directly from the skill content, which grants broad code-execution capability beyond a simple summarization or compaction prompt. In this context, that is especially dangerous because the script can perform arbitrary local file and configuration operations under the guise of memory management.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill states that logs will be automatically archived and swapped without clearly warning the user that stored task data will be modified. Silent archival/reset behavior can cause confusion, loss of provenance, or accidental destruction of information the user expected to remain unchanged.

Session Persistence

Medium
Category
Rogue Agent
Content
Your objective now is to summarize the granular operational steps you just took into a dense semantic summary. Focus heavily on your overarching goal, what you have successfully done thus far, and what actions remain.

Once you write the summary, the backend script will automatically archive your unstructured logs and swap in your summary.

## Current State Compaction Action:
!python3 ${OPENCLAW_SKILL_DIR:-~/.openclaw/skills/cognitive-compaction}/scripts/flush_state.py
Confidence
88% confidence
Finding
write the summary, the backend script will automatically archive your unstructured logs and swap in your summary. ## Current State Compaction Action: !python3 ${OPENCLAW_SKILL_DIR:-~/.openclaw

VirusTotal

65/65 vendors flagged this skill as clean.
