Meili Memory Skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for local memory search, but it installs persistent system services and cron jobs and indexes private memory automatically with weak user control.

Install only if you are comfortable with a sudo installer that creates a systemd service, adds an hourly cron job, and indexes OpenClaw memory files into MeiliSearch. Review install.sh first, keep MEILI_HOST local unless you intentionally trust another endpoint, protect or rotate the printed master key, and manually inspect distillation output before using --apply.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The installer creates persistent automation via cron and immediately runs the indexer, causing ongoing host changes beyond a one-time local install. In a memory-search skill, automatic recurring indexing may be functionally related, but it still introduces persistence and repeated execution without explicit user consent or visibility, which increases risk if the indexer later changes or handles sensitive data.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The script installs and enables a systemd service, modifying host init/system management and creating persistent background execution. While running MeiliSearch as a service is operationally sensible for a local search backend, it still exceeds a simple user-space skill install and expands attack surface if the service is misconfigured or later abused.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The script performs memory distillation and appends derived content into MEMORY.md, which is a file-mutation capability beyond the skill’s declared local search/recall scope. This creates an integrity risk because user notes can indirectly influence long-term memory content, and the behavior may surprise operators who expect read-only search functionality.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
When run with --apply, the script appends extracted facts into MEMORY.md and automatically triggers reindexing, meaning untrusted note content is promoted into persistent memory and operational pipelines. Even with some filtering, this can enable memory poisoning, persistence of misleading instructions, or retention of sensitive content that the heuristics fail to detect.

Missing User Warnings

Medium
Confidence: 90%
Finding
The installer generates a MeiliSearch master key and injects it into a systemd service definition and later into scripts, while also printing it to stdout. Storing and propagating a high-privilege secret in multiple files and process-visible locations increases the chance of credential exposure and unauthorized administrative access to the search service.

Missing User Warnings

Medium
Confidence: 86%
Finding
The installer rewrites user skill files and installs a persistent cron job without an explicit warning that it is making ongoing local changes. This is dangerous because it silently alters executable content and schedules future execution, making later troubleshooting, trust decisions, and compromise detection harder.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script reads local memory files and indexes their contents into MeiliSearch without any explicit user consent, visibility, or confirmation at the point of export. Although MeiliSearch is described as self-hosted, this still transmits potentially sensitive workspace memory to an external service endpoint defined by MEILI_HOST, and users may not realize indexing exposes that data beyond flat files.

VirusTotal

65/65 vendors flagged this skill as clean.
