ClawHub

claws-dream

Security checks across malware telemetry and agentic risk

Overview

This is a retired local memory-consolidation skill that reads and rewrites OpenClaw memory files, with sensitive behavior largely disclosed and aligned with its purpose.

Prefer the official OpenClaw /dreaming feature when available. Install this retired skill only if you want it to read local memory logs and update long-term memory files; review the memory directory for sensitive content before enabling any daily scheduler.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill metadata says the capability is deprecated and retired, but the prompt still contains full operational instructions to read, write, back up, and rotate files in the workspace. This mismatch can mislead operators into trusting an apparently inactive skill while it still performs state-changing actions, increasing the chance of unintended execution and unnoticed data modification.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The file contains operational instructions to immediately create directories, scan logs, build memory indexes, and write reports, which conflicts with the skill metadata claiming the skill is deprecated and retired. This mismatch is dangerous because users or agents may still execute stale automation they believe is inactive, leading to unexpected data access and filesystem modification.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The prompt directs the agent to modify multiple files such as MEMORY.md, memory/index.json, memory/dream-log.md, memory/dashboard.html, and backup files, but does not require an explicit user confirmation or warning before making those changes. In an agent setting, silent workspace mutations create integrity and auditability risks, especially because the skill also marks logs as processed and performs cleanup operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
These instructions direct the agent to create directories and multiple files in the project workspace without any explicit user consent, dry-run mode, or warning that local data will be modified. Silent filesystem writes are risky because they can alter repositories, create unintended state, and trigger downstream automation or commits.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The prompt instructs reading all daily log files and extracting decisions, facts, preferences, lessons, and todos into consolidated memory artifacts without any privacy notice, minimization guidance, or consent boundary. This is dangerous because broad log ingestion can collect sensitive personal or project information and re-materialize it into new files, expanding exposure and retention.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Appending reports to dream-log.md and sending a notification derived from scanned memory content can persist and surface user data in secondary artifacts without warning. Derived summaries often concentrate sensitive information, making disclosure easier than in the original scattered logs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The template explicitly encourages long-term storage of sensitive categories such as user information, business metrics, team relationships, technical environment details, and strategic decisions, but provides no privacy notice, consent model, retention guidance, or handling restrictions. In a memory-oriented skill, this increases the chance that operators or downstream agents persist confidential data unnecessarily, creating privacy, compliance, and inadvertent disclosure risk if the memory store is exposed or reused in later prompts.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
When index.json is missing, empty, or malformed, the script silently recreates it and overwrites prior state without backup or confirmation. In a memory-management skill, this can destroy or reset workspace data unexpectedly, especially because malformed JSON or encoding errors are treated as a trigger to reinitialize rather than a recoverable error.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal