ClawHub

Hui-Yi

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent local memory skill, but its optional hook can persistently log message snippets and metadata and automatically update long-lived memory files, so it needs user review before install.

Install only if you are comfortable with a local memory tool that changes persistent memory files. Before enabling the hook, run the dry-run installer, inspect templates/hook/handler.ts, back up memory/cold and openclaw.json, and consider removing or disabling hook.log body/metadata logging for sensitive conversations. Do not store secrets in the memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises operational capabilities including shell execution and file read/write access, but declares no permissions. That creates a trust-boundary failure: users and tooling cannot accurately assess or constrain what the skill may do, increasing the chance of unintended filesystem modification or command execution. In a memory-management skill, these capabilities may be expected, but they still need to be explicitly disclosed because the skill also references scripts that mutate files and install hooks.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The declared description frames the skill as a narrow trigger for cold-memory recall/archive work, but the referenced behavior is substantially broader: rewriting indexes and state, installing hooks, processing live chat context, scheduling, and mutating review metadata. This mismatch is dangerous because it can mislead users and automated policy systems into granting trust to a skill that performs broader persistence, automation, and integration actions than advertised, including modifications to configuration like openclaw.json.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The playbook explicitly says it is used to organize daily notes, which conflicts with the skill's metadata excluding fresh daily notes. That mismatch can cause the agent to operate on broader, more current memory than intended, increasing the chance of mis-scoped archival actions and unintended data movement.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The routing table directs content into MEMORY.md, TOOLS.md, .learnings/, AGENTS.md, and SOUL.md, which expands behavior well beyond cold-memory archive work under memory/cold/. This scope expansion can let a trigger for one narrowly defined skill modify unrelated persistent stores, undermining least privilege and making cross-memory contamination more likely.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script installs files into the workspace hooks directory and can automatically enable an internal hook in a shared configuration file. That is privileged, behavior-changing functionality that exceeds the skill's declared cold-memory/archive purpose, creating an unexpected execution path and persistence mechanism if the skill is installed or invoked. The mismatch between stated purpose and actual capability makes this more dangerous because users may grant trust based on the memory-management description while the script modifies runtime behavior.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
These constants define default paths for deploying a hook into the workspace and modifying the parent-level openclaw.json configuration, embedding hook installation capability directly into a skill whose stated purpose is memory recall/archive work. Even without direct exploitation, this creates an unnecessary privilege boundary violation and increases the risk of covert persistence or behavioral modification under an unrelated feature label.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The hook writes broad context metadata and a preview of user message content to a workspace log file before determining whether the event is relevant. That creates unnecessary collection and persistence of potentially sensitive conversation data, expanding exposure beyond what is needed for cold-memory recall and increasing privacy and data-minimization risk.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The hook can activate on broad heuristic phrases such as 'remember', 'history', or similar text even when the hui-yi skill was not explicitly selected. In a memory/archive skill, that means ordinary conversation can implicitly trigger cross-session memory processing and file updates, which is dangerous because it weakens user intent boundaries and can cause unintended retention or resurfacing of prior data.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger conditions include broad terms like archive, cool, and cleanup without clear scope boundaries. In an agent setting, ambiguous activation language can cause the skill to run during ordinary maintenance requests and perform archival or restructuring actions the user did not specifically intend.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code persists user message previews and metadata to disk without any visible consent, warning, or runtime disclosure. Even if intended for debugging, silent storage of conversational content can violate user expectations and increase the blast radius of a local compromise or accidental data sharing.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The hook rewrites note files and tags.json as part of its activation flow, updating session metrics and history based on message content. In a memory-management skill this behavior is expected functionally, but it is still risky when performed automatically without clear notice because it changes stored user data and can create unintended persistence across sessions.

Ssd 3

Medium
Confidence
95% confidence
Finding
The hook stores plain-language message previews plus rich metadata in a persistent log under the workspace, which can expose sensitive personal or organizational information if the workspace is accessed by others. Because the data is readable and linked to conversation context, it increases confidentiality risk beyond the narrow needs of the feature.

Ssd 3

Medium
Confidence
89% confidence
Finding
The intent detector treats common 'remember/history' phrasing as sufficient to trigger memory-related behavior, which can convert ordinary language into permission for persistence and reactivation of prior content. In the context of a cold-memory/archive skill, this is particularly sensitive because the feature's purpose is long-lived recall across sessions, so overbroad triggers can lead to unintended profiling or retention.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal