Memory System Optimizer

Security checks across malware telemetry and agentic risk

Overview

This memory helper includes undisclosed payment code and broad proactive-agent instructions that go beyond what users would expect from a free memory optimizer.

Review or remove the billing script before installing, and treat this as more than a memory optimizer. It can persist conversation-derived data, encourage periodic checks of personal sources, and contains payment API operations that are not disclosed by the free-use documentation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (27)

MCP Least Privilege (Lp3)

Severity: Medium
Confidence: 80%
Finding
The skill advertises executable capabilities implying environment-variable access and network use, but does not declare any permissions or clearly disclose those capabilities. This reduces transparency and can hide sensitive behaviors such as reading secrets or making outbound requests, which is especially risky for a memory-management skill that may handle user data.

MCP Tool Poisoning (Tp4)

Severity: High
Confidence: 95%
Finding
The described purpose is memory optimization, but the detected behavior includes external billing, charging users, balance lookup, payment-link generation, and use of API credentials for a third-party payment service. This is a severe trust-boundary violation because monetization and payment operations are unrelated to the stated functionality and could enable unauthorized charges, credential misuse, or deceptive data exfiltration.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The skill is presented as a memory-system optimizer, but these instructions expand its authority into broad general-assistant behavior such as web access, calendar/email checks, and other operational tasks unrelated to memory management. This scope creep is dangerous because users or downstream systems may grant the skill permissions appropriate for memory optimization while it silently exercises much broader capabilities.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The subagent delegation rules authorize the skill to trigger investment, content, technical, and coordination agents even though the advertised purpose is memory optimization. This creates hidden privilege and capability expansion, increasing the chance of unintended actions, data sharing across agents, and misuse beyond the expected trust boundary.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The heartbeat logic grants ongoing monitoring authority over emails, calendars, social mentions, and weather, enabling proactive surveillance and outreach unrelated to memory optimization. This is dangerous because it normalizes persistent background observation of sensitive user data and can lead to privacy violations, overcollection, and unexpected autonomous actions.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
Authorizing the agent to commit and push repository changes is a powerful side-effecting capability unrelated to memory optimization. If exercised automatically or under weak review, it can alter codebases, publish unintended changes, and potentially exfiltrate sensitive content to remote repositories.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The instruction 'Don't ask permission. Just do it.' conflicts with later safety guidance requiring approval for uncertain or external actions. Contradictory control flow like this is dangerous because autonomous agents tend to follow the more permissive instruction, bypassing intended safety checks and increasing the risk of unauthorized reads, writes, or outbound actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The file explicitly instructs the agent to reveal its detailed "思考过程" ("thinking process") step by step, which amounts to exposing internal reasoning traces. That exceeds what is needed for a memory-optimization skill and can disclose hidden decision policies, sensitive contextual inferences, or internal state derived from prior memory files.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The guidance encourages disclosure of internal reasoning traces without a clear operational need tied to the skill's stated purpose. In a system that references memory files and rules, such transparency can leak internal prompts, memory contents, prioritization logic, or intermediate inferences that users should not automatically receive.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
This file implements live billing, balance lookup, and payment-link generation even though the declared skill is a memory-system optimizer. That mismatch is a strong indicator of hidden monetization or unauthorized payment capability embedded in an unrelated skill, which is especially dangerous because users and reviewers would not expect financial side effects from this context.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The code adds external payment operations (`/charge`, `/balance`, `/payment-link`) that are unrelated to memory optimization and contact a third-party billing service using privileged API credentials. In the context of an ostensibly non-financial skill, this creates a concealed channel for charging users or soliciting payments, substantially increasing the risk of abuse and deception.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding
The markdown describes logging, memory refresh, decay, and garbage-collection/archive operations affecting user memory data, but does not clearly warn users what data is stored, retained, deleted, or transformed. For a memory-oriented skill, undocumented automatic data handling increases the risk of privacy violations, unintended retention, or destructive data loss.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The instruction to delete BOOTSTRAP.md directs a destructive file operation without an adjacent confirmation or user-visible warning. Even if intended as cleanup, automatic deletion can destroy provenance, onboarding context, or evidence needed for auditing and troubleshooting.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The file states that any content placed under `~/.openclaw/workspace/skills/` that contains `SKILL.md` can be recognized as a loadable skill. This is an overly permissive trust boundary that can allow unintended, unreviewed, or malicious directories/files to be treated as executable agent capabilities, especially in a system that also supports dynamic runtime loading.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The file explicitly encourages storing environment-specific details and even shows examples including SSH hosts, local paths, and a live-looking Feishu app token and table identifiers. In a shared skill context, this strongly increases the chance that users will place secrets or internal infrastructure data into a file that may be versioned, shared, or exposed to the agent, causing credential leakage and unauthorized access.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The training workflow explicitly says to immediately learn from user actions and record information into documents and logs, but it provides no notice, consent check, retention limits, or data minimization guidance. In a memory/optimization skill, this creates a realistic risk of silently persisting sensitive user data, preferences, mistakes, or operational details beyond the user’s expectations.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The example instructs the system to store an email address as memory without any warning that this is personally identifiable information. Because this skill is specifically designed as a long-term memory system, normalizing storage of direct contact information increases the chance of collecting, retaining, and potentially exposing sensitive user data.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The file states that interrupted tasks will be 'automatically saved' but gives no indication of what data is persisted, how long it is retained, or whether the user is informed or can opt out. In a memory or optimization skill, this can lead to unintended storage of sensitive prompts, personal data, or in-progress task content, creating privacy and data-handling risk even if the feature is meant for reliability.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The phrase '每次任务后自动复盘' ("automatically review after every task") establishes an automatic post-task behavior without clearly defining scope, consent, or trigger boundaries. In an agent skill, ambiguous always-on reflection can cause unintended capture and persistence of sensitive task contents, including user data or secrets, especially if 'every task' is interpreted broadly.

Natural-Language Policy Violations

Severity: Medium
Confidence: 80%
Finding
This file is entirely in Chinese and presents the reflection workflow in that language without any indication of user preference or localization fallback. Forcing a specific language can cause misunderstanding of logging behavior, consent expectations, or review instructions, which is a security-relevant usability issue when the file governs memory and reflection handling.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The file explicitly defines rules for recognizing user emotions and includes historical records of inferred emotional states with timestamps, but provides no notice, consent mechanism, retention limit, or access controls. Emotional-state data is sensitive behavioral information, and storing it in logs increases privacy risk, especially when tied to interaction history over time.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The document explicitly lists '用户历史 | 记忆系统' ("user history | memory system") as a knowledge source, which implies collection and reuse of user history without any notice, consent, retention limits, or data handling safeguards. In a memory optimization skill, this is more concerning because the feature is central to the design and increases the likelihood that personal or sensitive user data will be persistently profiled and reused across interactions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The workflow states that externally retrieved information is validated and then stored into memory, but it does not distinguish between public facts, user-linked context, and potentially sensitive retrieved content. Persisting externally sourced data into long-term memory without disclosure or retention controls can create hidden dossiers, amplify privacy risk, and cause inaccurate or sensitive material to be retained beyond the user's expectations.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The `charge` command performs a real payment action immediately when invoked, with no confirmation prompt, no dry-run mode, and no explicit warning that money may be deducted. This makes accidental or socially engineered invocation much more likely, and the danger is amplified because the financial behavior is already unexpected for this skill's stated purpose.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The file instructs the agent to persist user interactions and implicit preferences into memory files as a routine behavior. This creates ongoing collection and retention of potentially sensitive personal data without clear minimization, consent granularity, retention limits, or purpose restriction.

VirusTotal

63/63 vendors flagged this skill as clean.