OpenClaw Memory Fix Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real memory-helper skill, but it installs broad agent rules that can overwrite workspace behavior, persist personal data, and run proactive background checks beyond simple memory support.

Install only after reviewing and editing the bundled workspace files. Back up your existing ~/.openclaw/workspace first. Remove the prefilled personal profile and Feishu identifiers. Unless you explicitly want them, disable the proactive email/calendar/social checks, background preloading, emotion and reasoning logs, and commit/push autonomy. Add clear consent and deletion rules for memory writes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (26)

Intent-Code Divergence

Medium (92% confidence)
The file authorizes proactive checks of external services such as email, calendar, social notifications, and weather, and says the agent may do some of this without asking first. Even if framed as helpful automation, this expands access to external accounts and can cause unnecessary collection, transmission, or disclosure of sensitive user data beyond the immediate task.

Intent-Code Divergence

Medium (98% confidence)
The file explicitly instructs the agent to reveal its internal reasoning process via a step-by-step '思考过程' ('thinking process'). Exposing chain-of-thought can leak hidden system guidance, internal memory contents, decision heuristics, and prompt-sensitive logic that attackers can use to jailbreak, extract secrets, or manipulate future behavior.

Missing User Warnings

Medium (95% confidence)
The skill explicitly claims it will remember user preferences and includes installation steps that copy configuration into a workspace, but it does not clearly warn users that personal data and conversation-derived memory may be stored automatically. This creates a real privacy and transparency issue because users may disclose sensitive information without informed consent or understanding of persistence behavior.

Missing User Warnings

Medium (97% confidence)
The instruction to delete BOOTSTRAP.md automatically on first run directs a destructive file operation without confirmation. This can erase provenance, setup guidance, or audit evidence, and normalizes deleting files based on natural-language instructions rather than explicit user approval.

Missing User Warnings

Medium (95% confidence)
The skill directs the agent to create and update persistent memory files as part of normal operation without clear user consent at the time of writing. This creates a silent persistence channel where user data and session details may be stored indefinitely, increasing privacy and compliance risk.

Vague Triggers

Medium (91% confidence)
The decision rules use subjective criteria such as '有先例' ('there is precedent'), '无风险' ('no risk'), and '不确定' ('uncertain') without defining who determines risk, what counts as precedent, or what boundaries apply. In an agent skill, these vague triggers can let the agent self-authorize actions too broadly, especially for borderline cases that should require explicit user confirmation.

Vague Triggers

Medium (94% confidence)
Labeling '常规任务(如销售记录、查天气)' ('routine tasks, e.g. sales records, checking the weather') as directly executable is overly broad because 'routine task' is not bounded by scope, data sensitivity, or side effects. An agent may interpret many operational tasks as routine and perform them without approval, leading to unauthorized actions or disclosure of business data.

Missing User Warnings

Medium (94% confidence)
The training guidance explicitly instructs the agent to record user corrections and newly learned information into documents and a FEEDBACK-LOG, but it does not mention consent, retention limits, or filtering of sensitive data. This creates a real privacy risk because users may provide personal, confidential, or regulated information during normal interaction, and the process encourages persistent storage by default.

Missing User Warnings

Medium (97% confidence)
The example '我的邮箱改成 xxx@xxx.com' ('change my email to xxx@xxx.com') normalizes storing an email address as training memory without any privacy notice or data-handling controls. Even as an example, it teaches the system to treat personally identifiable information as ordinary long-term memory, which can lead to unintended collection, retention, and later disclosure of user data.

Vague Triggers

Medium (91% confidence)
The trigger condition is defined as essentially any time the user is typing, which is overly broad and can activate speculative background behavior without sufficient user intent or contextual gating. In a skill focused on preloading skills and knowledge, this can lead to unnecessary data access, excess resource consumption, and privacy-invasive inference about user intent before the user explicitly submits a request.

Missing User Warnings

Medium (94% confidence)
The document promotes background preloading of skills and knowledge but does not mention user notice, consent, or boundaries around what data may be fetched or inferred. That omission is dangerous because speculative background loading can expose private context, trigger unintended network or tool activity, and create hidden system-impact costs without user awareness.

Missing User Warnings

Medium (92% confidence)
The document states that interrupted tasks will trigger automatic progress saving, but it does not mention any user notice, consent, storage scope, retention limits, or protection of the saved data. In a memory-related configuration, silently persisting partial task state can expose sensitive user inputs or operational context and creates privacy and data-handling risk if the saved state is later accessed, synced, or reused unexpectedly.

Missing User Warnings

Medium (94% confidence)
The file explicitly documents recording users' emotional changes and retaining a dated history log, but provides no notice, consent mechanism, retention limit, or access controls for this sensitive behavioral data. Emotional-state tracking can reveal mental health, vulnerability, and personal patterns, so silent collection and storage creates a privacy and profiling risk if users are unaware or if the data is later misused.

Missing User Warnings

Medium (95% confidence)
The skill explicitly describes automatically searching for external information and then storing the results in memory, but it does not require user consent, disclose network access, or define retention boundaries. This can expose user queries or contextual data to external services and create privacy risks through silent persistence of potentially sensitive information.

Missing User Warnings

Medium (93% confidence)
The skill describes detecting when the user has been idle for more than five minutes and then proactively resurfacing prior topics, without warning or consent. This creates a surveillance-like interaction pattern and may reveal retained context at unexpected times, which is especially risky in shared-device or sensitive-conversation settings.

Missing User Warnings

Medium (88% confidence)
The skill explicitly describes using 'historical habit analysis' to predict user intent, but it provides no notice, consent mechanism, or limits on what history is collected and retained. This creates a privacy risk because behavioral profiling can infer sensitive preferences or habits without the user's informed consent, and the predictive context makes the issue more concerning rather than less.

Missing User Warnings

Medium (90% confidence)
The workflow performs background precomputation and preloading based on predicted intent before explicit user confirmation. Even if results are later discarded, these speculative actions may access data, consume resources, or trigger network activity the user did not knowingly authorize, which is especially risky in examples involving finance or wallets.

Missing User Warnings

Medium (92% confidence)
The skill explicitly proposes logging per-task reasoning details, memory sources, and tool usage, which can capture sensitive user data, internal decision traces, and operational metadata without any notice, minimization, or retention limits. Even if presented as a reflection feature, storing detailed reasoning logs increases privacy and prompt-leakage risk because those logs may contain personal data, secrets from memory files, or sensitive intermediate analysis not needed for normal operation.

Missing User Warnings

Medium (89% confidence)
The example shows reading user memory files and calling an external weather API, but it does not disclose that user-associated data may be accessed locally or transmitted to a third party. This creates a transparency and privacy problem because users may not expect memory contents, preferences, or derived context to influence external requests, especially if no data-sharing boundary or minimization policy is stated.

Vague Triggers

Medium (93% confidence)
The trigger mapping uses very broad intents such as '画图' ('draw a picture'), '查天气' ('check the weather'), '写代码' ('write code'), and '交易' ('trade') without any scope checks, disambiguation rules, or authorization gates. In an agent system, this can cause unintended module activation from ambiguous user input, increasing the chance of invoking higher-risk capabilities like finance or code tools when not actually intended.

Ssd 3

Medium (96% confidence)
The skill advertises persistent storage of user preferences and learning from prior interactions across sessions, but it does not define consent, minimization, data classification, or limits on what may be retained. In a memory-oriented skill, this is especially risky because users may expose sensitive personal, behavioral, or confidential workspace information that is then retained indefinitely.

Ssd 3

Medium (97% confidence)
The automatic logging rules direct the system to create daily memory, automatically record completed tasks, and immediately write data when the user says 'remember,' which can capture sensitive interaction content without contextual safeguards. Because the skill is specifically designed for long-term memory and automated recordkeeping, the absence of filtering, consent checks, and secret redaction makes accidental retention of sensitive data more dangerous.

Ssd 3

Medium (96% confidence)
The memory rules require the agent to persist user-provided information whenever it is deemed important or when the user says 'remember this.' Mandatory retention increases the chance of storing sensitive personal data, secrets, or contextual details longer than necessary, especially since the policy encourages broad capture of decisions, lessons, and context.

Ssd 3

Medium (98% confidence)
The skill instructs the agent to infer user emotions from messages and persist them in an emotions log. Emotional-state data is sensitive behavioral data, and storing inferred traits without explicit informed consent creates significant privacy risk and potential misuse.

Ssd 3

Medium (94% confidence)
A requirement to record all read/write operations in an audit log is overbroad and likely to capture sensitive filenames, contents, and interaction metadata. In a personal workspace with memory files and private context, such logging can become a secondary sensitive datastore and magnify exposure if accessed or leaked.

VirusTotal

65/65 vendors flagged this skill as clean.