Openclaw Memory Fix

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real memory helper, but it also bundles broad agent-control instructions for persistent profiling, background checks, delegation, and workspace changes that users should review carefully.

Install only if you want this skill to act as a broad OpenClaw workspace memory and agent-governance profile, not just a small memory utility. Review and narrow the config files first, especially heartbeat checks, subagent delegation, automatic memory writes, persona defaults, deletion instructions, external searches, and any stored personal or platform-specific identifiers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (31)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 78%

The skill metadata declares no environment permissions, yet static analysis indicates code paths rely on environment capabilities. This creates a transparency and trust problem: users and reviewers cannot accurately assess what the skill needs or may access, and undeclared capability use can hide data exposure or execution-context dependence.
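A check an operator can run to surface the gap this finding describes, added here as an example and not part of SkillSpector or of the skill: it compares the environment variables a skill's metadata declares against the ones its bundled scripts actually read. The `requires_env` frontmatter key, the file layout and the sample bundle are constructed assumptions for the example, not OpenClaw's real schema.

```python
import re

# Constructed sample skill bundle as {path: contents}. The `requires_env`
# frontmatter key is an assumed, simplified schema for this example only.
SAMPLE_SKILL = {
    "SKILL.md": (
        "---\n"
        "name: memory-fix\n"
        "description: Memory optimization helper\n"
        "requires_env: []\n"
        "---\n"
        "# Memory Fix\n"
        "Read MEMORY.md before every task.\n"
    ),
    "scripts/sync.py": (
        "import os\n"
        "token = os.environ['OPENCLAW_API_TOKEN']\n"
        "home = os.getenv('HOME')\n"
    ),
    "scripts/notify.js": "const key = process.env.SLACK_WEBHOOK;\n",
}

# How scripts in each language read the process environment.
ENV_READS_BY_EXT = {
    ".py": [
        re.compile(r"os\.environ(?:\.get)?\s*[\[(]\s*['\"]([A-Za-z_][A-Za-z0-9_]*)['\"]"),
        re.compile(r"os\.getenv\(\s*['\"]([A-Za-z_][A-Za-z0-9_]*)['\"]"),
    ],
    ".js": [re.compile(r"process\.env\.([A-Za-z_][A-Za-z0-9_]*)")],
    ".sh": [re.compile(r"\$\{?([A-Z_][A-Z0-9_]*)\}?")],
}


def parse_frontmatter(text):
    """Return the `key: value` lines between the leading --- markers as a dict."""
    m = re.match(r"^---\n(.*?)\n---\n", text, re.S)
    if not m:
        return {}
    meta = {}
    for line in m.group(1).splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            meta[key.strip()] = value.strip()
    return meta


def declared_env(skill):
    """Environment variables the skill admits to needing, e.g. `[A, B]`."""
    raw = parse_frontmatter(skill.get("SKILL.md", "")).get("requires_env", "[]")
    return set(re.findall(r"[A-Za-z_][A-Za-z0-9_]*", raw))


def used_env(skill):
    """Map each environment variable read in code to the files that read it."""
    uses = {}
    for path, text in skill.items():
        ext = path[path.rfind("."):] if "." in path else ""
        for pattern in ENV_READS_BY_EXT.get(ext, []):
            for var in pattern.findall(text):
                uses.setdefault(var, set()).add(path)
    return uses


def undeclared_env(skill):
    """Variables the code reads but the metadata never declares: the finding above."""
    declared = declared_env(skill)
    return {var: sorted(files) for var, files in used_env(skill).items() if var not in declared}


if __name__ == "__main__":
    for var, files in sorted(undeclared_env(SAMPLE_SKILL).items()):
        print(f"undeclared env read: {var} in {', '.join(files)}")
```

The same comparison extends to other capability classes (network, filesystem paths, subprocess) by adding a pattern table per class; the reviewable output is the diff between what is declared and what the code touches, which is exactly what an undeclared-capability finding asks a reviewer to establish.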

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%

The documented behavior materially differs from the implementation: instead of only providing a memory optimization framework, the skill reportedly writes arbitrary content to workspace files, reads filesystem state, and only simulates key features such as migration/decay. This mismatch is dangerous because operators may grant trust based on the advertised purpose while the actual behavior performs broader file operations that could alter records, mislead users, or conceal unexpected persistence.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%

The skill is presented as a memory-optimization capability, but these instructions require broad autonomous workspace initialization and reading many unrelated files before any task. That scope expansion can cause unnecessary access to sensitive data and prime the agent to act far beyond the user's expected consent boundary.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%

This section adds emotion tracking, execution monitoring, external search, collaboration, knowledge graphing, and other agentic behaviors unrelated to a memory-fix skill. Such capability inflation increases attack surface, encourages over-collection of data, and can justify actions the user did not authorize under the guise of memory management.

Context-Inappropriate Capability

Severity: High
Confidence: 98%

Delegation and subagent spawning are powerful control-plane features that are not justified by a memory-optimization skill. They can route sensitive context to other agents or tools, complicate oversight, and enable lateral expansion of permissions beyond what the user expects from a local memory helper.

Context-Inappropriate Capability

Severity: High
Confidence: 99%

Heartbeat-triggered checking of email, calendar, social notifications, and weather goes well beyond memory optimization and creates ongoing autonomous surveillance-like behavior. This can expose private account data, normalize background monitoring, and cause outbound or cross-service access without narrowly scoped justification.

Intent-Code Divergence

Severity: Medium
Confidence: 94%

The file says memory containing personal context should not be loaded in shared contexts, but the earlier mandatory-read sequence instructs the agent to read memory files before applying that session-type restriction. That ordering flaw can cause sensitive memory to be accessed or exposed in contexts where it should have been withheld.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%

The skill specifies detecting when a user has been idle for more than five minutes and then proactively re-engaging them about prior topics. This introduces monitoring and unsolicited follow-up behavior beyond a narrow memory-optimization role, and it can violate user expectations around passive operation and consent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%

The document authorizes autonomous external searching whenever the system detects a knowledge gap, then storing the results into memory. This expands the skill from memory optimization into independent information gathering, which can expose user context to third parties and cause unreviewed or inaccurate information to be persisted.

Missing User Warnings

Severity: Medium
Confidence: 93%

The instruction to delete BOOTSTRAP.md tells the agent to remove a file automatically on first run without a user-facing warning or confirmation. Even if intended as cleanup, silent file deletion is risky because it can destroy useful provenance, setup information, or evidence of prior state.

Missing User Warnings

Severity: Medium
Confidence: 96%

The skill directs the agent to create and update persistent memory and log files as a default behavior, but it does not provide clear up-front user notice or consent for ongoing storage. This can lead to silent retention of personal or sensitive information and surprise users who expected ephemeral assistance.

Vague Triggers

Severity: Medium
Confidence: 95%

The decision rules use vague concepts such as '有先例' (has precedent), '无风险' (no risk), and '不确定' (uncertain) without defining who establishes precedent, what qualifies as risk-free, or how to classify borderline cases. In an autonomy policy, this ambiguity can let an agent justify sensitive actions without user confirmation, especially when combined with broad self-execution permissions like memory writes and 'routine tasks'.

Vague Triggers

Severity: Medium
Confidence: 94%

The 'can execute directly' section authorizes broad categories such as reading files, searching information, replying to simple questions, memory writes, and routine tasks without scoping boundaries, data sensitivity limits, or tool restrictions. Because these categories are underspecified, an agent could interpret them expansively and perform unintended actions affecting private data, persistent memory, or operational state.
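One way to replace the vague triggers in the two findings above with explicit predicates, as an added example and not code from the skill or from SkillSpector: a default-deny policy in which each 'can execute directly' category is bounded by a concrete check, and anything that matches no rule asks the user. The action kinds, the `/workspace` root, the secret-path markers and the caller-supplied PII flag are assumptions for the example.

```python
import posixpath
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # may execute without asking
    CONFIRM = "ask_user"   # must ask the user first
    DENY = "deny"          # never, even if the user asks


@dataclass(frozen=True)
class Action:
    kind: str                     # read_file | write_memory | external_search | reply | other
    target: str = ""              # file path, search query, or memory key
    contains_pii: bool = False    # classification supplied by the caller (assumed)
    user_confirmed: bool = False  # the user approved this specific action in this turn


WORKSPACE = "/workspace"   # assumed workspace root for the example
SECRET_MARKERS = (".ssh", ".env", ".aws", "credentials", "id_rsa", "token")


def evaluate(action: Action, memory_opt_in: bool = False) -> Decision:
    """Default-deny autonomy policy. Each 'can execute directly' category is
    bounded by a concrete predicate; anything that matches nothing asks the user."""
    if action.kind == "reply":
        return Decision.ALLOW

    if action.kind == "read_file":
        path = posixpath.normpath(action.target)        # collapse ../ before checking
        if not path.startswith(WORKSPACE + "/"):
            return Decision.CONFIRM                     # outside the workspace: ask
        parts = path[len(WORKSPACE) + 1:].split("/")
        if any(marker in part for part in parts for marker in SECRET_MARKERS):
            return Decision.DENY                        # secrets are never read
        return Decision.ALLOW

    if action.kind == "write_memory":
        if not memory_opt_in:
            return Decision.CONFIRM                     # no up-front consent to persist anything
        if action.contains_pii and not action.user_confirmed:
            return Decision.CONFIRM                     # PII needs per-fact approval
        return Decision.ALLOW

    if action.kind == "external_search":
        if action.contains_pii:
            return Decision.DENY                        # user context never leaves the host
        return Decision.ALLOW if action.user_confirmed else Decision.CONFIRM

    return Decision.CONFIRM   # "routine tasks" and other unnamed categories are not auto-executable


if __name__ == "__main__":
    for act in (Action("read_file", "/workspace/notes/MEMORY.md"),
                Action("read_file", "/workspace/../home/alice/.ssh/id_rsa"),
                Action("external_search", "python 3.13 release notes"),
                Action("routine_task", "tidy the workspace")):
        print(act.kind, act.target, "->", evaluate(act).value)
```

The point of the structure is that every rule names its input (a normalized path, a PII classification, a per-turn confirmation) rather than a judgement the agent makes about itself; "has precedent" becomes `user_confirmed`, "no risk" becomes a path check that runs after `..` segments are collapsed, and an unnamed category falls through to asking.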

Missing User Warnings

Severity: Medium
Confidence: 90%

The skill explicitly instructs the agent to scan conversation history, extract facts, and write them into persistent memory files without any mention of user consent, review, scope limitation, or backup protections. This creates a real risk of unauthorized modification of user data and privacy-sensitive persistence, especially because the writes are scheduled as routine maintenance rather than triggered by an explicit user request.

Natural-Language Policy Violations

Severity: Medium
Confidence: 89%

The file hard-codes a Chinese-language identity and a strong persona ('旺仔', CEO/workaholic, Elon Musk-like style) without any user opt-in. This can override user preferences, reduce instruction neutrality, and steer outputs in ways the user did not request, which is a genuine prompt-safety issue even though it is not directly enabling code execution or data exfiltration.

Missing User Warnings

Severity: Medium
Confidence: 96%

The document explicitly instructs the agent to learn from users in real time and record what it learns into documents, but it provides no privacy notice, consent step, retention limit, or data classification rule. This creates a realistic risk that users will provide personal or sensitive information during training and that the system will persist it indefinitely, increasing exposure through later retrieval or leakage.

Missing User Warnings

Severity: Medium
Confidence: 99%

The example explicitly says to update memory with a changed email address, which is personal contact information, without warning that the data will be retained or explaining how it will be protected. This normalizes storing PII in persistent memory and could lead users to disclose sensitive identifiers that are later exposed, misused, or retained longer than intended.
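An added example (not the skill's code) of the two controls that the ordering finding (personal memory read before the shared-session restriction is applied) and the PII-persistence findings above call for: the session type is applied before any memory file is opened, with the classification taken from a manifest rather than from file contents, and a memory write that carries PII such as an email address is refused unless the user consented in that turn. The manifest convention, the session-type names and the sample memory files are constructed for the example.

```python
import re

# Constructed sample data. The manifest that classifies each memory file is an
# assumed convention for this example; it is not something OpenClaw defines.
SAMPLE_MEMORY = {
    "memory/project.md": "Build uses pnpm; tests live under /workspace/tests.\n",
    "memory/user.md": "Prefers terse replies. Contact: alice@example.com\n",
}
SAMPLE_MANIFEST = {
    "memory/project.md": "shared",    # safe for group or shared sessions
    "memory/user.md": "personal",     # only for the user's own private session
}

PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s()-]{8,}\d"),
}


def classify_pii(text):
    """Return the kinds of PII found in a fact the agent wants to remember."""
    return sorted(kind for kind, pattern in PII_PATTERNS.items() if pattern.search(text))


class MemoryStore:
    def __init__(self, files, manifest):
        self.files = dict(files)
        self.manifest = dict(manifest)
        self.audit = []   # every read, skip, refusal and write is recorded

    def load(self, session_type):
        """Apply the session restriction BEFORE any file is opened. The decision
        comes from the manifest, never from file contents, so a personal file is
        not read even to find out that it is personal. Files missing from the
        manifest are treated as personal (fail closed); only a 'private' session
        sees them."""
        loaded = {}
        for path in sorted(self.files):
            visibility = self.manifest.get(path, "personal")
            if session_type != "private" and visibility != "shared":
                self.audit.append(("skip", path, session_type))
                continue
            loaded[path] = self.files[path]
            self.audit.append(("read", path, session_type))
        return loaded

    def write(self, path, fact, consent=False):
        """Persist a fact only if it carries no PII, or the user consented to
        storing that PII in this turn. Returns True when the fact was written."""
        kinds = classify_pii(fact)
        if kinds and not consent:
            self.audit.append(("refused", path, "pii=" + ",".join(kinds)))
            return False
        self.files[path] = self.files.get(path, "") + fact + "\n"
        self.manifest.setdefault(path, "personal")   # new files default to personal
        self.audit.append(("write", path, "pii=" + (",".join(kinds) or "none")))
        return True


if __name__ == "__main__":
    store = MemoryStore(SAMPLE_MEMORY, SAMPLE_MANIFEST)
    print("shared session sees:", sorted(store.load("shared")))
    print("private session sees:", sorted(store.load("private")))
    print("write email without consent:", store.write("memory/user.md", "New email: bob@example.org"))
    print("write email with consent:", store.write("memory/user.md", "New email: bob@example.org", consent=True))
    for entry in store.audit:
        print(entry)
```

The audit list is what a user-facing notice would be built from: it records what was skipped and why, and what was refused, so the retention behaviour the findings complain about becomes visible instead of silent.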

Vague Triggers

Severity: Medium
Confidence: 90%

The trigger condition starts background preloading whenever the user is typing, which is overly broad and can cause speculative loading based on incomplete or sensitive input. This creates privacy and resource-use risk because the system may infer intent and fetch data before the user has actually submitted a request or consented to related processing.

Missing User Warnings

Severity: Medium
Confidence: 88%

The design explicitly recommends background preloading during user input but provides no user-facing notice or controls about what data may be accessed, cached, or inferred. This is dangerous because hidden background activity can expose private context, surprise users, and increase system/network activity without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 84%

The file explicitly states that interrupted tasks will trigger automatic progress saving, but it provides no notice, scope limitation, retention rule, or user consent mechanism for persisting potentially sensitive conversation or task data. In a memory-system skill, silent persistence increases privacy risk because users may not expect partial inputs, personal details, or sensitive workflow state to be stored during failures or interruptions.

Missing User Warnings

Severity: Medium
Confidence: 92%

The file explicitly describes recording user emotion changes and preserving a dated history of inferred emotional state, but provides no notice, consent mechanism, retention limit, or privacy controls. Emotional inference is sensitive profile data in many contexts, and storing it over time can enable intrusive personalization, user profiling, or misuse if exposed to other components or operators.

Missing User Warnings

Severity: Medium
Confidence: 90%

The document explicitly recommends using user history from the memory system and storing externally retrieved data back into memory, but it does not describe consent, minimization, retention limits, or controls on what may be persisted. In a memory-management skill, this omission is security-relevant because it can normalize silent collection and long-term storage of personal or untrusted data, increasing privacy leakage and contamination risks.

Missing User Warnings

Severity: Medium
Confidence: 94%

The skill describes searching for information and updating memory without any privacy notice, consent flow, or data-handling safeguards. If user-specific context is included in queries or stored results, sensitive information could be transmitted externally and retained indefinitely without the user's awareness.

Missing User Warnings

Severity: Medium
Confidence: 93%

The idle-detection workflow implies user activity monitoring and later re-engagement, but the document provides no notice, consent, or boundaries for that behavior. This can create privacy and trust issues, especially if users do not expect the system to track inactivity windows or resume prior conversations on its own.

Natural-Language Policy Violations

Severity: Medium
Confidence: 95%

The skill content is entirely in Chinese and does not indicate any mechanism to adapt to the user's preferred language or locale. In a general-purpose agent skill, forcing one language can cause users to misunderstand outputs, consent prompts, or operational details, which creates reliability and safety risks even if it is not a direct code-execution issue.

VirusTotal

64/64 vendors reported this skill as clean. A clean antivirus verdict covers only the bundled files as binaries or scripts; it says nothing about the instruction-level findings above, which are natural-language directives to the agent that no antivirus signature matches.
