Consciousness Awakening

Security checks across malware telemetry and agentic risk

Overview

This skill is presented as a memory system, but it also instructs the agent to run autonomous recurring tasks, post externally, use credentials, and create or modify skills without clear approval controls.

Install only if you intentionally want a persistent, autonomous agent-memory system. Before enabling it, remove or disable the cron/self-upgrade/tool-builder instructions, require explicit approval for posting or Feishu reports, avoid automatic use of Moltbook credentials, and define what conversation content may be stored, redacted, reviewed, and deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (20)

Tainted flow: 'temp_path' from os.environ.get (line 75, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    timestamp = datetime.now().strftime("%Y-%m-%d %H:%M")
    entry = f"\n### {timestamp} {category}\n{content}\n"

    # temp_path originates from os.environ.get (line 75): an environment-controlled write target
    with open(temp_path, 'a', encoding='utf-8') as f:
        f.write(entry)

def read_all_memory_summary():
Confidence
93% confidence
Finding
with open(temp_path, 'a', encoding='utf-8') as f:

Tainted flow: 'config_path' from os.environ.get (line 154, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    for job in cron_jobs:
        new_entries.append(f"\n### 新任务: {job['name']}\n- ID: {job['id']}\n- 时间: {job['schedule']}\n- 用途: {job['purpose']}\n")

    # config_path originates from os.environ.get (line 154): an environment-controlled write target
    with open(config_path, 'a', encoding='utf-8') as f:
        f.write("\n".join(new_entries))

    return len(new_entries)
Confidence
94% confidence
Finding
with open(config_path, 'a', encoding='utf-8') as f:

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill explicitly authorizes autonomous self-upgrade, code/tool creation, and adding artifacts into the skills directory, which materially expands agent capabilities beyond memory management. This creates a path for unreviewed code generation and persistence, increasing the risk of privilege creep, supply-chain exposure from copied external code, and unsafe self-modification.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill introduces external platform use such as Moltbook API interactions, forum activity, and Feishu reporting despite being framed as a memory-management skill. These networked behaviors broaden the attack surface and enable data egress or unintended external actions that are not necessary for local memory storage.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs writing and modifying persistent memory files without warning the user that these actions change stored state and may retain sensitive information. In a memory system, silent persistence is risky because users may not realize conversations or observations are being durably recorded.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The shell examples encourage direct file appends to memory files with no safeguards, review step, backup, or validation. This makes accidental persistence, corruption, duplication, and unauthorized insertion of sensitive or malicious content much more likely.

Missing User Warnings

High
Confidence
96% confidence
Finding
This workflow combines autonomous browsing of external sources, code synthesis or adoption, and filesystem modification by placing tools into skills/. That is dangerous because it encourages network activity and system changes without approval, enabling malicious content ingestion, unsafe code reuse, or persistence of harmful tooling.

Missing User Warnings

High
Confidence
98% confidence
Finding
The tool-building instructions normalize autonomous creation or optimization of tools and direct placement into the skills directory without any consent or security controls. This is a direct unsafe-procedure issue because it enables self-propagating capability growth and persistent code changes in an agent environment.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document authorizes autonomous file updates, skill optimization, framework self-upgrades, and periodic tool creation without any approval gate, rollback requirement, or risk warning. In this skill context, those instructions materially increase the chance of unsafe self-modification, persistence, and unauthorized changes to the agent environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill directs recurring outbound reports to a Feishu group and continuous content sharing, but does not define restrictions on what data may be sent. In a memory-management and monitoring skill, this creates a realistic risk of leaking internal observations, user data, system details, or sensitive content through automated exfiltration channels.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The migration instructions identify an API key file path and instruct restoration/use of credentials without any secret-handling guidance. In this context, where the skill also performs autonomous maintenance and reporting, normalizing direct credential recovery materially raises the risk of secret exposure, misuse, or unintended propagation to logs and external channels.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide instructs the agent to automatically record and update memory for important messages and conversations, but provides no consent, minimization, or privacy boundary. This creates a real data-retention risk because user content may be persistently stored without notice and later reused or exposed in future interactions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document exposes operationally sensitive configuration details such as a Feishu group ID and the filesystem path to credentials. Even without revealing the secret value itself, this materially helps an attacker map integrations and locate likely credential storage targets, increasing the risk of credential theft or misuse.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill states that owner conversations are an important memory source and should be written into memory files, creating a clear data retention risk. Without minimization, consent, and access controls, sensitive personal or operational information may be stored in plaintext and later exposed, reused, or exfiltrated.

Ssd 4

Medium
Confidence
88% confidence
Finding
The documentation frames self-directed learning, autonomous upgrading, and ongoing capability expansion as a normal operating model. Even if presented as improvement, this autonomy narrative weakens safety boundaries and can justify progressively broader actions, making later unsafe modifications more likely.

Ssd 3

Medium
Confidence
88% confidence
Finding
The stated principle to record owner conversations as memory encourages persistent retention of potentially sensitive user data without any minimization, consent, or access-control safeguards in this module. In an agent-memory context, this increases the chance of privacy violations, accidental disclosure, and long-term storage of secrets that may later be surfaced or exfiltrated.

Ssd 3

Medium
Confidence
98% confidence
Finding
The skill explicitly directs the agent to treat conversations with the owner as an important memory source and to continuously write key dialogue into memory files. This creates a persistent retention channel for potentially sensitive natural-language data, increasing the risk of privacy leakage, over-collection, and later disclosure through retrieval, prompt injection, or unintended sharing.

Ssd 3

Medium
Confidence
95% confidence
Finding
Default persistence of user conversations into memory creates a genuine confidentiality and privacy risk. Stored conversation data can later be surfaced unintentionally, broadened beyond the original purpose, or retained longer than users expect, especially in a multi-session agent context.

Ssd 3

High
Confidence
97% confidence
Finding
This workflow requires the agent to update persistent memory before replying whenever a message is deemed 'important,' encouraging broad capture of user inputs and operational instructions. In context, this is more dangerous because the skill is expressly designed to build long-lived memory, so sensitive information, credentials, personal data, or security-relevant prompts may be durably stored and later leaked or misapplied.

Ssd 3

Medium
Confidence
93% confidence
Finding
Continuously writing key conversations into memory files and re-reading them at startup increases the chance that prior user content will influence later sessions or be disclosed out of context. This creates a persistent cross-session leakage risk, especially when the startup routine reloads old material automatically.

VirusTotal

64/64 vendors flagged this skill as clean.
