Brain CMS

Security checks across malware telemetry and agentic risk

Overview

This is a local memory-system skill, but it persistently changes future agent instructions and private memory files in ways users should review before installing.

Install only if you want a persistent local memory layer that can change future agent behavior and mutate memory files. Back up AGENTS.md and the memory folder first, avoid storing secrets in daily logs or schemas, review REM/NREM changes before relying on them, and prefer running the sleep-cycle scripts manually until you trust the workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# ─── Install ───────────────────────────────────────────────────────────────────
import subprocess

def run(cmd: str, check: bool = True) -> bool:
    # Flagged line: the command string is passed to a shell (shell=True),
    # so any untrusted content in cmd is interpreted by that shell.
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    if check and result.returncode != 0:
        print(f"  [WARN] {result.stderr[:100]}")
        return False
    return True
Confidence
90% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill declares shell-based install steps that create a virtual environment, install Python packages from external sources, and pull Ollama models. Even if these steps are consistent with the stated memory/vector-store functionality, they expand the attack surface through supply-chain risk and arbitrary shell execution during installation, which is a real security concern for a skill definition.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The docstring states the action should confirm before running, but the implementation proceeds immediately and performs sensitive actions: reading weekly logs, sending them to a local HTTP service, modifying memory files, and writing a persistent log. In an agent-skill context, mismatches between stated safeguards and actual behavior are dangerous because users or orchestration layers may rely on the advertised confirmation step.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger list includes very broad terms such as 'brain', 'memory system', and 'long-term memory', which can cause the skill to activate in contexts beyond its intended use. Overbroad invocation is dangerous because it can unnecessarily introduce persistence, retrieval, or install guidance into unrelated sessions, increasing the chance of unsafe tool use or context contamination.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends raw schema/document chunk text to an HTTP service for embedding generation without any consent prompt, classification, or safeguard around potentially sensitive content. Even though the endpoint is configured as localhost, this still creates a real confidentiality boundary because the local service may be containerized, proxied, logged, exposed remotely, or replaced by a different backend.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script transmits weekly log contents to an Ollama HTTP endpoint without a runtime warning or consent check, and those logs may contain sensitive personal or operational data. Even though the destination is localhost, local services can still be exposed through container port mappings, proxies, shared hosts, or compromise of the local machine.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script appends LLM-generated content directly into persistent memory schema files with no approval, validation, or rollback mechanism. In this context, that can corrupt trusted knowledge files, introduce hallucinated facts, or allow prompt-influenced content from prior logs to become durable state.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This installer performs many writes under the user's ~/.openclaw/workspace, creates directories, copies scripts, creates a virtualenv, installs packages, and modifies or creates AGENTS.md without prompting for confirmation. In an agent-skill context this is more dangerous because users may not realize the skill persistently changes workspace behavior and future agent instructions, which can affect subsequent runs and trust boundaries.

VirusTotal

65/65 vendors flagged this skill as clean.