memory-compression-system

Security checks across malware telemetry and agentic risk

Overview

The skill is generally aligned with memory compression, but its installer can start recurring background automation without a clear opt-in.

Install only if you want this skill to read and copy OpenClaw memory, create retained compressed files and backups, and potentially run every 6 hours. Before running install.sh or enable.sh, review the cron job behavior, retention settings, and config file, and know how to remove the scheduled job with disable.sh or OpenClaw cron management.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises extensive shell-scripted behavior such as install, enable, cleanup, backup, restore, and cron management, but does not declare corresponding permissions or capabilities up front. This weakens user consent and review because operators may install a skill expecting passive memory tooling while it can modify files, schedules, and local state through shell execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior goes well beyond simple 'memory compression' and includes installation, local configuration changes, cron job creation/removal, backups of other directories, and retention-based deletion. That mismatch is dangerous because users may authorize the skill under a narrower mental model, leading to unintended persistence, data modification, or data loss.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The documentation states 'Network: Local only' while also advertising email alerts and Telegram notifications, which imply outbound network communication. Inconsistent security disclosures can mislead users and reviewers about exfiltration risk, especially for a skill that processes memory and search data that may contain sensitive content.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The enable script establishes persistent automation by creating an OpenClaw cron job that runs every 6 hours and triggers an agent action. This expands the skill from an on-demand utility into autonomous execution with ongoing access to the environment, which increases risk if the compression script or its dependencies are later modified, misconfigured, or abused.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The installer automatically creates a recurring OpenClaw cron job that executes future commands in an isolated session, establishing persistence without explicit opt-in during installation. While scheduled compression is aligned with the skill’s theme, silently registering background automation expands the skill’s operational scope and can surprise users or be abused if the invoked scripts are later modified.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The installer reaches beyond its own skill directory to back up other skills and export platform cron state, which exceeds least-privilege expectations for a memory/compression installer. Even if framed as migration/backup behavior, touching unrelated components increases access to potentially sensitive data and broadens blast radius if the script is misused or altered.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script executes `source "$CONFIG_FILE"`, which causes any shell code present in the configuration file to run with the privileges of whoever invokes the status command. Because this is a read-only/status utility, code execution from configuration is unnecessary and significantly expands the attack surface if the config file is modified, replaced, or comes from an untrusted install/update path.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The README advertises automatic compression and cleanup of memory files, including retention-based deletion, but does not clearly foreground that enabling the skill will modify and potentially remove stored data on a schedule. In a memory-management skill, this is especially risky because users may assume safe optimization while automated jobs alter persistent context, leading to unintended data loss or corruption if misconfigured or misunderstood.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The quick-start flow tells users to run install and enable scripts immediately, while later sections indicate the system performs scheduled compression and cleanup automatically. Without an upfront warning that enabling the skill starts recurring data-changing operations, users can activate automation on live memory stores without informed consent, increasing the chance of unexpected modification or deletion of important context.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The skill is described in broad, always-on terms such as integrated management, automation, and scheduling without clear invocation boundaries or a concise statement of when destructive or persistent actions occur. In an agent ecosystem, vague activation semantics increase the chance the skill is invoked in contexts where the user did not intend file modifications, cleanup, or scheduled execution.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill prominently documents automatic cleanup, retention enforcement, and file removal but does not provide an upfront warning that data, backups, and logs may be deleted automatically. For a memory-management tool handling potentially important context, silent retention-based deletion can cause irreversible loss of operational or forensic data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script silently edits the configuration file to enable features without prompting, backup, or validation. While not directly code execution, unannounced state changes can surprise operators, weaken change control, and make it easier for a skill to alter host behavior beyond what the user expected.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script creates a recurring scheduled job without prior confirmation or a prominent persistence warning. In the context of an agent skill, unattended recurring execution is more dangerous because it can repeatedly invoke agent capabilities and continue operating after the initial install, reducing user awareness and control.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script enables recurring background execution with no explicit warning or consent flow, so a user running install may unknowingly authorize ongoing automated actions. In agent environments, silent persistence is especially risky because future executions may process workspace data repeatedly and continue after the user assumes setup is complete.

VirusTotal

65/65 vendors flagged this skill as clean.