The first official Unibase Membase skill: decentralized persistent memory, purpose-built for OpenClaw Bot.

Security checks across malware telemetry and agentic risk

Overview

This memory backup skill is purpose-aligned, but it can expose secrets and restore remote data into local agent memory without enough safeguards.

Review before installing. Avoid running the documented echo commands for secrets, avoid passing passwords directly in visible shell commands, run status only with JSON disabled or after secret redaction is fixed, and do not restore unless you have verified the backup ID/source and preserved the current workspace. Request a complete package that includes the lib implementation before trusting the encryption, upload, download, and restore behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 87%
Finding:
The activation criteria are broad enough to trigger on generic requests like 'backup my workspace' or mentions of 'backup memories,' which can cause the agent to invoke this skill outside a clearly consented Membase-specific workflow. In a memory-management skill, unintended activation is risky because it may initiate backup, listing, or restore flows involving sensitive user data and credentials.

Missing User Warnings

Medium
Confidence: 96%
Finding:
The restore instructions tell the agent to run a restore directly into the local workspace and present a success message, but they omit any warning that local files may be overwritten or modified. In a memory/workspace context this is dangerous because a user could unintentionally lose current state, merge in stale or attacker-controlled content, or corrupt the agent's working memory without informed consent.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The restore command performs a destructive filesystem operation into the configured workspace immediately after download, but it provides no confirmation prompt, dry-run mode, or overwrite warning. If a user specifies the wrong backup ID or the backup contents differ from the current workspace, important local state can be silently overwritten or replaced, causing data loss or corruption.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The status command emits machine-readable JSON containing the full config object by default, which can expose sensitive operational details and potentially secrets if the config structure includes credentials or other private values. In agent ecosystems, this output is especially risky because other tools, logs, telemetry pipelines, or LLM consumers may automatically capture and forward stdout without the user realizing sensitive data was disclosed.

VirusTotal

61/61 vendors flagged this skill as clean.
