ACC Error Memory

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it needs review because it reads and stores conversation transcripts and can send excerpts to configured model commands.

Install only if you are comfortable with this skill reading OpenClaw session transcripts and creating persistent memory from them. Prefer local or explicitly trusted ACC_MODELS commands, avoid enabling recurring analysis for sensitive work, and periodically inspect or delete the workspace memory files it creates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill declares no explicit permissions while its documented behavior clearly uses environment variables, shell commands, and persistent file reads/writes. This creates a transparency and trust problem: operators and policy layers may underestimate what the skill can access or persist, making review and containment harder.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding:
The script samples prior conversations and sends assistant/user text to externally configured LLM CLI commands via ACC_MODELS. That creates a real data-exfiltration boundary because potentially sensitive workspace conversation content is disclosed to third-party model providers or arbitrary local commands without validation, minimization beyond truncation, or trust restrictions.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding:
The script expands a local error-tracking function into outbound calls to external LLM CLIs, which materially changes the trust boundary and data-handling behavior. Even if intended for better classification, this can send conversation content to third-party tooling or services and introduces nondeterministic external execution not obvious from the skill description.

Context-Inappropriate Capability

High
Confidence: 97%
Finding:
ACC_MODELS allows arbitrary command prefixes from the environment, and the script executes them with subprocess.run on untrusted conversation-derived input appended as an argument. Although shell metacharacter injection is avoided by passing a list, this still permits arbitrary program execution if an attacker can influence the environment, making the skill much broader and riskier than its stated purpose.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The README explicitly describes extracting user+assistant exchanges from transcripts and logging error patterns, but provides no warning, consent guidance, retention details, or privacy boundaries. In a memory/telemetry-style skill, transcript-derived logs can contain sensitive personal, business, or credential-adjacent information, so omission of data-handling disclosures creates a real privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The skill describes storing conversation-derived user and assistant exchanges for later analysis but provides no explicit privacy notice, retention warning, or data-handling limits. Persisting natural-language transcripts can capture secrets, personal data, and sensitive business context that may later be reprocessed or exposed.

Missing User Warnings

Medium
Confidence: 87%
Finding:
The script enumerates recent transcript files from the user's session directory and prints them to stdout without any notice, consent check, or minimization. Because this runs from cron, the output may be captured in logs or visible to operators, creating an unnecessary exposure of sensitive conversation metadata and normalizing automated access to private transcripts.

Missing User Warnings

Medium
Confidence: 90%
Finding:
Raw conversation content is embedded directly into the prompt and transmitted to external model commands, but the script contains no notice, consent flow, or policy guard around that disclosure. In a memory/error-tracking skill, sampled exchanges are especially likely to include sensitive user corrections, operational details, or proprietary context, making silent export materially risky.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The script forwards assistant and user conversation text into external model CLI calls without any explicit notice, consent flow, or redaction step. In an error-memory skill, these exchanges may contain sensitive prompts, personal data, secrets, or internal context, so silent export increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The script extracts assistant and user transcript text from session logs and writes those contents into a workspace JSON file for later analysis, but there is no user-facing notice, consent gate, minimization beyond truncation, or access control visible in this script. Because transcripts can contain sensitive prompts, secrets, personal data, or proprietary information, silently copying them into a secondary persistence location increases privacy and data-retention risk and broadens exposure if the workspace is accessed by other tools or users.

Ssd 3

Medium
Confidence: 94%
Finding:
The core design explicitly tracks and persists error-related conversation patterns across sessions, which necessarily retains user-provided and assistant-generated content over time. Even if intended for quality improvement, this creates cross-session data retention and leakage risk, especially when prior conversation details can influence future sessions.

Ssd 3

Medium
Confidence: 96%
Finding:
The preprocessing pipeline is documented to extract user and assistant transcript content into a pending analysis file, creating a new persisted dataset of conversational material. That intermediate file can become a leakage point, broaden access to sensitive content, and increase retention beyond the original transcript source.

VirusTotal

66/66 vendors flagged this skill as clean.
