Persistent Memory

Security checks across malware telemetry and agentic risk

Overview

This memory skill is not clearly malicious, but its one-command setup can automatically change user-level OpenClaw behavior and persistent memory indexing without enough control or rollback.

Install only if you want this skill to change OpenClaw memory behavior across future sessions. Before running unified_setup.sh, back up ~/.openclaw/openclaw.json, review the memorySearch extraPaths, and avoid indexing secrets, credentials, private identity files, or sensitive infrastructure details unless you are comfortable with agents retrieving them later.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding:
The skill clearly instructs users to run shell commands, create and modify files, and invoke Python scripts, yet it declares no permissions. This creates a transparency and consent problem: an agent or user may treat the skill as low-risk while it can read workspace files, write memory/index/config artifacts, and execute setup commands. In the context of a memory skill, some file and shell access is expected, but the absence of explicit permission declarations makes the capability set more dangerous because it obscures operational reach.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The advertised function is persistent memory, but the skill also changes OpenClaw configuration, broadens indexing to directive files, verifies active configuration, and may restart the gateway. Those side effects extend beyond a local memory store and alter agent-runtime behavior globally, which can affect compliance logic, privacy boundaries, and system stability. The mismatch is dangerous because users may approve a 'memory' skill without realizing it modifies home-directory or local agent configuration and changes what sensitive files become searchable.

Context-Inappropriate Capability

Severity: Medium
Confidence: 80%
Finding:
The skill's stated purpose is persistent memory and recall, but this script modifies a separate agent platform's live configuration and restarts its gateway. That expands the capability from data storage into environment reconfiguration and service control, which is dangerous in an agent skill because it can silently alter system behavior and persistence across sessions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The setup script for a 'persistent memory' skill goes beyond local memory initialization and explicitly instructs the user to configure OpenClaw so it will automatically search directive files such as SOUL.md and AGENTS.md. That expands the skill’s effective scope from storage/setup into behavioral-control integration, which can alter how agents consume high-priority instructions and create an unexpected trust boundary crossing for anyone running a seemingly simple setup script.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The setup script searches for and edits OpenClaw configuration files in the user's home directory, which changes behavior outside the local workspace boundary. This is dangerous because installing a workspace skill should not silently alter global agent behavior, and the added memorySearch paths can cause broader indexing of sensitive local files across future sessions.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The script modifies a user-level OpenClaw configuration file without any confirmation, preview, or backup step. Silent persistence changes are risky because they reduce user awareness and can enable ongoing collection/indexing behavior that affects later agent runs and potentially exposes unrelated workspace or home-directory content.

Ssd 3

Severity: Medium
Confidence: 95%
Finding:
The function automatically injects the raw user query plus retrieved memory snippets and graph-derived context into prompt-ready output, which can surface sensitive historical data into model context and downstream responses. In a persistent-memory skill, this is more dangerous because the whole purpose is cross-session recall, so secrets, personal data, or prior sensitive instructions may be reintroduced without access control, redaction, or relevance gating beyond simple distance and keyword checks.

VirusTotal

66/66 vendors flagged this skill as clean.