OpenCortex

Security checks across malware telemetry and agentic risk

Overview

OpenCortex is a coherent memory framework, but its autonomous background jobs, broad long-term memory capture, optional system crontab changes, and credential vault behavior warrant manual review before install.

Install only if you want an agent to maintain durable workspace memory and run scheduled maintenance jobs. Review the cron entries after install, decline optional git backup/metrics/voice/infrastructure features unless needed, prefer a system keyring for the vault, and test in a disposable workspace before using it with sensitive projects.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (29)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The instructions expand a memory-distillation task into host-level cron inspection by directing the agent to compare documented jobs against actual scheduler state. Even though the command shown is read-oriented, it accesses broader system operational metadata that is outside the minimum scope needed for straightforward memory maintenance, increasing unnecessary exposure of host state.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The dedicated Cron Health section instructs the agent to inspect host scheduling configuration and reason about timing collisions, which is an operational administration function rather than memory organization. This broadens the skill's reach into persistent system state and can reveal or normalize access to unrelated scheduled tasks on the machine.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The installer writes directly to the user's global crontab for git backup and metrics collection, which contradicts the stated 'isolated cron sessions scoped to workspace only' safety claims. Persistent scheduled execution changes host-level behavior beyond the workspace and can surprise users, especially if they expected only OpenClaw-managed isolated jobs.

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The script documents safe non-interactive behavior in ask_yn, but several later prompts for timezone, model, and secret mode still call read unconditionally. In automation or package-manager contexts this can hang installation, consume unexpected stdin, or produce unintended configuration from piped input.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The script claims to be workspace-scoped and non-destructive, but the metrics feature modifies the user's global crontab and executes a collection job immediately. That creates persistence outside the workspace boundary and can surprise users who expect only local file changes. The risk is primarily unauthorized persistence and unintended background execution, not direct code execution beyond what the script already does.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The header states the updater never overwrites customized files, but helper scripts and reference docs are replaced whenever checksums differ. This mismatch can silently destroy local modifications or trusted custom hardening, which is especially risky in an update script users run with high trust. The issue is deceptive and safety-relevant even if not overtly malicious.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
This script adds a general-purpose encrypted secret store to a skill whose stated purpose is memory organization and distillation, expanding the skill's privilege and data-handling scope beyond what users would reasonably expect. Even if implemented for convenience, introducing secret storage increases the chance that sensitive credentials are collected, persisted, or mishandled in a context that was not clearly justified or separately consented to.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The code implements passphrase discovery, storage, and retrieval across multiple backends including OS keyrings, environment variables, and local files. That creates a new credential-management surface inside an agent skill, which is sensitive by nature and can lead to unauthorized persistence or access to secrets if the surrounding trust model, access controls, and user expectations are not explicit.

Intent-Code Divergence

Low
Confidence: 84%
Finding
The comments say file-based passphrase storage is allowed only when explicitly enabled, but backend detection will automatically use an existing .vault/.passphrase file if present. That inconsistency can silently weaken security by re-accepting a less secure storage mode without renewed user intent or warning.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The script searches for memory database files under $HOME/.openclaw, which reaches outside the declared workspace scope and inspects global user state. Even though this is only a read-only verification check, it can disclose the existence, size, and paths of unrelated OpenClaw data from other projects, weakening isolation guarantees and potentially exposing sensitive operational metadata.

Vague Triggers

Medium
Confidence: 82%
Finding
The trigger phrases include broad, common language such as "organize yourself" and "stop forgetting," which could activate the skill in situations where the user did not intend persistent memory setup. Because this skill creates files, schedules cron jobs, and may enable long-term data retention, accidental invocation increases privacy and integrity risk.

Vague Triggers

Medium
Confidence: 89%
Finding
The document specifies automatic preference capture from broad natural-language phrases like "I prefer," "always do," and "I don't like," which can easily match casual, hypothetical, or context-specific statements. In a self-improving memory system, misclassifying transient conversation as persistent preference can poison long-term memory, causing the agent to store inaccurate user profiles and behave incorrectly across future sessions.

Missing User Warnings

Medium
Confidence: 94%
Finding
These instructions authorize extensive writes, updates, moves, and archival actions across many memory files without an explicit warning or confirmation step before data-changing behavior. In practice, an agent following them could silently alter or relocate user records, preferences, contacts, workflows, and project notes in ways that are hard for the user to review before the changes occur.

Missing User Warnings

Medium
Confidence: 90%
Finding
The workflow mixes file mutations with operational checks of cron state but does not clearly warn the user that system-level inspection will occur. This creates a consent and transparency issue because the skill's apparent purpose is memory organization, while the actual behavior reaches into scheduler state and updates records based on those results.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs the agent to create lockfiles, write summaries, append debriefs, create runbooks, move misplaced content, and reorganize multiple memory files without any explicit user confirmation or dry-run step. In a memory-management skill this behavior is functionally intended, but it still creates a real integrity risk because broad autonomous file mutation can overwrite, relocate, or entrench incorrect information across the workspace.

Missing User Warnings

Medium
Confidence: 88%
Finding
The installer copies vault.sh into the workspace and executes its init routine automatically when secure mode is selected, without showing the script contents or obtaining a dedicated execution confirmation. Running bundled code during install increases risk because users may not realize additional logic is being executed beyond file creation.

Missing User Warnings

Medium
Confidence: 84%
Finding
When metrics are enabled, the installer adds a persistent system crontab entry without a dedicated warning that a host-level scheduled task will be installed. Users may interpret 'enable metrics tracking' as an in-app feature rather than a modification to their shell account's crontab.

Missing User Warnings

Medium
Confidence: 89%
Finding
In non-interactive mode, ask_yn automatically accepts default yes answers, so many filesystem changes proceed without a contemporaneous confirmation. That is dangerous for automation pipelines because a caller may invoke the script expecting inspection-only behavior but instead gets persistent modifications. The risk is amplified by the script's broad write surface across workspace files.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script deletes duplicate cron jobs automatically during verification, and this path does not ask for confirmation. Removing scheduled jobs can break legitimate user configurations, especially if the matching logic is name-based and multiple jobs were intentionally present. Because cron state is persistent, accidental deletion has lasting operational impact.

Ssd 3

Medium
Confidence: 91%
Finding
The skill describes persistent summarization of daily work, contacts, preferences, infrastructure details, and even optional voice profiles into long-term memory files. This creates a substantial privacy and data-minimization risk because sensitive conversation content can be retained beyond the immediate task and later surfaced, backed up, or processed by scheduled jobs.

Ssd 3

Medium
Confidence: 90%
Finding
Automatic creation of contact and preference records from conversations means the system may infer and store personal data without a deliberate approval step for each subject. In the context of a memory architecture with recurring distillation and backup features, that persistence materially increases privacy exposure.

Ssd 3

Medium
Confidence: 95%
Finding
The instructions direct persistent collection of broad personal and behavioral data, including contacts, communication preferences, user info, and communication style. Even if intended for personalization, this creates a substantial privacy risk because sensitive personal context can accumulate over time without strong minimization, retention limits, or explicit consent controls in the workflow itself.

Ssd 3

Medium
Confidence: 97%
Finding
The Voice Profile section explicitly instructs the agent to harvest vocabulary, phrasing, reactions, and tone patterns from conversations into a persistent profile. This is sensitive behavioral profiling, and persistence of such inferences can meaningfully increase privacy risk and the chance of misuse beyond the user's immediate task.

Ssd 3

Medium
Confidence: 93%
Finding
The installed agent instructions require writing user preferences, decisions, deadlines, and corrections to persistent memory files before replying. That creates broad default retention of natural-language user data, including potentially sensitive personal or operational details, without any data minimization or consent boundary.

Ssd 3

Medium
Confidence: 94%
Finding
The memory principles encourage systematic capture of decisions and preferences and require scanning conversations for uncaptured details. This normalizes broad collection and persistence of user-provided information, increasing privacy risk and the chance that secrets or sensitive context are stored in plaintext files.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal