Openclaw Cc Contrib

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local memory-management suite, but it can automatically store conversation details and later rewrite or delete memory files without strong review controls.

Install only if you want OpenClaw to keep durable local memories from your conversations. Avoid enabling automatic extraction or the dream-rem cron until you are comfortable with background reads, writes, and pruning; keep secrets, credentials, private journal details, and sensitive project data out of conversations that may be summarized; review memory/topics and MEMORY.md regularly and keep backups before consolidation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Description-Behavior Mismatch

High
Confidence: 93%
Finding
The skill's declared purpose in the surrounding context is post-conversation memory extraction, but this file implements a much broader autonomous maintenance workflow that scans, rewrites, and deletes memory artifacts across the workspace. That scope mismatch is dangerous because users or orchestrators may grant or trigger it under a narrower trust assumption, enabling unintended destructive changes to persistent memory files.

Context-Inappropriate Capability

Medium
Confidence: 85%
Finding
The skill instructs operators to install a cron job that autonomously executes periodic memory consolidation, including file modification and deletion, even though the parent skill context is not an unattended maintenance capability. Autonomous scheduled execution increases risk because it can perform broad state changes without contemporaneous user review, making mistakes or abusive behavior harder to catch before data is altered.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The provided skill file does not match the declared skill metadata: the manifest says this is a memory-extraction skill, but the file implements a code-review/simplification workflow. This mismatch can cause the wrong capability to be invoked under trusted triggers, confusing users and any policy layer that relies on metadata to decide what the skill is allowed to do.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The file content is a prompt template for code simplification review, but the skill metadata claims the skill extracts conversation memories after a dialogue ends. This mismatch is dangerous because a user or orchestrator invoking the memory-extraction skill could instead trigger unrelated repository inspection behavior such as running git diff and reviewing changed files, causing unintended data access and violating least-privilege expectations.

Missing User Warnings

Medium
Confidence: 88%
Finding
The README describes automatic extraction of conversation-derived memories and writing them to persistent memory files, but it does not clearly state that user-provided information will be stored or require explicit consent before doing so. This creates a privacy and safety risk because sensitive user data may be retained automatically without adequate notice or review.

Missing User Warnings

Medium
Confidence: 90%
Finding
The README states that dream-rem may delete outdated content and rewrite MEMORY.md, but it does not prominently warn users about destructive modifications to stored files or recommend safeguards. Even if intended for maintenance, automatic deletion and index rewriting can cause loss of important information or corruption of the memory store if triggered incorrectly.

Missing User Warnings

Medium
Confidence: 90%
Finding
The workflow explicitly includes deleting outdated content and rewriting MEMORY.md, yet it does not provide a prominent user-facing warning about irreversible data loss or require confirmation before destructive actions. In a memory-management context, silent deletion is particularly risky because users may treat stored notes as authoritative history and may not notice that conflicting or older information was removed.

Missing User Warnings

Medium
Confidence: 92%
Finding
The cron-triggered mode combines unattended execution with file writes, rewrites, and deletions, but there is no explicit warning that modifications may occur automatically in the background. This is more dangerous than a manual destructive workflow because users may be unaware that persistent memory state can change or be pruned without direct invocation at the time of change.

Vague Triggers

Medium
Confidence: 92%
Finding
The skill auto-triggers on common conversation-ending phrases and on heartbeat timing, which can cause persistence actions during ordinary chat closure without a clear, fresh user request. Because the action writes extracted session content into long-lived memory files, an overly broad trigger meaningfully increases the chance of unintended retention.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill states that it will persist conversation-derived information into `memory/topics/` and update `MEMORY.md`, but it does not require clear notice or consent at the point of collection. Users may reasonably believe they are ending a conversation, not authorizing durable storage of preferences, constraints, or references extracted from that session.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill instructs scanning daily journals as part of routine processing and later permits modifying daily files, but it does not prominently warn the user that potentially sensitive journal content may be read and altered. Because daily notes often contain private or high-sensitivity information, this creates a consent and privacy risk beyond ordinary memory-file maintenance.

Missing User Warnings

Medium
Confidence: 92%
Finding
The permissions section advertises write access to MEMORY.md, topics/, and daily files, but it does not clearly communicate the consequences of those modifications or the possibility of destructive changes. A user may invoke the skill expecting organization assistance without understanding that it can rewrite or delete memory-related content, including journal files.

Vague Triggers

Medium
Confidence: 87%
Finding
The auto-trigger text says the skill may run automatically after code submission, but the condition is vague and not bounded by clear scope, consent, or filtering criteria. Ambiguous automatic invocation can cause unintended execution on sensitive repositories or conversations, leading to surprise data access, unnecessary analysis, or workflow interference.

Ssd 3

Medium
Confidence: 91%
Finding
The skill explicitly retains and organizes user roles, preferences, corrections, and project constraints in natural-language memory files. This creates a real data retention risk because sensitive or identifying information may persist across sessions and be exposed to later prompts, other tools, or unauthorized file access.

Ssd 3

Medium
Confidence: 95%
Finding
The skill explicitly persists extracted information from each conversation into a memory directory for future sessions. This creates a real data retention risk because user and project details may be stored without clear minimization, consent, retention limits, or sensitivity filtering, increasing the chance of privacy leakage across sessions or via file access.

Ssd 3

Medium
Confidence: 97%
Finding
The extraction criteria cover broad categories such as decisions, preferences, project conventions, and technical solutions, which can easily include sensitive business context, internal endpoints, operational details, or personal profile information. Because the categories are open-ended and intended for persistence, the skill materially increases the likelihood of storing confidential or unnecessary data long-term.

Ssd 4

Medium
Confidence: 96%
Finding
The workflow reads the full conversation, extracts notable details, saves them persistently, and only emits a brief notification afterward. This is dangerous because it normalizes silent background collection of potentially sensitive context, reducing user awareness and making over-collection or cross-session leakage more likely in exactly the setting where the skill is designed to operate automatically.

Ssd 3

Medium
Confidence: 94%
Finding
Persisting broadly collected conversation details to memory files creates a data-retention risk, especially when the scope includes durable notes about users, projects, and system references. Even if intended as a productivity feature, storing account, tool, URL, or path references can expose sensitive operational context beyond the original conversation.

Ssd 3

Medium
Confidence: 96%
Finding
This section directs whole-session scanning for user decisions, preferences, constraints, and external-system pointers, which is broader than necessary and increases the chance of retaining sensitive or contextually private information. Semantic extraction across the entire session can capture data the user never intended to save, including identifying habits, deadlines, and infrastructure references.

Ssd 3

Medium
Confidence: 97%
Finding
Automatic end-of-conversation and heartbeat-triggered extraction is more dangerous than manual saving because it can persist data without a contemporaneous request. In combination with `sessions_history` access and file write permissions, this creates a meaningful privacy risk of silently retaining sensitive session content in durable storage.

VirusTotal

65/65 vendors flagged this skill as clean.