Shared Memory for Multi-Agent OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This skill has a clear shared-memory purpose, but it automatically changes multiple agent workspaces and creates ongoing cross-agent storage of user context without enough review controls.

Install only if you intentionally want durable memory shared across multiple agents. Before running setup, ask the agent to show all target paths and AGENTS.md changes, get explicit confirmation before edits, avoid storing secrets or sensitive personal details, and keep a way to inspect, edit, or delete the shared-knowledge directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill's activation language is overly broad and can trigger on ordinary discussion of multi-agent setups or user frustration about repetition, causing the agent to enter a workflow that creates files, edits AGENTS.md, and establishes shared state without sufficiently specific intent. In this context, broad triggering increases the chance of unintended persistence and cross-workspace data sharing, making the skill more dangerous than a purely informational setup guide.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill instructs the agent to automatically create directories, symlinks, and modify AGENTS.md files across workspaces without an explicit warning or consent checkpoint. That behavior can change system state, alter future agent behavior, and expand data-sharing boundaries in ways the user may not fully understand, especially because symlinks and config edits affect multiple workspaces persistently.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill is explicitly designed to persist and share user information, conversation summaries, and long-term memory across multiple workspaces, which materially increases the data exposure surface. Even if framed as convenience, automatic cross-agent sharing can spread sensitive personal, project, or organizational information beyond the originally intended workspace and normalize ongoing retention without granular consent.

Ssd 3

Medium
Confidence
94% confidence
Finding
Initializing shared memory with known user basic information and work context causes immediate propagation of potentially sensitive data into a shared repository before the user has necessarily reviewed the contents. In this skill context, that is especially risky because the information is intended for repeated access by multiple agents and may persist indefinitely.

Ssd 3

Medium
Confidence
96% confidence
Finding
Requiring every session to read and update shared files with conversation content and decisions establishes continuous, default surveillance-like persistence of user interactions. This creates a durable cross-agent transcript pipeline that can unintentionally capture sensitive data, increase insider exposure between workspaces, and make future misuse or over-collection more likely.

Ssd 3

Medium
Confidence
96% confidence
Finding
The ongoing protocol directs agents to read all other agents' sync files and update shared memory with user info, preferences, decisions, and summaries, effectively broadening access to a consolidated profile across all connected workspaces. As the number of agents grows, this creates a compounding privacy and confidentiality risk, since each additional workspace gains visibility into a larger pool of retained user data.

VirusTotal

64/64 vendors flagged this skill as clean.
