ClawHub

Reflexlearn

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built to learn from user prompts, but it automatically stores raw prompts and can modify long-term agent behavior in ways that are not consistently disclosed.

Review this before installing if your prompts may contain secrets, personal data, or sensitive work. Use cautious mode, inspect and prune ~/.openclaw/reflex_history.json and MEMORY.md regularly, avoid --use-ollama unless you trust the local service, and be aware that heartbeat reinforcement can write directly to SOUL.md despite the cautious-mode wording.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no permissions even though its documented behavior clearly includes reading and writing local files and performing network access during installation and potentially via optional local HTTP calls. This creates a transparency and policy-enforcement gap: users or orchestration systems cannot accurately reason about the skill's capabilities, increasing the chance of unintended file modification or network exposure.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The README presents conflicting safety semantics: it says cautious mode stages SOUL.md updates for review, but elsewhere indicates positive reinforcement writes directly to SOUL.md. For a skill that persistently modifies long-term behavior files, ambiguous documentation can cause operators to enable or trust automation under false assumptions, leading to unintended persistent state changes.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
When --use-ollama is enabled, the skill sends original and repeated user queries to a local HTTP service without sanitization or explicit consent at the point of transmission. Even though the target is localhost, this still expands the trust boundary to another process that may log, retain, or mishandle sensitive prompts.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README describes continuous logging of user queries, repeats, and inferred satisfaction signals into persistent files without a clear privacy notice, consent model, or data minimization guidance. In an agent skill context, this can silently retain sensitive prompts, preferences, and behavioral metadata across sessions, increasing privacy and compliance risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Aggressive mode is documented as writing directly to SOUL.md, a persistent behavior-shaping file, without a prominent warning about automated modification of long-term agent state. This creates a risk of silent drift, prompt poisoning persistence, or unsafe learned behaviors being embedded without operator review.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill persists full user queries and embeddings to disk in history and memory artifacts without filtering or consent checks, which can capture secrets, personal data, or sensitive business content. Because this skill is triggered automatically post-response/heartbeat, users may not realize their prompts are being stored long-term.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The Ollama request includes raw user query content in the prompt body and sends it to another service without an explicit disclosure workflow. Localhost does not eliminate privacy risk because another local service may log requests, persist data, or be replaced by an unintended listener.

Ssd 3

Medium
Confidence
93% confidence
Finding
The documentation explicitly describes durable storage of user queries and inferred preferences in MEMORY/history files. Storing user-provided content and derived attributes verbatim can preserve secrets, personal data, or sensitive work context beyond the original interaction, making later exposure or misuse more likely.

Ssd 3

Medium
Confidence
92% confidence
Finding
The examples encourage writing repeated user queries and assessments of answer quality directly into persistent memory files. In practice, example-driven implementation often becomes normative behavior, which can normalize verbatim retention of potentially sensitive prompts and create a durable record of user activity.

Ssd 3

Medium
Confidence
90% confidence
Finding
The preference extraction example directs the system to derive and persist user preferences from inputs. Persisting inferred preferences can create a behavioral profile of the user, and because it is durable, future sessions may be influenced by sensitive or stale inferences that the user never explicitly consented to store.

Ssd 3

Medium
Confidence
93% confidence
Finding
The configuration and mode descriptions encourage automatic writes of learned patterns into long-term memory files based solely on observed user behavior. In an agent skill, this creates a pathway for unintended persistence of adversarial, mistaken, or privacy-sensitive patterns that can influence future outputs.

Ssd 3

High
Confidence
97% confidence
Finding
This code creates a durable local corpus of raw user prompts and semantic embeddings, which is a clear data retention and leakage risk if the files are accessed by other local processes, users, backups, or later surfaced by the agent. In a learning skill whose purpose is to write to MEMORY.md/SOUL.md, this context makes the risk more serious because retention is a core behavior rather than an incidental log.

Ssd 3

High
Confidence
96% confidence
Finding
Reflection and preference extraction copy user-provided text directly into MEMORY.md, pending files, and sometimes SOUL.md, turning transient prompts into long-term instruction-like artifacts. That can leak sensitive content and also cause untrusted user text to influence future agent behavior through persistent memory.

Unpinned Dependencies

Low
Category
Supply Chain
Content
sentence-transformers>=2.2.2
numpy>=1.24.0
huggingface-hub>=0.14.0
Confidence
95% confidence
Finding
sentence-transformers>=2.2.2

Unpinned Dependencies

Low
Category
Supply Chain
Content
sentence-transformers>=2.2.2
numpy>=1.24.0
huggingface-hub>=0.14.0
Confidence
98% confidence
Finding
numpy>=1.24.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
sentence-transformers>=2.2.2
numpy>=1.24.0
huggingface-hub>=0.14.0
Confidence
94% confidence
Finding
huggingface-hub>=0.14.0

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Critical
Category
Supply Chain
Confidence
83% confidence
Finding
numpy

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal