Soul Memory

Security checks across malware telemetry and agentic risk

Overview

This is a real long-term memory skill, but it installs broad persistent automation and exposes sensitive local conversation memory with weak safeguards.

Install only if you intentionally want an always-on local memory system that can read OpenClaw session logs, store conversation content, inject memories into future prompts, and modify OpenClaw/plugin/cron configuration. Review and patch the plugin shell execution before enabling it, keep the web UI bound to localhost with authentication, avoid storing secrets, and back up memory/workspace files before using cleanup or rollback features.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (65)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The manifest advertises no declared permissions while describing installation scripts, plugin hooks, local file manipulation, shell execution, and network-linked components. This creates a transparency and consent problem: users may install a skill believing it is low-privilege when it can read/write local state, modify OpenClaw configuration, and execute commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The top-level description frames the skill as a narrow heartbeat-trigger fix, but the document describes a much broader system: persistent memory storage, automatic context injection, auto-save, plugin integration, install/uninstall scripts, and web/dashboard features. This mismatch can mislead reviewers and users about the true attack surface, causing them to approve or install a far more invasive capability set than expected.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file’s behavior materially differs from the stated skill purpose: instead of implementing incremental heartbeat retrieval, it enumerates all markdown files in the memory store and removes content matching broad Heartbeat-related regexes. In a memory-management skill, silent bulk deletion of historical context can cause integrity loss, make later reasoning incomplete, and hide operational history; the hardcoded path under /root also increases the blast radius if deployed with elevated privileges.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code automatically commits memory data into version control, creating an additional persistence and propagation channel for user-derived content. This is dangerous because sensitive conversation data may become part of repository history, making deletion harder and increasing exposure through sync, backup, or sharing workflows.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The installer adds persistent cron-based automation and generates an additional daily archival script, which materially exceeds the metadata's narrowly stated heartbeat-window repair purpose. This is dangerous because users expecting a small bugfix instead receive ongoing background behavior that changes data retention and execution patterns on the host.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The installer creates an OpenClaw plugin that hooks before every prompt build and injects memory results, a significant capability not reflected in the manifest description of a heartbeat-window fix. This expands the attack and privacy surface by persistently intercepting user prompts and altering model context on every response.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script rewrites HEARTBEAT.md and later modifies shell startup files, introducing persistent behavioral and environment changes beyond the stated repair intent. Such undisclosed changes can alter agent behavior and user environments long after installation, making the skill more invasive than advertised.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The generated plugin uses a prompt-building hook to execute a shell command for every response, passing derived user message content into a subprocess invocation. Even though it targets a local Python CLI, this creates a recurring command-execution path coupled to untrusted prompt data and is far broader than the described heartbeat fix.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
`force_merge()` acquires `self.lock` and then calls `_merge_segments()`, which attempts to acquire the same lock again. Because the lock is a `threading.RLock`, this is not a deadlock in the current implementation, so the static finding's wording is inaccurate; however, there is still a real reliability issue because `force_merge()` performs the merge synchronously while holding the lock and can block other operations for the duration of the full index write. In a memory/indexing skill, this can degrade availability and stall concurrent indexing or search requests.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
This module can initialize repositories, stage files broadly with `git add .`, and create commits, which is materially broader than the skill description about heartbeat/context-window memory retrieval. In an agent skill, that extra capability increases risk because a caller could persist unintended workspace contents or alter repository state without clear scope restrictions.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
`rollback()` executes `git reset --hard` on a caller-supplied commit hash, which can irreversibly discard uncommitted changes and rewrite the working tree. Because this destructive capability is not reflected in the skill description, it is especially concerning in an agent context where hidden state-changing operations may be invoked unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The plugin constructs a shell command with user-derived query text and executes it via `child_process.exec`, which invokes a shell. Escaping only double quotes is insufficient because shell metacharacters inside double-quoted strings can still trigger command substitution, creating a command-injection path from conversation content to local code execution.

Description-Behavior Mismatch

Medium
Confidence
78% confidence
Finding
The manifest/description says this skill repairs heartbeat-trigger incremental-window behavior, but the code actually hooks `before_prompt_build`, searches memory for every user query, classifies content, and injects results into prompts. This capability mismatch undermines review and user/operator expectations, which is a security problem because hidden prompt-time data access can bypass intended trust boundaries.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill exposes Cantonese analysis, suggestion, and learning endpoints that are unrelated to the stated heartbeat-based memory management purpose. This kind of scope expansion increases attack surface and introduces undocumented data-processing behavior, especially because one endpoint persists new patterns, creating an unjustified capability that could be abused for unauthorized retention or behavior shaping.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The file implements a broad web dashboard and backend API surface that goes well beyond the manifest description of heartbeat-trigger memory management fixes. Even if individual endpoints are not directly exploitable, undocumented service functionality is a security concern because operators and reviewers cannot accurately assess exposure, and attackers benefit from unexpected interfaces.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The unauthenticated learning endpoint accepts arbitrary user input and feeds it into persistent Cantonese pattern learning, despite having no clear relation to the skill’s declared purpose. An attacker could poison stored language patterns, cause retention of untrusted content, or manipulate downstream behavior without any access control or approval step.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file behavior materially diverges from the stated skill purpose: instead of heartbeat/memory-window logic, it installs web dependencies and starts a FastAPI server. In an agent-skill context, undocumented network services and hidden capability expansion increase attack surface and can enable unintended data exposure or remote interaction.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This script performs runtime package installation and binds a web server to 0.0.0.0:8000, making it network-accessible on all interfaces. For a skill described as heartbeat-memory management, that is an unjustified privileged behavior that increases exposure to supply-chain risk, accidental service exposure, and potential unauthorized access to any data handled by the UI.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The manual-save trigger phrases are broad enough to match ordinary conversation, which can cause users to unintentionally persist sensitive content. In a memory-management skill that writes to local stores, ambiguous natural-language triggers materially increase the risk of over-collection and retention of personal or confidential data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill describes automatic persistence to JSON indexes and daily markdown files without a clear user-facing warning or consent mechanism. Silent or poorly disclosed storage of conversation content is dangerous because users may reveal sensitive information without understanding it will be retained locally and potentially surfaced later.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The installation guide instructs users to run a cleanup script and rely on an automated cron job that deletes stored entries, but it does not prominently warn that data will be modified or removed or recommend a backup/review step first. In a memory-management skill, undocumented or underemphasized deletion behavior increases the risk of accidental loss of user data or important operational context, especially when automation is involved.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The release notes describe automatic context injection triggered by a keyword such as `QST` without defining strict matching rules, scope limits, or safety boundaries. In a memory-management skill, broad trigger conditions can cause unintended retrieval and injection of stored content into future interactions, increasing the risk of prompt-context contamination, privacy leakage, and unpredictable agent behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The notes advertise automatic archiving and context injection affecting user-provided content, but they do not warn users that data may be persistently stored and later reused. In a memory system, lack of transparency about retention and reuse can lead users to disclose sensitive information under false assumptions, creating privacy and consent risks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The usage example instructs users to store content via `soul"標籤名"` but does not warn that the text will become part of persistent memory and may be automatically injected into future conversations. This omission is especially risky because users are being given an easy archival syntax that could encourage storing sensitive material without understanding downstream exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill describes pre-response search, post-response auto-save, and automatic memory handling, but it does not provide a clear user-facing warning about ongoing collection and reuse of conversation content. In a memory tool, this is especially sensitive because prompts may contain secrets, personal data, or proprietary information that will be persisted and later re-injected into future contexts.

VirusTotal

67/67 vendors flagged this skill as clean.