Structured Vector Memory (SVM)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed memory-automation skill, but it can repeatedly review conversations and change persistent agent memory without clear per-action approval.

Install only if you intentionally want ongoing automatic memory maintenance over your OpenClaw conversations. Before enabling cron or autoCapture/autoRecall, review what sessions may be summarized, audit the separate memory-lancedb-pro and Jina data handling, and require manual review for changes to MEMORY.md, SYSTEM_GUIDE.md, archived memories, or vector-memory deletions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 87%
Finding
The skill advertises many broad natural-language trigger phrases such as '记忆系统', 'memory system', and '记忆管理', which could be matched during ordinary discussion rather than an explicit request to run the skill. Because this skill performs persistent memory operations and maintenance actions, accidental activation could cause unintended storage, consolidation, or retrieval of sensitive context.

Vague Triggers

Medium
Confidence: 91%
Finding
The manual trigger condition for daily memory handling is underspecified: the instruction says to run when the user says '整理记忆' without defining authorization, scope, or confirmation boundaries. In a memory-management skill, vague activation is risky because an incidental phrase could trigger durable recording or summarization of session content.

Vague Triggers

Medium
Confidence: 90%
Finding
The memory distillation workflow can be manually triggered by vague phrases like '蒸馏记忆' or '压缩上下文' even though the operation includes editing, archiving, and cleaning persistent memory. Since distillation can remove or rewrite important context, accidental or socially engineered activation could degrade memory integrity or erase useful safeguards.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script silently appends operational instructions into a shared HEARTBEAT.md file that is intended to trigger downstream agent behavior, including reviewing prior conversations and creating summary/memory artifacts. This creates an implicit automation channel without user confirmation, audit controls, or validation of what the agent will do with the injected task, which can lead to unauthorized data processing or persistence of sensitive conversation content.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script unconditionally appends operational tasks into a user-controlled workspace file (HEARTBEAT.md) without notice, consent, locking, or validation that the target is the expected file. In a memory-management skill, silently modifying workspace state is security-relevant because it can create persistence, alter agent behavior, and be abused if the path is redirected via symlink or prior filesystem manipulation.

VirusTotal

66/66 vendors flagged this skill as clean.
