ClawMem

Security checks across malware telemetry and agentic risk

Overview

ClawMem appears to be a real memory tool, but it automatically records and keeps detailed agent activity locally without enough user control or privacy safeguards.

Install only if you intentionally want persistent local agent memory. Before enabling it, decide which event types may be captured, avoid storing secrets or regulated data, add redaction and retention/deletion controls, and restrict who or what can query detailed historical memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (17)

Missing User Warnings

Medium
Confidence: 94%
Finding
The README explicitly promotes 'silent' lifecycle monitoring and automatic interception of session, tool, and memory events without an accompanying user-facing consent, notice, or privacy warning. In a memory-management skill, this creates a real privacy and compliance risk because users and operators may not realize conversational data and tool inputs are being captured automatically.

Missing User Warnings

Medium
Confidence: 92%
Finding
The architecture section states that L2 stores full content, metadata, and embeddings, but the documentation does not clearly warn that detailed session content may be persisted to disk. This is dangerous because operators may enable the system assuming it only stores summaries, while in reality it can retain sensitive prompts, outputs, and tool data long-term.

Missing User Warnings

Medium
Confidence: 95%
Finding
The README explicitly advertises automatic interception of session, tool, and memory events, but does not warn users that these events may contain sensitive prompts, tool arguments, tokens, or personal data that will be stored persistently. In a memory-management skill for an agent framework, silent lifecycle capture increases the risk of unintentional collection and later exposure of confidential data.

Missing User Warnings

Medium
Confidence: 93%
Finding
The usage examples show storing full L2 details and retrieving detailed session data without any caution that secrets, PII, prompts, or tool outputs may be persisted and later surfaced. Because this skill is specifically designed to centralize and retrieve memory, examples that normalize full-content storage can lead integrators to save sensitive data by default.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly advertises automatic lifecycle monitoring, event interception, and memory storage, but the documentation provides no warning, consent flow, scope limits, or retention controls for captured data. In an agent environment, intercepted events may contain prompts, tool arguments, session identifiers, or other sensitive user/workspace data, so silent persistence creates a real privacy and data-governance risk even if the feature is intended for optimization rather than exfiltration.

Missing User Warnings

Medium
Confidence: 84%
Finding
The guide explicitly encourages retrieving complete session records and L2 details, which are likely to contain raw conversational content, tool outputs, and other potentially sensitive memory data, but provides no access-control, minimization, or redaction guidance. In a memory-management skill, normalizing broad session retrieval without privacy warnings increases the chance that downstream users or agents will expose secrets, personal data, or internal context unnecessarily.

Missing User Warnings

Medium
Confidence: 94%
Finding
The monitor stores lifecycle event data, including session identifiers and in some cases full payload contents, into persistent memory tiers without any visible consent, notice, or minimization control in this component. In an agent skill context, event payloads can contain prompts, tool arguments, memory contents, and other sensitive user or system data, so silent retention materially increases privacy and data-exposure risk.

Natural-Language Policy Violations

Medium
Confidence: 92%
Finding
The comments explicitly describe the monitor as fully automatic and non-transparent, which aligns with code that intercepts events and stores them in the background. In a memory-management skill integrated with an agent platform, hidden monitoring is especially risky because it can capture behavioral and content data without user awareness, undermining privacy expectations and making misuse harder to detect.

Missing User Warnings

Medium
Confidence: 90%
Finding
The L2 storage path writes full_content and metadata directly into persistent local storage with no consent flow, data classification, minimization, encryption, or retention controls visible in this module. In a memory system designed to capture conversational or operational context, this can persist secrets, personal data, or tokens, increasing the blast radius if the host is shared, compromised, or backed up insecurely.

Missing User Warnings

Medium
Confidence: 95%
Finding
The function logs raw user-supplied search keywords directly to console output, which can expose sensitive memory content, personal data, secrets, or investigative terms to logs that may be retained or viewed by operators. In a memory-management/search component, search inputs are especially sensitive because they often reflect exactly what a user is trying to retrieve from stored history.

Missing User Warnings

Medium
Confidence: 98%
Finding
Logging the entire advanced search query object is a stronger disclosure issue because it can include keywords, session IDs, tags, time ranges, event types, and other potentially sensitive metadata in one place. This broad logging increases the chance of privacy leakage and sensitive operational data exposure through application logs, especially in a system designed to store and retrieve memory records.

Missing User Warnings

Medium
Confidence: 95%
Finding
The module starts lifecycle monitoring immediately on import, which means passive observation of session or event data can begin before a user or operator has explicitly opted in. In a memory-management skill whose purpose is to capture and retrieve session context, this increases the chance of collecting sensitive interaction metadata without clear notice or consent.

Missing User Warnings

Medium
Confidence: 89%
Finding
The demo code persists session and user-related data, including session IDs, user IDs, tool calls, and query contents, without any warning that this information may be stored. Even though this is demo functionality, it normalizes unsafe usage patterns and may lead integrators to persist conversational or tool-derived data without considering privacy, retention, or minimization requirements.

Ssd 3

Medium
Confidence: 95%
Finding
The README encourages unnoticeable monitoring and automatic interception of core OpenClaw lifecycle events, which naturally includes potentially sensitive user conversations and tool arguments. In the context of an agent memory extension, this materially increases the chance of collecting and later exposing personal data, secrets, or proprietary inputs.

Ssd 3

Medium
Confidence: 90%
Finding
The examples show storing and retrieving complete details and session/tool-related content on demand, normalizing retention of full interaction data rather than minimized summaries. That increases exposure risk because sensitive user inputs or tool responses can be preserved and later surfaced to other components or users.

Ssd 3

Medium
Confidence: 93%
Finding
The integration example encourages a skill to search for 'user queries' and include details directly in later skill execution. This creates a realistic cross-session data leakage pattern where historical user content may be pulled into future responses without sufficient authorization, purpose limitation, or minimization.

Ssd 3

Medium
Confidence: 96%
Finding
This code persistently stores full event payloads via JSON serialization and associates them with session identifiers in multiple memory layers, creating a durable logging pipeline for natural-language and operational data. Because payloads for events like tool.call and memory.write may include secrets, personal data, prompts, or internal memory contents, compromise or misuse of this storage could expose highly sensitive information far beyond what is needed for lightweight lifecycle metrics.

VirusTotal

58/58 vendors flagged this skill as clean.