Security audit

Memory Plus Sync

Security checks across malware telemetry and agentic risk

Overview

This skill is a memory-sync tool, but it handles broad private conversation data, credentials, deletion, and automatic/background behavior without enough scoping or consent controls.

Install only if you are comfortable with a skill reading and duplicating private memory/chat data, using configured LLM credentials, and potentially deleting or cleaning memory stores. Before enabling, bind services locally, avoid automatic cron cleanup, keep API keys out of source/config resources, review exactly which channels and folders are synced, and back up Hermes/OpenClaw memory stores.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (50)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    elif command == "mcp":
        # Start the MCP server
        os.system(f"python {Path(__file__).parent}/mcp_server.py {' '.join(sys.argv[2:])}")

    elif command == "test":
        # Run tests
Confidence
99% confidence
Finding
os.system(f"python {Path(__file__).parent}/mcp_server.py {' '.join(sys.argv[2:])}")

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The function does more than load settings: it rewrites a Python source file and embeds the API key directly into code. Storing secrets in source files is dangerous because the key can be exposed through version control, backups, logs, local read access, packaging artifacts, or later debugging workflows; in an agent skill context, that broadens the blast radius of a single credential leak.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The active code path in `_call_agent_async` returns a mocked success response before reaching the real implementation, while comments and structure imply genuine asynchronous model invocation. This can cause downstream systems to trust fabricated validation, scoring, and safety-review results, effectively bypassing safety controls and creating an integrity failure in any workflow that relies on these agents for enforcement.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code exports the entire parsed user profile into a shared cross-tool directory even though the function is framed as exporting only important memories. User profile data is likely to contain broad personal preferences or sensitive context, and sharing it wholesale to another tool materially increases exposure beyond the minimum needed purpose.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The `memory-plus://config` resource returns the full result of `config_manager.load_settings()` to any MCP client that can read resources. Configuration objects commonly contain API keys, endpoints, credentials, or internal operational parameters, so exposing the entire settings blob can leak secrets and materially aid follow-on compromise. In this server context, the risk is increased because the resource is explicitly advertised and requires no filtering, redaction, or access control.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The cleanup command is documented as selective via --clean-hermes and --clean-openclaw, but the implementation uses `args.clean_hermes or True` and `args.clean_openclaw or True`, which always evaluate to True. This causes both memory stores to be cleaned regardless of operator intent, creating a real risk of unintended data deletion or loss of synchronization state when a user expects a limited cleanup.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The script prints a final summary claiming all core functions are healthy regardless of whether earlier tests actually failed, which can mislead operators into believing the system is functioning correctly. In a verification script, false success reporting undermines monitoring and can cause broken or insecure components to be deployed or left uninvestigated.

Missing User Warnings

High
Confidence
95% confidence
Finding
The README explicitly promotes automatic collection and unified storage of conversations across Feishu, WeChat, Telegram, voice, and customer-service contexts, but provides no privacy, consent, retention, or access-control warning. In a skill that centralizes multi-channel communications by default, this creates a real risk of unauthorized collection and retention of sensitive personal, corporate, or regulated data.

Missing User Warnings

High
Confidence
97% confidence
Finding
The README says enabling the skill causes it to 'automatically start syncing' and emphasizes 'zero configuration' without clearly warning that data collection begins immediately. This is dangerous because users may activate the skill expecting harmless setup, while it may start ingesting historical and ongoing conversations across channels without informed approval.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README advertises automatic backup, VACUUM optimization, FTS index rebuild, and automatic recovery, but does not warn that these are state-changing database operations that can affect performance, availability, or data integrity if misapplied. In a shared memory database, undocumented automatic repair actions can surprise operators and amplify operational risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly describes copying user preferences, project configuration, decisions, reports, and logs into a shared folder, but it does not warn that sensitive or confidential data may be duplicated outside the original stores. In this context, the shared directory and JSONL logs expand the exposure surface and can lead to unintended disclosure of secrets, personal data, or internal project information.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The maintenance section includes find ... -delete commands that permanently remove matching files from the shared-memory tree, but the README does not clearly emphasize that these deletions are irreversible and may affect logs, reports, backups, or markdown files. Users following the instructions may unintentionally destroy data needed for recovery, auditing, or troubleshooting.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill explicitly promotes cross-channel collection of Feishu, WeChat, Telegram, and voice transcripts into unified storage, but provides no clear user warning, consent requirement, or data-use boundary. In a memory-sync skill, this omission is dangerous because it normalizes bulk capture of sensitive communications without informing users that private multi-platform conversations may be retained long-term.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documented `memory_delete` capability exposes destructive functionality without any warning about confirmation, authorization, or recovery expectations. In a memory-management context, deletion can permanently remove user records or synchronized conversation history, especially since the same document also describes unified long-lived storage and automation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The startup example binds the MCP server to 0.0.0.0 and pairs it with API examples that handle memory content, but provides no warning about network exposure, authentication, or privacy risks. In a skill centered on storing and querying memory, this can lead operators to expose sensitive data services on reachable interfaces without realizing the consequences.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This module aggregates chat history and voice conversation content from local files under the user's home workspace, including raw message data, without any consent flow, privacy notice, or access control visible in the code. In a memory-collection skill, silent harvesting of sensitive conversations increases the risk of overcollection, unintended retention, and downstream disclosure of private data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This code writes API key material to a Python config file without safeguards or explicit consent at the write site. Even if intended for convenience, persisting secrets into executable source increases the chance of accidental disclosure and makes secret handling harder to audit, especially in shared repositories or deploy pipelines.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The batch processor stores arbitrary memory content and also echoes portions of that content to console output and returned result objects, which can expose sensitive personal or business data to logs, operators, or downstream callers without explicit consent or data-minimization controls. In a memory-processing skill, persistence and disclosure are core privacy risks because the inputs are likely to contain user secrets, personal events, and other high-sensitivity information.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
This code performs an outbound request using a bearer token and user-configurable base URL, but the file provides no explicit disclosure, confirmation, or restriction on the destination. If an attacker can influence configuration, they could direct the request to an untrusted host and trigger credential leakage or unintended transmission of model metadata.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends raw `memory_content` plus aggregated agent responses to a third-party cloud LLM for arbitration. If those memories contain secrets, personal data, or sensitive business context, this causes external disclosure without any minimization, redaction, or explicit consent mechanism visible in this file.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code sends raw memory content to external validation and arbitration components (`TripleAgentProcessor(use_kimi=True)` and `LLMArbiter(use_kimi=True)`) before storage, but there is no consent gate, disclosure, redaction, or data-classification check. If memory content contains secrets, personal data, or internal business information, this creates an unintended outbound data exposure path to third-party LLM services.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The sync routine reads vectors and metadata from a local SQLite database and sends them to Qdrant over plain HTTP, which can expose potentially sensitive memory content to network interception or unintended services. In this skill context, the feature is intentionally for synchronization, but the lack of transport security, consent/notice, and destination validation makes the data-transfer risk real rather than merely informational.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The export function retrieves payloads and vectors from Qdrant and writes them directly to an arbitrary JSON file path, which can create a local plaintext dump of sensitive data without safeguards. In a memory-management skill, this is especially risky because exported payloads may contain personal or confidential content and are easy to exfiltrate once written.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code sends `memory_content` directly to external model APIs via `client.chat.completions.create(...)` without any visible consent, disclosure, redaction, or policy gate in this component. If memory content contains secrets, personal data, or sensitive internal notes, this creates a real confidentiality risk through third-party processing and retention.

Missing User Warnings

High
Confidence
96% confidence
Finding
The script performs destructive DELETE operations against the memory API automatically, with no user confirmation, dry-run mode, approval gate, or rollback mechanism. In this skill context, that is dangerous because any misclassification, malformed duplicate group, or compromised local API response can trigger irreversible loss of stored memory data at scale.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.