Memory Core

Security checks across malware telemetry and agentic risk

Overview

This memory skill is mostly purpose-aligned, but it handles long-term private memory with under-disclosed cloud embedding, credential, and data-loss risks.

Review this before installing. Use a local embedding backend for sensitive memory, avoid shared or global API keys unless you intend that, restrict any remote endpoint to a provider you trust, and keep backups of the memory database before upgrades or schema changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill documentation exposes capabilities that imply reading local files/configuration, accessing environment-derived secrets, and making network requests, yet it declares no permissions. This creates a transparency and consent failure: operators may enable the skill expecting local-only behavior while it can access sensitive configuration and transmit data externally.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented behavior materially diverges from the stated purpose and safety claims. In particular, claiming built-in intent/scene isolation while analysis indicates retrieval does not enforce it can cause cross-context memory leakage, and undisclosed reading of local config/API keys plus remote embedding calls expands the attack surface beyond what users are told.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The code automatically reads an API key from the user's global OpenClaw configuration and reuses it for this skill when no local key is set. This expands the skill's effective privileges beyond its own declared/local configuration and can cause unexpected use of unrelated credentials, increasing the chance of unintended external API access and cross-skill credential reuse.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: This module transmits input text to external embedding providers, which can include long-term memory content. For a memory-core skill, that creates a real confidentiality and data-governance risk because stored memories may contain sensitive user information that leaves the local LanceDB boundary and is sent to third-party services.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The code supports arbitrary remote embedding endpoints via configurable base URLs, expanding the trust boundary beyond the stated LanceDB-based memory purpose. This makes exfiltration of memory content possible to unintended or attacker-controlled services if configuration is changed or compromised.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The README documents a cloud embedding configuration and even labels it as the default, but it does not explicitly warn that memory content, queries, and possibly sensitive user facts may be transmitted to a third-party service off-machine. For a long-term memory skill, this omission is security-relevant because users may reasonably assume the data remains local based on the broader 'local-first' (本地优先) framing and may unknowingly expose sensitive persisted memories.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The markdown presents a cloud embedding option without a clear warning that memory text may be sent to a third-party service for embedding. Users may store sensitive long-term memory under the assumption of local persistence, leading to unintentional disclosure of personal, proprietary, or regulated data.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: Sensitive credentials are loaded from a user config file without any disclosure, consent prompt, or audit signal to the user. In a memory skill, this hidden credential sourcing is more concerning because stored content may later be embedded and sent to a remote provider, so users may not realize their local memory feature is using external services and inherited secrets.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The code drops and recreates the entire LanceDB table when the existing schema does not match the expected vector field shape. This can silently destroy all stored long-term memory data on startup, which is especially risky in a persistence layer intended to preserve agent memory and isolation state. In this skill context, unexpected data loss can also undermine scene/intent separation guarantees and cause operational or security side effects.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: The function sends raw text to an external API without any disclosure or consent mechanism in the code path. In a long-term memory component, the text may contain private or sensitive information, so silent transmission materially increases privacy and compliance risk.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The trigger patterns are broad generic terms such as "memory", "context", "remember", and common Chinese equivalents, which are likely to appear in normal conversation unrelated to explicit memory operations. In a skill that has access to an execution tool and persistent long-term memory behavior, this can cause unintended invocation, accidental storage/retrieval of user data, and context pollution across ordinary chats.

VirusTotal

64/64 vendors flagged this skill as clean.