Lovefromio Openclaw Persistent Memory

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real persistent-memory skill, but it stores and reuses agent context by default with limited privacy, retention, and safety guidance.

Install only if you intentionally want long-term agent memory. Prefer ClawHub or reviewed npm installation over the curl-to-bash option, keep the worker bound to localhost, consider disabling autoCapture or autoRecall until you understand what is stored, avoid storing secrets, and review or back up the memory database before deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The guide recommends executing a remotely fetched script directly with bash, which gives arbitrary code from a mutable external source immediate execution on the user's machine. In installation documentation for a persistent-memory skill, this is not necessary and meaningfully increases supply-chain and remote code execution risk.

Missing User Warnings

High
Confidence
99% confidence
Finding
Piping curl output to bash executes network-delivered code without review, provenance verification, or integrity checks. The lack of any warning normalizes unsafe installation behavior and exposes users to compromise if the upstream repository, network path, or referenced script is tampered with.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documented default configuration enables automatic memory capture and recall, which may collect and re-inject sensitive user or organizational data without informed consent. For a persistent-memory skill, this behavior is core functionality, but presenting it without privacy, retention, and access-control warnings makes accidental data exposure more likely.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The uninstall section includes recursive deletion commands that can permanently remove extension files and the local database, but it does not warn users about irreversible data loss. Because this skill stores persistent memory, silent deletion of the backing data directory is especially risky and can destroy records users may expect to preserve or export first.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README advertises automatic context capture and prompt-time memory recall, which implies collection, storage, and reinjection of potentially sensitive user or agent data. Omitting any privacy, consent, retention, or data-handling warning can mislead users into enabling the skill without understanding that secrets, personal data, or confidential workspace context may be persisted and resurfaced in later prompts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises automatic capture of context across sessions and automatic recall, but it does not provide any user-facing warning about retention, sensitivity of stored prompts/responses, or deletion/consent expectations. In a memory plugin, this materially increases privacy risk because secrets, personal data, or confidential workflow context may be silently persisted and later resurfaced.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends user-supplied search queries and observation identifiers to a memory worker over HTTP without any warning, confirmation, or visibility to the user. In a persistent-memory skill, those queries and returned data may contain sensitive context, so silent transmission can expose confidential information to a local or remotely configured service via OPENCLAW_MEM_URL.

External Transmission

Medium
Category
Data Exfiltration
Content
json=true
    fi
    
    local result=$(curl -s -X POST "$WORKER_URL/api/timeline" \
        -H "Content-Type: application/json" \
        -d "{\"observation_id\": $id}")
Confidence
90% confidence
Finding
curl -s -X POST "$WORKER_URL/api/timeline" \ -H "Content-Type: application/json" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.
