Dream Selfimproving

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly aligned with its self-improving memory purpose, but it grants broad persistent memory and skill-modification authority without enough user control.

Install only if you deliberately want an always-on memory and self-evolution system. Review what it stores in OpenClaw memory, keep secrets out of conversations it can log, inspect generated skills under ~/SharedSkills before using them, and avoid running cron-editing or sync workflows unless you trust the local OpenClaw/Hermes environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (29)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    cmd = [openclaw_bin] + args
    cmd = [c for c in cmd if c]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, encoding="utf-8", errors="replace")
    except Exception:
        result = subprocess.run(cmd, capture_output=True, text=True)
    if result.returncode != 0:
Confidence
93% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, encoding="utf-8", errors="replace")

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, encoding="utf-8", errors="replace")
    except Exception:
        result = subprocess.run(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        try:
            result = subprocess.run([openclaw_bin] + args, capture_output=True, text=True, encoding="utf-8", errors="replace")
Confidence
90% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        result = subprocess.run(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        try:
            result = subprocess.run([openclaw_bin] + args, capture_output=True, text=True, encoding="utf-8", errors="replace")
        except Exception:
            result = subprocess.run([openclaw_bin] + args, capture_output=True, text=True)
    return result.stdout or "", result.returncode
Confidence
92% confidence
Finding
result = subprocess.run([openclaw_bin] + args, capture_output=True, text=True, encoding="utf-8", errors="replace")

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        try:
            result = subprocess.run([openclaw_bin] + args, capture_output=True, text=True, encoding="utf-8", errors="replace")
        except Exception:
            result = subprocess.run([openclaw_bin] + args, capture_output=True, text=True)
    return result.stdout or "", result.returncode
Confidence
88% confidence
Finding
result = subprocess.run([openclaw_bin] + args, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            edit_cmd = ([openclaw_bin, openclaw_script, "cron", "edit", job_id, "--message", message] if openclaw_script
                        else [openclaw_bin, "cron", "edit", job_id, "--message", message])
            try:
                result = subprocess.run(edit_cmd, capture_output=True, text=True, encoding="utf-8", errors="replace")
            except Exception:
                result = subprocess.run(edit_cmd, capture_output=True, text=True)
            if result.returncode == 0:
Confidence
95% confidence
Finding
result = subprocess.run(edit_cmd, capture_output=True, text=True, encoding="utf-8", errors="replace")

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            try:
                result = subprocess.run(edit_cmd, capture_output=True, text=True, encoding="utf-8", errors="replace")
            except Exception:
                result = subprocess.run(edit_cmd, capture_output=True, text=True)
            if result.returncode == 0:
                print(f"[OK] {name} cron updated")
            else:
Confidence
91% confidence
Finding
result = subprocess.run(edit_cmd, capture_output=True, text=True)

Tainted flow: 'new_content' from pathlib.Path.read_text (line 30, file read) → pathlib.Path.write_text (file write)

Medium
Category
Data Flow
Content
new_lines.extend(lines[878:])

new_content = '\n'.join(new_lines)
dream_py.write_text(new_content, encoding='utf-8')
print('File rewritten.')

# Verify
Confidence
88% confidence
Finding
dream_py.write_text(new_content, encoding='utf-8')

Context-Inappropriate Capability

Medium
Confidence
71% confidence
Finding
The script modifies another local skill file and then executes a local Python compile-check without any trust boundary, user confirmation, or sandboxing. In skill ecosystems, self-modifying code plus post-write execution-related behavior increases operational risk because it normalizes silent modification and local code processing on the host.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script autonomously creates new skills and writes both SKILL.md and executable Python files into ~/SharedSkills without explicit user approval. In an agent-skill context, self-extending behavior is dangerous because it can persist new capabilities outside the original skill boundary, making review, provenance, and future execution control much harder.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script appends generated rules into TOOLS.md based on parsed error-log content, effectively modifying operational guidance from potentially untrusted data. In a skill ecosystem, this can poison future agent behavior, introduce misleading procedures, and create persistent prompt/instruction injection across later runs.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The skill advertises broad capability-derived draft generation for many common intents, which increases the chance that ordinary user requests unintentionally trigger autonomous skill creation or related side effects. In a system that can write files and evolve skills automatically, ambiguous activation expands the attack surface and makes consent boundaries unclear.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Using very broad primary triggers like 'dream' / '做梦' makes accidental invocation likely during ordinary conversation. Because the invoked action performs memory distillation, reporting, and potentially broader file operations, accidental triggering can expose or process sensitive data without a deliberate user request.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The generator writes multiple files to the user's SharedSkills directory immediately after validating input, with no explicit user confirmation, dry-run preview, or warning about filesystem changes. In a skill-generation context, this can create or overwrite operational artifacts based on untrusted or mistaken requirements, making unintended persistence and supply-chain style abuse more likely.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code automatically updates the skill registry after generation when auto_register is enabled, without a user-facing approval step. This is risky because newly created skills become discoverable or active in the broader system immediately, which can amplify the impact of malicious or erroneous generated content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script overwrites a hardcoded `dream.py` in a user workspace with no prompt, backup, rollback, or explicit consent. Silent modification of local code is dangerous because it can corrupt user assets, introduce unintended behavior, or be repurposed to alter other files if the path is changed.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script overwrites a hard-coded file in a user workspace with no prompt, backup, or transactional safety checks. In an agent skill environment, silent modification of local code is dangerous because it can cause data loss, break automation, or unexpectedly alter trusted code without the operator noticing until later.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script silently modifies another skill's source file on disk with no prompt, logging beyond a generic message, rollback, or integrity verification. In an agent skill ecosystem, self-modifying or cross-skill-modifying behavior is risky because it can alter downstream behavior unexpectedly and can be repurposed to tamper with trusted automation.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The document describes a workflow that copies data from one agent's memory store into another persistent memory file without any mention of data classification, consent, minimization, or review. Because the synchronized content can include operational and personal/sensitive information, this creates a real risk of over-sharing, privacy leakage, and propagation of secrets across systems with different access boundaries.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The synced examples explicitly include account/address data and system configuration details, yet the document presents this as routine synchronization with no warning or restriction. Replicating such information into another memory store broadens exposure, increases the blast radius of compromise, and may leak operationally sensitive details to components or users that did not previously have access.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Writing auto-generated skill files into the user's home directory without notice or consent is unsafe persistence behavior. It creates durable executable content in a globally meaningful location, which can later be discovered and run by users or automation that assume home-directory content is trusted.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow appends generated content into existing workspace files without prior disclosure, which can silently alter memory, logs, or operational state. In agent settings, undisclosed persistent edits are risky because they can reshape future behavior and leak or amplify sensitive user-derived content.

Ssd 3

High
Confidence
97% confidence
Finding
The skill explicitly states that every message is monitored and written to persistent memory logs, then reused for later distillation and memory updates. This creates substantial privacy and data-handling risk because sensitive user content may be retained indefinitely and repurposed beyond the original interaction without granular consent or minimization.

Ssd 3

High
Confidence
96% confidence
Finding
Automatically generating complete daily reports from conversation logs increases the likelihood that private user data, secrets, or sensitive behavioral summaries will be surfaced in consolidated artifacts. Reports are often easier to read, copy, and share than raw logs, so summarization can amplify disclosure impact.

Ssd 3

High
Confidence
98% confidence
Finding
The workflow directs broad ingestion of logs, learnings, memory files, graph data, and long-term recall, then reinjects recalled content back into model context. This creates a strong risk of cross-context data leakage, where previously stored sensitive information can resurface in later outputs unrelated to the original request.

Ssd 3

Medium
Confidence
94% confidence
Finding
An automatically enabled hook that records preprocessed user messages into persistent logs creates background surveillance-like behavior and removes meaningful user intent at collection time. Even if designed for memory features, always-on capture materially raises privacy risk, especially when paired with later summarization and RAG recall.

VirusTotal

58/58 vendors flagged this skill as clean.
