Memory Tree

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real local memory-management skill, but it handles sensitive memory files and its docs are inconsistent about automation, cloud use, and sharing reports.

Install only if you are comfortable with this skill reading and modifying your OpenClaw memory files. Treat generated weekly reports as sensitive, review any enabled Feishu/OpenClaw channels before running weekly reports, and do not follow external GitHub install instructions unless you verify they match this reviewed artifact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill advertises local memory features but declares no permissions despite requiring file read/write capabilities. Undeclared filesystem access weakens user consent and review, and can enable unexpected access to sensitive local data or persistence changes if the skill is installed or invoked automatically.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The documented behavior omits materially relevant actions: inspecting ~/.openclaw/openclaw.json, detecting configured messaging channels, and suggesting report delivery to Feishu. This mismatch prevents informed consent and increases the risk that private memory/report data could be exposed through external integrations the user did not expect this skill to inspect or leverage.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The weekly command goes beyond local report generation by enumerating global messaging-channel configuration and exposing a Feishu chat ID plus a ready-to-run send command. Even though it does not transmit data itself, this expands the skill's operational scope into message-delivery discovery and increases the chance that sensitive memory-report contents are disclosed to an external destination.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script reads a global OpenClaw configuration file to discover enabled channels and their destination metadata, which is not required for core local memory parsing, search, visualization, or marking. Accessing unrelated global configuration broadens the data the skill can inspect and may reveal messaging targets or other integration details that users did not expect this skill to touch.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrase “帮我回忆一下 xxx” is broad natural language that could easily appear in ordinary conversation, increasing the chance of unintended activation. In a memory-management skill, accidental invocation could expose stored memories or cause the system to retrieve sensitive personal information when the user did not explicitly intend to call the skill.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The initialization trigger “帮我初始化记忆树” is action-oriented and can cause persistent setup behavior, yet the README does not describe scope limits, consent boundaries, or safeguards. If triggered accidentally or by prompt injection through surrounding content, it may enable background automation and data processing without clear user intent.

Missing User Warnings

High
Confidence
94% confidence
Finding
The README advertises automatic backend fallback from local Ollama to cloud APIs but does not clearly warn that memory contents may be transmitted off-device when cloud providers are used. Because the skill handles persistent memories, users may reasonably assume all data stays local, creating a significant privacy and data-exposure risk.

Vague Triggers

Medium
Confidence
78% confidence
Finding
An overly broad trigger phrase can cause accidental activation during ordinary conversation, especially in a natural-language agent environment. Because the skill performs file operations and may generate reports or mark data as permanent, unintended invocation can alter stored memory state or reveal information without deliberate user intent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The one-line usage examples use vague phrases like '生成周报' and '记住这个' without defining boundaries, which raises the chance of accidental triggering. In this context, accidental execution could create reports, search stored memory, or permanently mark content, affecting privacy and integrity of the user's memory store.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Stating that reports are automatically pushed to enabled channels without a clear warning about data transmission is dangerous because weekly reports may contain sensitive memory content. Even if transmission depends on existing configuration, users are not adequately warned that local summaries could be prepared for or exposed via external messaging systems.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The description claims the skill is 'fully automatic' without stating what triggers execution, what data it may access, or what limits apply. Overly broad activation language can mislead users into invoking or authorizing behavior they do not understand, especially for a memory/archive skill that may process persistent personal information.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The mark command rewrites MEMORY.md in place based on a substring title match, without preview, confirmation, or backup. This can unexpectedly alter user data, and ambiguous matches may cause the wrong memory block to be marked, undermining integrity of the memory store.

Ssd 3

Medium
Confidence
92% confidence
Finding
The weekly report aggregates summaries and titles from MEMORY.md and related memory files, writes them to disk, and prints them to the terminal. Because memory stores often contain sensitive personal or operational notes, this creates a real confidentiality risk through local disclosure, shoulder-surfing, shell logging, or unintended retention in report files.

Ssd 3

Medium
Confidence
90% confidence
Finding
The script presents a ready-to-run command to send the generated memory report to an external chat destination discovered from configuration. Even without automatic transmission, this materially facilitates exfiltration of potentially sensitive memory contents by lowering the barrier to sending them outside the local environment.

VirusTotal

67/67 vendors flagged this skill as clean.
