Memory Maintenance

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate memory-maintenance purpose, but it needs review because it can schedule recurring runs, read sensitive memory and environment files, send memory contents to Gemini, and perform file cleanup.

Install only if you are comfortable with your OpenClaw memory files, USER.md, MEMORY.md, and relevant daily notes being processed through Gemini. Review or edit the scripts first if your .env contains secrets beyond GEMINI_API_KEY, if you do not want a daily cron job, or if you need all cleanup to be recoverable. Treat generated review JSON as untrusted before applying file moves.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The manifest declares an install script and operational commands that clearly rely on shell execution, but no explicit permissions are declared to scope or communicate that capability. This creates a trust and review gap: users may install or run the skill without understanding that it can execute local commands, alter files, and potentially register scheduled tasks.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill description understates important behaviors: installation side effects, cron registration, external transmission of note/memory contents via Gemini, file moves/renames, and deletion/cleanup actions. When a skill performs broader actions than advertised, users cannot give informed consent, and sensitive workspace data may be exposed or modified unexpectedly.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The script's broader cleanup behavior consistently moves files into a .trash directory, but this branch permanently deletes files from .consolidated with rm. That inconsistency creates a real data-loss risk because users may reasonably expect recoverable cleanup, especially in a memory-management skill that operates on agent state and historical context.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script sources a workspace-wide .env file even though the review task only needs local file reads and report generation. Loading all exported variables unnecessarily exposes secrets to the shell environment and to any child process, including the later Gemini CLI invocation, increasing the chance of credential leakage or misuse.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script sends aggregated contents of daily notes, MEMORY.md, USER.md, and directory metadata to an external Gemini CLI for analysis. That is a real data exfiltration boundary and is not implied by a local 'memory maintenance' skill, especially because these files may contain sensitive personal, operational, or credential-adjacent information.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The header claims that the script 'NEVER auto-applies' suggestions, but the generated report instructs operators to run commands that apply safe or all changes. This mismatch can mislead reviewers about the automation level and cause them to trust or execute downstream actions without appreciating the modification risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
In 'all' mode, rename and delete-style actions are executed directly from untrusted review data without validating that target and destination paths remain inside the intended workspace. A crafted review JSON could cause arbitrary file moves within the user's accessible filesystem via path traversal or unexpected destination values, making this dangerous in an agent skill that consumes generated review artifacts.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Using find -exec rm {} \; permanently deletes files without confirmation, rollback, or a safety boundary beyond the hardcoded path. In a maintenance script that runs automatically, this can silently destroy memory fragments that may still be needed for troubleshooting, auditability, or recovery from upstream mistakes.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script executes `source "$WORKSPACE/.env"`, which runs arbitrary shell code from a workspace-controlled file rather than safely parsing environment variables. If an attacker or compromised repository can modify that .env file, installation will execute attacker-supplied commands with the user's privileges.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Sourcing an environment file with exported variables without user-facing disclosure creates an undisclosed secret-access behavior. In a user-memory maintenance context, operators would not reasonably expect the skill to ingest credentials or other environment data, making this both a transparency and security problem.

Missing User Warnings

High
Confidence
99% confidence
Finding
At the Gemini invocation point, the script transmits prompt content built from workspace memory documents to an external service without explicit disclosure or consent. This can expose private notes, preferences, relationships, project details, and other sensitive summaries outside the local environment.

Ssd 3

Medium
Confidence
93% confidence
Finding
The prompt explicitly asks the model to analyze, summarize, and restructure personal memory documents and daily notes, which increases the chance that sensitive information is restated in reports or output files. Even if the source files remain local, the generated summaries can amplify exposure by concentrating private data into more accessible artifacts.

VirusTotal

66/66 vendors flagged this skill as clean.
