Security audit

OpenClaw Agent Memory Commons

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed shared knowledge-card tool; its optional GitHub publishing and scheduled sync features require care but fit the stated purpose and are user-invoked.

Install only if you want a shared OpenClaw knowledge-card workflow. Before enabling the optional cron jobs, confirm you are comfortable with scheduled ClawHub updates and local report files. Treat GitHub setup and --push commands as maintainer actions: review tracked files, avoid secrets, prefer least-privilege tokens, and consider a private repo or manual push until you have inspected what will be published.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares only `shell` in `allowed-tools`, but the documented behavior clearly includes reading and writing local files, using environment-provided tokens, and making network requests to ClawHub/GitHub. This mismatch weakens reviewability and consent because operators may trust the declared capability surface while the skill’s workflow expects broader access, increasing the chance of unintended data exposure or execution in an overly privileged environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill presents itself primarily as a privacy-safe shared knowledge commons, but the documented and reported behavior expands into repository creation, git remote modification/push operations, external telemetry fetching, and generation of public artifacts. That description-behavior gap is dangerous because users may authorize or install it under a narrower trust assumption than its real operational scope, leading to accidental publication, token misuse, or outbound data disclosure.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script reads GitHub credentials from environment variables and uses them to authenticate outbound API calls. While common in automation, this capability is not necessary for a memory-sharing skill's runtime purpose and expands the skill's ability to act with the user's GitHub privileges if executed in a broader agent context.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
When --push is supplied, the script rewrites the local git remote and pushes the current branch to GitHub. In an agent skill context, this is a powerful side effect unrelated to the advertised memory-commons behavior and could alter repositories or publish code unexpectedly if triggered with a valid token and local repo access.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documented `gh repo create` command explicitly creates a public repository and pushes the current local directory, but the surrounding instructions do not clearly warn users that local content will be published externally. In a skill focused on shared memory and knowledge syncing, users may run setup commands quickly and unintentionally expose files, notes, configuration, or other sensitive project contents.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The token-based workflow instructs users to create a repository with credentials and push content to a public repo, but it does not warn about the sensitivity of the token or the disclosure risk from `--public` and `--push`. This combination increases the chance of accidental publication of local data and normalizes use of powerful credentials without basic handling guidance.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.