Chat Memory

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it locally converts OpenClaw chat history into searchable memory, but users should treat that memory as sensitive.

Install only if you want prior OpenClaw conversations, named entities, decisions, and some cron prompt details to become durable searchable memory. Before running it broadly, review generated files, avoid indexing sessions with secrets or regulated data, customize the hardcoded people/project lists, and keep any cron automation visible and easy to disable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium
Confidence: 84%
Finding
The skill is presented as a transcript-to-memory indexing tool, but the documentation expands into broader orchestration patterns for cron jobs, subagents, Telegram sessions, and external knowledge-base access. Scope expansion like this is dangerous because it encourages operators to grant or normalize capabilities beyond the core stated purpose, increasing attack surface and the chance of misuse.

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
The documentation recommends using session-to-session messaging to push memory context into Telegram or group sessions, which goes beyond passive indexing and introduces active cross-session data transfer. This is dangerous because sensitive summaries or decisions could be propagated into other sessions or channels without strong boundaries, least-privilege controls, or privacy warnings.

Context-Inappropriate Capability

Medium
Confidence: 82%
Finding
The skill introduces execution of a custom knowledge-base query script and storage/access patterns for a shared database, even though that is not necessary for the stated transcript-memory purpose. Adding custom script execution guidance broadens the trust boundary and can lead users to run unreviewed code or expose additional local data stores under the umbrella of a benign-looking memory skill.

Intent-Code Divergence

Low
Confidence: 91%
Finding
The file explicitly claims a 'clean security score' and 'no suspicious flags' despite describing broader capabilities and data flows elsewhere in the document. Safety self-attestations inside adversarial content are a red flag because they can discourage scrutiny and create false trust in a skill that still handles sensitive local transcripts and cross-session context.

Missing User Warnings

Medium
Confidence: 89%
Finding
The setup instructions tell users to scan local JSONL session logs and generate searchable memory files, but there is no explicit warning that these logs may contain sensitive prompts, file paths, decisions, personal names, or secrets. This is dangerous because users may unknowingly centralize and persist sensitive data in a more discoverable form, increasing exposure and retention risk.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script reads full session transcripts and derives persistent summary artifacts such as SESSION-GLOSSAR.md, .glossary-state.json, and .glossary-scans.json without any explicit user disclosure, consent flow, retention control, or data minimization. In this skill context, the transcripts likely contain sensitive personal, project, and decision data, so silently re-indexing and persisting them increases privacy risk and broadens the blast radius if the workspace is accessed by other tools, users, backups, or source control.

Missing User Warnings

Medium
Confidence: 88%
Finding
The script writes converted conversation transcripts directly into the agent's long-term memory directory, where they will be re-indexed and become retrievable in future interactions. Because session content can include secrets, personal data, internal prompts, or tool outputs, persisting it without consent, disclosure, or filtering creates a real confidentiality and privacy risk.

Ssd 3

Medium
Confidence: 89%
Finding
The generated preamble tells downstream cron jobs to query broad session memory and a general glossary before running. That can unnecessarily pull unrelated personal, client, or prior-session data into job context, increasing the chance of privacy leakage, overexposure in prompts, and propagation of sensitive information into outputs or third-party systems.

Ssd 3

Medium
Confidence: 84%
Finding
The report guidance encourages operators to enrich cron jobs with session transcripts, recent decisions, and glossary data as a normal pattern. In a memory skill, this broadens routine reuse of conversational data across automated tasks, which can expose stale, irrelevant, or sensitive context well beyond the original purpose of collection.

Ssd 3

Medium
Confidence: 95%
Finding
The file's stated purpose is to convert all session logs into searchable Markdown and place them where the memory vector store will ingest them automatically. In this skill context, that broad indexing materially increases the chance that sensitive user-provided information from prior chats will later be surfaced to the model or exposed through retrieval, making this a genuine data exposure issue rather than a theoretical concern.

Ssd 3

Medium
Confidence: 93%
Finding
This code extracts message text and stores user and assistant content into a persistent transcript with no sensitivity checks, access controls, or redaction logic. Even though it skips some system messages and truncates long content, it still preserves substantial conversational data that may contain confidential information, which is especially risky because the skill is specifically designed for durable, searchable memory across many sessions.

VirusTotal

66/66 vendors flagged this skill as clean.