Session Memory

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate local memory tool, but it persists OpenClaw session history wholesale into searchable workspace files with few privacy controls: no consent step, no redaction, and no exclusion of sensitive sessions.

Install only if you intentionally want historical OpenClaw conversations copied into searchable workspace memory. Review generated memory files before sharing the workspace, avoid enabling recurring cron indexing in sensitive environments, and consider adding redaction, exclusions, file permission tightening, and cleanup procedures before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documents capabilities to read local session logs, inspect cron configuration, and write derived memory files, but does not declare corresponding permissions. Undeclared file and environment access is dangerous because users may install it without realizing it will scan sensitive local data and persist extracted content for later retrieval.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented purpose focuses on session-memory indexing, but the skill also analyzes cron job definitions and proposes rewritten prompts for other automations. That scope expansion matters because cron payloads may contain sensitive operational instructions, secrets, or workflow details that users would not expect this skill to inspect.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup instructions omit a prominent warning that running the scripts scans historical session transcripts and converts them into persistent, searchable Markdown. This is dangerous because those transcripts may contain personal data, credentials, internal paths, or confidential business context that becomes easier to discover and reuse across sessions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script writes extracted content derived from session transcripts into a consolidated Markdown glossary file, including names, projects, decisions, and preview text. Because session transcripts may contain sensitive personal, operational, or confidential information, this creates a secondary, easier-to-browse disclosure surface without any consent, minimization, redaction, or warning to the user.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script persistently copies full session transcripts from the agent's local session log directory into a searchable memory store and explicitly relies on automatic re-indexing, but there is no consent, notice, or filtering step before retention. Because session logs can contain secrets, personal data, and sensitive prompts, silently converting them into durable searchable memory increases privacy and data-retention risk well beyond the original ephemeral session context.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill promotes persistent collection and indexing of full session transcripts, explicitly preserving names, decisions, file paths, and reasoning for future retrieval. Centralizing this sensitive conversational data increases the blast radius of any compromise, accidental disclosure, prompt injection retrieval, or misuse by other agents with access to the workspace.

Ssd 3

Medium
Confidence
95% confidence
Finding
The cross-session sharing guidance encourages propagating prior conversation context into cron jobs, subagents, Telegram sessions, and other execution environments. That is risky because it spreads potentially sensitive data into more channels and agents, some of which may have weaker controls, broader audiences, or different threat models.

Ssd 3

Medium
Confidence
92% confidence
Finding
The generated preamble tells downstream jobs to query session memory and consult a glossary before acting, which can cause unrelated cron tasks to pull historical user, project, or decision data into new contexts. That broadens data exposure and creates a cross-task privacy leak path, especially if job prompts are later sent to models, logs, or external services.

Ssd 3

Medium
Confidence
90% confidence
Finding
The report template operationalizes and normalizes injecting historical session context into many cron jobs, encouraging systematic reuse of prior user data beyond its original purpose. At scale, this increases the chance that sensitive context is unnecessarily included in automated workflows, outputs, or third-party API calls.

Ssd 3

Medium
Confidence
95% confidence
Finding
This script is designed to transform session logs into searchable Markdown memory for later reuse, which creates a secondary storage and discovery surface for all conversation content. In this skill's context, that is the core feature, but it is still security-relevant because untrusted user inputs, credentials, internal data, and prior prompts may be retained and surfaced in future agent behavior or exposed to other local processes with access to the memory store.
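The Overview recommends adding redaction, exclusions, file permission tightening, and cleanup before using the skill, and the findings above repeatedly note that transcripts copied into the memory store may carry credentials and personal data. The following is an added example of what such a pre-sharing check looks like; it is not part of the Session Memory skill or of SkillSpector. It assumes the skill writes Markdown files under a memory directory (here a temporary directory with one constructed file), that session log file names identify the session (the exclusion globs are an assumption), and a POSIX filesystem for the permission step. The credential patterns are illustrative and should be tuned to the environment.

```python
"""Redact secrets in generated memory files, exclude sensitive sessions,
and tighten permissions. Added example, not code from the Session Memory skill."""
import fnmatch
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed sample of what an indexed session file might contain. Every value
# below is fake; the AWS key is the documented example key, not a real credential.
SAMPLE_MEMORY = """\
# Session 2024-03-01 (constructed example, not real data)
- Sarah asked to rotate the deploy key; the old one was AKIAIOSFODNN7EXAMPLE
- Ops bot auth header: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abcdefghijklmnop
- Config note: api_key = "sk_live_0123456789abcdef"
- Contact: sarah.example@corp.example
- Decision: keep memory indexing off the cron schedule for now
"""

# Credential and PII patterns, checked in order. Illustrative, not exhaustive.
SECRET_PATTERNS = [
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----")),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._\-]{20,}")),
    # key/secret/password/token = value, keeping the key name and any quoting
    ("generic_secret", re.compile(r"(?i)\b(api[_-]?key|secret|password|token)(\s*[:=]\s*)(['\"]?)([^\s'\"]{8,})\3")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
]

# Session file names that should never be indexed (assumed naming convention).
EXCLUDE_GLOBS = ["*incident-*", "*hr-*", "*secrets*"]


def redact(text):
    """Return (redacted_text, {pattern_name: hit_count}) for one file's content."""
    counts = {}
    for name, pattern in SECRET_PATTERNS:
        def _sub(m, name=name):
            counts[name] = counts.get(name, 0) + 1
            if name == "generic_secret":
                # keep "api_key = " and the quote style so the note stays readable
                return f"{m.group(1)}{m.group(2)}{m.group(3)}[REDACTED:{name}]{m.group(3)}"
            return f"[REDACTED:{name}]"
        text = pattern.sub(_sub, text)
    return text, counts


def should_exclude(session_name, globs=EXCLUDE_GLOBS):
    """True if a session log should be skipped by the indexer entirely."""
    return any(fnmatch.fnmatch(session_name.lower(), g) for g in globs)


def redact_memory_dir(memory_dir):
    """Redact every .md file under memory_dir in place; return per-file hit counts."""
    report = {}
    for path in sorted(Path(memory_dir).rglob("*.md")):
        cleaned, counts = redact(path.read_text(encoding="utf-8"))
        if counts:
            path.write_text(cleaned, encoding="utf-8")
        report[str(path.relative_to(memory_dir))] = counts
    return report


def harden_memory_dir(memory_dir):
    """Owner-only access: 0700 on directories, 0600 on files. Returns (path, mode) list."""
    memory_dir = Path(memory_dir)
    os.chmod(memory_dir, 0o700)
    modes = []
    for path in sorted(memory_dir.rglob("*")):
        os.chmod(path, 0o700 if path.is_dir() else 0o600)
        modes.append((str(path.relative_to(memory_dir)), stat.S_IMODE(path.stat().st_mode)))
    return modes


def demo():
    """Run the full check against a constructed memory directory and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        memory = Path(tmp) / "memory"
        memory.mkdir()
        (memory / "session-2024-03-01.md").write_text(SAMPLE_MEMORY, encoding="utf-8")
        report = redact_memory_dir(memory)
        modes = harden_memory_dir(memory)
        cleaned = (memory / "session-2024-03-01.md").read_text(encoding="utf-8")
        return {"report": report, "modes": modes, "cleaned": cleaned}


if __name__ == "__main__":
    result = demo()
    print(result["report"])
    print(result["modes"])
    print(result["cleaned"])
```

Run this over the memory directory before sharing the workspace or enabling any re-indexing job; the report tells you which files still needed redaction, which is itself a signal that the indexer is copying material it should have excluded at the source. The `should_exclude` check belongs in front of the indexer rather than after it, since a transcript that never gets copied does not need to be cleaned up.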

Session Persistence

Medium
Category
Rogue Agent
Content
names, decisions, file paths, reasoning. The agent retains a summary but loses the ability
to recall "What exactly did Sarah say?" or "When did we decide on that approach?"

Most memory skills on ClawHub are just SKILL.md instructions — "write stuff to MEMORY.md."
That's not a solution. **This skill ships real scripts that do real work.**

## The Solution: Three-Layer Memory Architecture
Confidence
86% confidence
Finding
write stuff to MEMORY.md." That's not a solution. **This skill ships real scripts that do real work.** ## The Solution: Three-Layer Memory Architecture ``` Layer 1: MEMORY.md — Curated long

VirusTotal

66/66 vendors reported this skill as clean. A clean antivirus verdict only says no engine recognizes known-malicious code; it does not address the data-retention and over-sharing findings above, which concern what a legitimate script does with sensitive transcripts.
