Openclaw Auto Dream

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed memory-consolidation skill, but it needs review because it persists sensitive memory data and includes dashboard and migration behaviors with avoidable exposure risks.

Install only if you want a daily background memory job that reads and modifies MEMORY.md and memory/ logs. Review or redact sensitive entries first, keep notification channels private, avoid generating/opening dashboards from untrusted memory content until sanitized, and only export or import bundles you explicitly trust and select yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding:
Multiple sections render fields from the untrusted `D` object using `innerHTML` template strings, including `insights`, `recentChanges`, `suggestions`, `staleEntries`, and graph legend content. If any dream/log data contains attacker-controlled HTML such as `<img onerror=...>` or `<script>`-adjacent markup, it can execute in the dashboard context, exposing memory contents or tokens, or performing actions as the viewer.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
This document materially expands the skill from periodic memory consolidation into full export, import, cloning, and merging of complete memory state across instances. That broader data-movement capability increases the attack surface for data exfiltration, unintended replication of sensitive memory, and destructive overwrite/merge operations beyond the advertised skill purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding:
Portable bundle sharing enables memory to be copied between instances, which is a form of data export not inherent to auto-dream consolidation. In this context, memories may contain sensitive operational history, user data, or internal procedures, so documenting shareable full-state bundles creates a realistic exfiltration and over-sharing risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
Allowing import from an arbitrary user-specified file path can expose the agent to path abuse and untrusted local file access patterns, especially if the implementation follows the documentation literally. Even though the file is expected to be a bundle, this guidance normalizes reading attacker-chosen paths and then writing merged results into trusted memory files.

Natural-Language Policy Violations

Severity: Medium
Confidence: 95%
Finding:
The prompt instructs the agent to infer the user's preferred language from workspace context and force all output into that language without explicit user consent. This can violate user expectations and may cause privacy issues if the agent inspects unrelated workspace content to infer language, though the direct security impact is limited.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The prompt authorizes broad writes to core memory files, creation of backups, and mutation of source logs, but it does not require an explicit user-visible confirmation or safety notice before making those changes. In an automated or scheduled context, this can silently alter persistent state and make recovery harder if consolidation logic is wrong or over-broad.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The forgetting-curve step instructs the agent to compress, move, and archive existing entries based on heuristics, which changes canonical memory content and can effectively destroy fidelity in the original source location. Because this is performed automatically and without a required warning or approval step, mistakes in scoring or classification could cause silent data loss or harmful memory drift.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The prompt directs shell-based append operations and log rotation for dream logs, which introduces file-write side effects and archival behavior without a clear user warning. In practice, this can unexpectedly modify audit/history files and, if implemented unsafely, increases the chance of overwrites, malformed logs, or unintended file system effects.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill directs the agent to modify multiple user files (e.g. MEMORY.md, procedures.md, dream-log.md, and daily logs) as part of normal operation, but the metadata/description does not clearly warn users that installation or first run will perform broad workspace writes. This creates a consent and transparency problem and increases the chance of unexpected file modification in repositories where memory files may be sensitive or version-controlled.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill instructs the agent to read historical daily logs, extract facts, preferences, and project details, and use them to build long-term memory, but it provides no privacy notice or data-handling warning. This can lead to silent processing of sensitive historical information that users may not expect to be summarized, retained, or surfaced later.

Natural-Language Policy Violations

Severity: Medium
Confidence: 88%
Finding:
Forcing output into a detected language without user confirmation removes user control and can cause incorrect language selection, especially in multilingual workspaces. While not directly enabling code execution, it can confuse users, obscure important consent information, and make the skill's actions less transparent.

Natural-Language Policy Violations

Severity: Medium
Confidence: 89%
Finding:
The repeated instruction to translate the entire report before sending reinforces a non-optional language transformation that may hide nuance or mistranslate sensitive details. In a security-sensitive or consent-sensitive workflow, mandatory translation can reduce clarity about what was actually read and stored.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
Automatically choosing the most recent export bundle without explicit confirmation can cause unintended state changes to memory files, especially when multiple bundles exist or a stale/malicious file was placed in the directory. Because import is a write operation with broad effects, silent selection undermines safe user intent verification.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The document introduces push notifications that may send dream reports or summaries to a configured channel, but it does not warn that these messages can contain sensitive memory content, inferred insights, or personal/project data. In a memory-consolidation skill, that omission can cause unintended disclosure to the wrong channel, audience, or logging surface, especially because notifications are enabled as a normal upgrade step.

Ssd 3

Severity: Medium
Confidence: 96%
Finding:
The skill explicitly collects broad categories of user history and preferences and persists them into long-term memory for future use. Retaining and later surfacing this information expands the privacy and confidentiality risk surface, especially if logs contain credentials, health data, business strategy, or other sensitive content.

Ssd 3

Severity: Medium
Confidence: 97%
Finding:
The skill requires the final user-visible response to reference real content from logs and personalized history, which can expose sensitive or unexpected details in outward-facing reports or notifications. This is particularly risky if reports are pushed automatically, displayed in shared environments, or stored in chat history.

Ssd 3

Severity: Medium
Confidence: 93%
Finding:
The fresh-instance text promises that every conversation will be remembered and consolidated into long-term memory, implying broad default retention without meaningful consent boundaries. This can normalize pervasive memory capture and mislead users into thinking all content should be stored, including sensitive or ephemeral discussions.

VirusTotal

VirusTotal findings are pending for this skill version.
