Security audit

Nessie

Security checks across malware telemetry and agentic risk

Overview

This plugin transparently connects OpenClaw to a user's Nessie context library, with sensitive but disclosed access to personal/team context and local API-key storage.

Install only if you want OpenClaw to access your Nessie memory, including connected notes, AI transcripts, saved contexts, and readable team-shared sources. Be aware that setup stores a Nessie API key in your local OpenClaw config in plaintext, protected by file permissions; avoid sharing that config file or committing it to source control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The plugin persists the Nessie API key directly into the OpenClaw JSON config as an Authorization header, which creates a plaintext secret-at-rest in a predictable local file. Although the code sets restrictive file permissions, this still increases exposure through backups, accidental commits, support bundles, local malware, or other tools/users that can read the file; there is also no user-facing warning that init will store the credential on disk.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill’s trigger guidance is very broad and can cause automatic invocation for many ordinary requests about prior work, notes, or relationships without a clear consent gate. Because the tool accesses highly sensitive personal and potentially team-shared memory, over-broad activation increases the chance of unnecessary data access and privacy overreach even if the underlying tool is functioning as designed.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill encourages the agent to search personal context, AI conversation transcripts, relationships, and team-readable sources, but it does not require an upfront privacy notice or explicit confirmation before doing so. In practice this can lead to silent retrieval of sensitive personal or coworker data beyond what the user expected from a natural-language request.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"validate": "bash scripts/validate.sh"
  },
  "dependencies": {
    "@modelcontextprotocol/sdk": "^1.29.0"
  },
  "openclaw": {
    "extensions": [
Confidence
89% confidence
Finding
"@modelcontextprotocol/sdk": "^1.29.0"

VirusTotal

60/60 vendors flagged this plugin as clean.
