Memory system for claws

Security checks across malware telemetry and agentic risk

Overview

This is a coherent persistent-memory skill, but it broadly records and reinjects chat/tool history and asks users to bypass normal install safety checks.

Install only if you intentionally want long-lived agent memory. Review the npm package before using the unsafe install flag, avoid the manual bypass path unless necessary, set a private writable data directory, switch summarization to heuristic if you do not want external inference, add sensitive tools to skipTools, inspect mem peek/search output, and prune or forget sessions containing private data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Intent-Code Divergence

Medium
Confidence: 83%
Finding
The skill claims memory stays local by default and says there is no network or external service, yet the documented default summarizer invokes the host inference surface via `openclaw infer model run`, which may send captured conversation data to an external provider. Because the plugin persistently captures chats and tool-call history, this mismatch can cause operators and users to underestimate data egress and privacy exposure.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The appendix explicitly instructs users to bypass OpenClaw's install pipeline and static scan, undermining the platform's intended security controls. Even though this is documentation rather than executable code, agents or operators following it could install unreviewed artifacts and dependencies outside the normal trust boundary.

Missing User Warnings

High
Confidence: 95%
Finding
The description advertises convenience and persistence but does not lead with a clear warning that it automatically records conversations and tool-call chains into long-term storage. In a memory skill, omission of that disclosure is dangerous because users may reveal sensitive data without realizing it will be retained, searchable, replayed into future prompts, or exported later.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documented procedure deletes the existing extension directory with `rm -rf` before replacement, but does not require confirmation, backup of that directory, or a safer in-place upgrade path. This creates a real risk of accidental destructive action and service disruption if the command is copied incorrectly or the reinstall fails mid-process.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly describes collecting and storing per-tool-call observations, including user requests, facts, file access, and file modifications, but provides no indication of consent, minimization, retention limits, or privacy controls at collection time. In an agent-memory system, this creates a real risk of silently persisting sensitive workspace or user data beyond the immediate task, increasing exposure in the event of misuse, overcollection, or later retrieval.

Missing User Warnings

Medium
Confidence: 94%
Finding
The document states that stored observations and summaries are injected into future prompts as a system-message-level prefix, which can cause prior-session data to influence later model behavior without clear disclosure or strict scoping. This is dangerous because sensitive or irrelevant past content may be surfaced across tasks or sessions, potentially leaking private data and amplifying prompt-context risks through privileged system-level insertion.

Missing User Warnings

Medium
Confidence: 84%
Finding
The documentation explicitly demonstrates extracting tool inputs/results and then persisting the resulting observation, while also noting that generated markdown is prepended to future prompts. In an agent-memory library, this creates a realistic risk of retaining sensitive file contents, credentials, personal data, or prompt context without any warning, minimization guidance, or redaction controls, which can lead to unintended disclosure or prompt-context leakage.

Ssd 3

High
Confidence: 97%
Finding
The skill is explicitly designed to capture all conversations and tool-call history into persistent storage and replay that data into future prompts. This creates a durable data-retention and disclosure channel for potentially sensitive user content, including secrets, private instructions, and tool outputs that were originally provided only for a single session.

Ssd 3

High
Confidence: 97%
Finding
Turning every conversation and every tool call into searchable history for later prompt injection materially increases the blast radius of any sensitive data the agent handles. Content that was transient in one interaction becomes durable, retrievable, and automatically reintroduced into later contexts, raising risks of privacy leakage, cross-task contamination, and unintended disclosure.

Ssd 3

High
Confidence: 96%
Finding
The skill states that every user message, and optionally every assistant message, is captured and stored as an observation. That is a direct privacy and data-governance risk because ordinary chat content may include credentials, personal data, confidential business information, or regulated material that users do not expect to be retained beyond the immediate interaction.

Ssd 3

Medium
Confidence: 88%
Finding
Documenting export and import of accumulated memory enables bulk extraction and transfer of stored conversation data. In the context of a system that records chats and tool-call history, this increases disclosure risk because a single command can package large amounts of sensitive historical content for movement to another machine or environment.

VirusTotal

66/66 vendors flagged this skill as clean.