ClawHub

Memoria

Security checks across malware telemetry and agentic risk

Overview

Memoria is a coherent memory plugin, but it captures and persists broad agent data and can send it to cloud LLMs despite local-only framing.

Install only if you are comfortable with an agent memory layer that records conversations and tool output by default. Before enabling it, disable or strictly configure remote fallbacks if you require local-only operation, review syncMd and auto-skill behavior, keep generated memory files out of shared repositories, and avoid the curl-to-bash installer unless you inspect the script first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (68)

Tainted flow: 'OPENAI_KEY' from os.environ.get (line 13, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
"response_format": {"type": "json_object"}
    }
    try:
        r = requests.post(f"{OPENAI}/chat/completions", json=body, timeout=30,
                         headers={"Authorization": f"Bearer {OPENAI_KEY}", "Content-Type": "application/json"})
        r.raise_for_status()
        content = r.json()["choices"][0]["message"]["content"]
Confidence
98% confidence
Finding
r = requests.post(f"{OPENAI}/chat/completions", json=body, timeout=30, headers={"Authorization": f"Bearer {OPENAI_KEY}", "Content-Type": "application/json"})

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill markets itself as '100% local-first' and 'zero cloud cost, zero API keys required,' yet the same file advertises optional remote LLM fallbacks using OpenAI/OpenRouter and references remote providers. While optional cloud support is not inherently malicious, this mismatch can mislead users into enabling a component with broader data exposure and network behavior than expected, especially for a memory plugin that processes conversations and workspace files containing sensitive information.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file hardcodes an OpenAI API base URL and reads an API key even though the advertised skill description says it is 100% local-first and requires zero API keys. This discrepancy is security-relevant because operators may trust the description and run the benchmark without realizing it can use external cloud services and credentials.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The nano_judge function sends the benchmark question, expected answer, and actual answer to OpenAI for evaluation. In context, those fields can contain sensitive operational and personal information from stored sessions, so this is real off-device disclosure inconsistent with the skill's local-only framing.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Accessing OPENAI_API_KEY from the environment is not inherently malicious, but in a supposedly zero-key local memory system it is unjustified and increases risk of unexpected cloud use. The danger comes from silent credential consumption that may surprise users and enable external transmission of benchmark data.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
On correction detection, the code writes a snippet of raw user content into a workspace-controlled `.learnings/LEARNINGS.md` file, creating a new persistent artifact outside the primary memory/database path. This expands data propagation and retention without clear consent, sanitization, or tight scoping, so sensitive or proprietary user input may be copied into files that other tools, humans, or later agent runs can consume.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The README markets the system as having 'Zero cloud dependency' and being '100% local,' yet later documents OpenAI use and fallback chains that can send data to external services. This can mislead operators into deploying the tool under incorrect privacy and compliance assumptions, especially for a memory system that stores potentially sensitive user facts.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The default configuration includes OpenAI as a fallback provider, which means prompts may be transmitted off-host if the local provider fails. In a component marketed as '100% local-first' and 'zero API keys required,' this creates a real data-handling risk because sensitive memory content could be sent to a cloud service without users realizing the default behavior permits it.

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
This provider performs remote calls to Anthropic and requires an API key, which conflicts with the skill's advertised '100% local-first' and 'zero API keys required' posture. In an agent skill, this mismatch is security-relevant because users may unknowingly send prompts and potentially sensitive memory content to a third-party cloud service under false assumptions of local-only processing.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The cooldown query logic appears inverted relative to the comment and intended behavior. Using `last_accessed_at IS NULL OR last_accessed_at >= ?` selects facts accessed recently, which can cause the system to repeatedly revise hot memories instead of waiting for a cooling-off period, leading to unintended churn and integrity degradation of stored memory.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The MD→DB sync imports arbitrary bullet points from workspace markdown into the memory database with minimal validation and no trust boundary checks. Any process, plugin, or attacker able to modify those markdown files can poison agent memory with false instructions, sensitive bait, or persistence content that may later influence model behavior.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill advertises itself as '100% local-first' and requiring 'zero API keys,' but its default fallback chain includes OpenAI and will use an API key from the environment if present. That creates a real security and trust issue because sensitive prompts, memory content, or derived facts may be sent to a remote provider contrary to user expectations and deployment policy.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The embedding fallback logic silently adds OpenAI embeddings when an API key is available, despite the product description claiming local-first operation. Embedding requests can transmit user content or memory facts to a third party, so this is a real data exposure risk and materially contradicts the stated trust boundary.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
Auto-promoting learned procedures into skill files expands the component from passive memory into autonomous code or capability generation. In an agent environment, writing new skill files can create persistence, privilege expansion, or unsafe behavior if learned procedures are influenced by untrusted conversation/tool output.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The recall hook does more than retrieve context: it mutates memory state via access tracking, feedback recording, budget learning, lifecycle updates, and also launches an asynchronous revision task. In a pre-prompt hook, these side effects can make merely viewing or prompting against memory alter long-term state, creating integrity and auditability risks and making prompt-triggered behavior less predictable.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The hook can append a self-observation profile directly into the prompt context without any apparent minimization, consent, or sensitivity filtering. If the self-observer stores internal heuristics, past failures, hidden instructions, or other sensitive agent metadata, this broadens prompt exposure and may leak internal state to downstream model processing.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The install instructions recommend piping a remotely fetched script directly into bash, and the text states that the script auto-configures openclaw.json and performs other system-changing actions. This removes an opportunity for the user to inspect what will run and what files will be modified, creating a supply-chain and arbitrary code execution risk if the remote script or hosting path is compromised.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation says existing cortex.db data is detected and migrated automatically on first startup with zero user action. Automatic modification of existing databases without an explicit backup and confirmation warning can cause accidental data corruption, irreversible migration mistakes, or unexpected changes to user state.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The examples show API keys embedded directly in configuration snippets without any warning about secret handling. Users may copy these patterns into tracked config files, logs, screenshots, or shared repos, leading to credential disclosure and unauthorized use of paid or sensitive AI services.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README prominently advertises real-time capture via `message_received` and `llm_output` hooks, but does not pair that claim with a clear privacy warning about what data is collected, when collection occurs, retention behavior, or how users can disable it. For a memory plugin that records live conversation content, this omission can lead users to unknowingly capture sensitive prompts, credentials, proprietary code, or personal data during normal use.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The architecture section states `Sync .md → Auto-regen`, indicating facts may be written back into workspace markdown files, but the README does not clearly warn that memory contents can be materialized into user files. This creates risk of unintentionally exposing sensitive conversation-derived data inside repositories or working directories, where it may later be committed, indexed, shared, or read by other tools.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script silently reads an API key from the environment for outbound use without warning the operator. In a benchmark that otherwise looks local, this lack of disclosure materially increases the chance of unintended credential use and undisclosed third-party processing.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The benchmark transmits questions, expected answers, and model outputs to OpenAI with no user-facing notice. Because the benchmark corpus includes personal data, compensation data, employment status, tokens, and infrastructure identifiers, this creates a real confidentiality risk if run on non-synthetic or mixed data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The hook sends recent conversation text to `extractLlm.generateWithMeta(...)` for fact extraction, but this code contains no consent gate, no locality enforcement, and no redaction before transmission. Although the skill markets itself as local-first, `LLMProvider` is abstract and could be backed by a remote provider, so sensitive user/assistant content may be exfiltrated without clear warning or policy control.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Compaction summaries are also forwarded to `extractLlm.generateWithMeta(...)` without code-level checks that the provider is local, approved, or that the summary is sanitized. Summaries can still contain condensed secrets, credentials, personal data, or strategic context, so transmitting them externally creates a confidentiality risk even if the source text is shorter than full conversation history.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal