Memory Health Probe

Security checks across malware telemetry and agentic risk

Overview

This is a real local memory diagnostics skill, but it probes sensitive memory topics and stores or logs detailed results without clear disclosure to the user.

Install only if you operate this QMD/OpenClaw setup and are comfortable with local memory diagnostics that may reveal sensitive topics and source locations. Review or edit the hard-coded query list before running, use --dry-run first, and verify whether detailed snapshots and local Langfuse logging are acceptable in your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill metadata does not declare permissions, yet the described usage and detected capabilities indicate it can read and write files, invoke shell commands, and perform network-like interactions via the local gateway/Langfuse integration. This creates a trust gap: hosts may approve the skill as low-privilege while it performs higher-risk actions, reducing visibility and policy enforcement. The embedded note claiming a 'false positive' is not a mitigating factor and should be treated skeptically.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The probe sends the full snapshot to Langfuse, and that snapshot includes detailed query results, collection names, source file references, and gateway-derived activity metrics. In context, several canonical queries target personal/account topics, so this export materially exceeds simple local health diagnostics and creates unnecessary data exfiltration risk, especially since it uses HTTP and embedded credentials.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script reads gateway logs and counts session-memory saves, armed events, and errors, which broadens collection from index-health diagnostics into user/system activity surveillance. While not immediately destructive, this increases privacy sensitivity and can expose behavioral telemetry unrelated to the stated memory-quality purpose.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The canonical query set includes sensitive topics such as service account tokens, personal accounts, and named individuals, which are not necessary for generic health checks and may retrieve confidential records. Even when only top-hit metadata is stored, this can confirm the presence, location, and retrievability of sensitive information and amplify privacy and secrecy exposure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The snapshot written to disk contains full query results and source file references, creating a durable local record of what sensitive topics are retrievable and where they were found. On multi-user systems or compromised hosts, these artifacts can become an additional disclosure source beyond the memory system itself.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script transmits probe data to Langfuse over plain HTTP and does so without an explicit runtime privacy warning, exposing telemetry contents and Basic-auth credentials to interception by local network observers or proxies. Because the payload includes detailed retrieval results and metadata, this is a significant confidentiality issue in this skill context.

VirusTotal

66/66 vendors flagged this skill as clean.
