Security audit

ClawMind

Security checks across malware telemetry and agentic risk

Overview

ClawMind largely matches its self-evolving memory-agent purpose, but it can persist user/task content and generate new skill files without clear approval or disclosure.

Install only if you are comfortable with persistent local memory and under-disclosed generated-skill/profile behavior. Avoid storing secrets or confidential task details, inspect the OpenClaw workspace files it creates, and require explicit review before any auto-created skill or USER.md entry is reused.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

Severity: High
Confidence: 92%
Finding: The code creates a dedicated skills directory and persists auto-generated skill artifacts to disk, which is a significant capability expansion beyond the described ClawMind functions. In an agent environment, autonomous creation of executable/prompt-bearing skill files can enable persistence, unreviewed behavior changes, and propagation of unsafe instructions derived from task content.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The functions append arbitrary key/value data to a global USER.md profile file, introducing persistence and modification of user state not clearly justified by the manifest. This creates a cross-session data integrity and privacy risk because task-derived or attacker-influenced content can be stored indefinitely and later affect agent behavior.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The save path writes new .skill and metadata files automatically whenever the heuristic decides to create a skill, without an authorization boundary. In a skill-based agent system, this is dangerous because it establishes persistent, self-extending behavior from prior task content, which can be poisoned to create misleading or unsafe future skills.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The trigger text is broad enough to activate on generic requests involving autonomy, decisions, memory, or self-improvement. Over-broad activation increases the chance this powerful stateful skill runs in inappropriate contexts, causing unnecessary persistence, task steering, or file changes where a simpler, safer skill should have been used.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The code writes skill and metadata files silently, with no user-facing disclosure or confirmation. Silent persistence is risky in agent workflows because users may be unaware that their task data is being converted into reusable artifacts that can influence later execution.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: User profile updates are appended automatically and invisibly, so users are not informed that durable profile state is being changed. This is dangerous because profile poisoning or accidental sensitive data retention can alter future behavior and expose private information across sessions.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill persists arbitrary conversation text to a fixed SQLite database path without any consent flow, warning, minimization, or retention control. In an agent context, users may provide secrets, tokens, personal data, or sensitive work content that will be stored and later retrievable, increasing privacy and confidentiality risk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The script persistently writes operational state to a fixed workspace file under /home/node/.openclaw/workspace/state/current_state.json without any consent, disclosure, integrity checks, or access-control hardening. In an agent environment, this can expose task history, reflections, project names, and behavioral metadata to other local components or users, and it creates a durable record the user may not expect.

Ssd 3

Severity: Medium
Confidence: 98%
Finding: The engine embeds up to 500 characters of task context into generated prompts and persists that content in skill files and metadata. This creates a straightforward data retention and leakage path for user-supplied secrets, proprietary data, or prompt-injected instructions, especially because future runs may reuse the stored text.

Ssd 3

Severity: Medium
Confidence: 97%
Finding: Appending arbitrary key/value content to USER.md allows unrestricted accumulation of plain-text personal or sensitive data in a persistent file. Because the inputs are not validated or minimized, this can store secrets, private preferences, or attacker-controlled text that later influences model behavior or is exposed to other components.

Ssd 3

Severity: Medium
Confidence: 95%
Finding: The code stores raw conversation text verbatim in conversation_log and later recalls derived experience content, creating a persistent data-retention and resurfacing channel. In a self-evolving memory skill, this is more dangerous because sensitive prompts, credentials, internal URLs, or private user content may be unintentionally retained and reintroduced into future agent context.

VirusTotal

65/65 vendors flagged this skill as clean.