Auto Reflection

Security checks across malware telemetry and agentic risk

Overview

This is mostly a local reflection logger, but it has review-worthy risks from automatic persistent logging and an installer bug that can write outside the intended workspace.

Review and patch install.sh before installing, especially the undefined RESEARCH_DIR rsync block. Set OPENCLAW_WORKSPACE explicitly, avoid the unpinned curl-to-main install path where possible, and only enable hooks if you are comfortable with task context, errors, and decisions being written to local reflection files. Do not log secrets, credentials, private prompts, customer data, or sensitive internal details.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (6)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to enable automatic hooks that write tool and subagent context to local reflection files, but it does not prominently warn that ongoing command context, decisions, errors, and possibly sensitive task data will be captured automatically. This creates a real privacy and security risk because secrets, file paths, internal prompts, or user data could be persistently logged without clear informed consent or guidance on redaction/retention.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The examples instruct persistent writes of reflections but do not clearly warn that task context, decisions, outcomes, and lessons are stored in local files. This can cause users or agents to persist sensitive workflow data without understanding the retention behavior, increasing privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script persists user-provided context, decisions, outcomes, and error messages directly to a workspace file without any notice, consent, redaction, or sensitivity checks. In an agent setting, those fields can easily contain secrets, personal data, internal prompts, tokens, paths, or confidential task data, creating a privacy and data-retention risk if logs are later accessed, synced, or exfiltrated.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script persists potentially sensitive operational data such as task details, context, decisions, outcomes, and errors to a workspace file by default, with no consent prompt, retention control, redaction, or access restriction. In an agent environment, these fields can easily contain secrets, internal paths, user content, or security-relevant failure details, so silent disk persistence increases the risk of unintended disclosure.

Ssd 3

Medium
Confidence
92% confidence
Finding
The skill's core purpose is to record errors, decisions, and work patterns into memory files, which creates a built-in channel for retaining potentially sensitive user or operational data. Because no scoping, minimization, or redaction guidance is provided, normal use could unintentionally store confidential information persistently.

Ssd 3

Medium
Confidence
95% confidence
Finding
The command examples pass free-form fields such as context, decision, outcome, and lessons directly into a persistence mechanism, encouraging storage of arbitrary text. In practice, these fields are likely to contain sensitive prompts, task details, file names, business logic, or incident context, making this a meaningful data-retention vulnerability.

VirusTotal

67/67 vendors flagged this skill as clean.
