TDaí Memory Suite

Security checks across malware telemetry and agentic risk

Overview

This memory skill largely does what it says, but it also patches host OpenClaw files at install time and ships under-disclosed remote/cloud data paths (a Tencent Cloud VectorDB backend, OpenAI-compatible remote embedding, and a remote offload backend) for sensitive memory data.

Install only if you are comfortable with a memory plugin that records conversations persistently and may alter OpenClaw behavior. Use the default SQLite mode for local storage, avoid enabling Tencent Cloud, remote embedding, or offload unless you intentionally want memory data sent to those services, and review the postinstall patch script before allowing it to modify your OpenClaw installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (131)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
stdout_target = subprocess.DEVNULL
stderr_target = subprocess.DEVNULL

self._process = subprocess.Popen(
    shlex.split(self._gateway_cmd),
    env=env,
    stdout=stdout_target,
Confidence
94% confidence
Finding
self._process = subprocess.Popen( shlex.split(self._gateway_cmd), env=env, stdout=stdout_target, stderr=stderr_target,
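The finding above is what a behavioural AST check produces. As an added example that is neither SkillSpector's code nor the skill's, the following Python implements a minimal version of that check over a constructed source sample: it resolves import aliases, flags the call families the pattern list names (exec/eval, subprocess, dynamic import) and also the `trust_remote_code=True` keyword that later findings on this page cite. The sample source and the category labels are constructed for illustration, not SkillSpector's taxonomy.

```python
import ast

# Call families singled out by the scanner categories on this page. The labels
# are illustrative, not SkillSpector's own taxonomy.
DANGEROUS_CALLS = {
    "exec": "Dangerous Code Execution",
    "eval": "Dangerous Code Execution",
    "subprocess.Popen": "Dangerous Code Execution",
    "subprocess.run": "Dangerous Code Execution",
    "subprocess.call": "Dangerous Code Execution",
    "os.system": "Dangerous Code Execution",
    "importlib.import_module": "Dynamic Import",
    "__import__": "Dynamic Import",
}


def _dotted_name(node):
    """Return 'pkg.attr.attr' for a Name/Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class BehaviouralVisitor(ast.NodeVisitor):
    def __init__(self):
        self.aliases = {}   # local name -> fully qualified name from imports
        self.findings = []  # (lineno, category, resolved call)

    def visit_Import(self, node):
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = alias.name

    def visit_ImportFrom(self, node):
        prefix = f"{node.module}." if node.module else ""
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = prefix + alias.name

    def _resolve(self, name):
        head, _, rest = name.partition(".")
        head = self.aliases.get(head, head)
        return head + ("." + rest if rest else "")

    def visit_Call(self, node):
        name = _dotted_name(node.func)
        if name is not None:
            name = self._resolve(name)
            if name in DANGEROUS_CALLS:
                self.findings.append((node.lineno, DANGEROUS_CALLS[name], name))
            # trust_remote_code=True on any loader call, e.g. SentenceTransformer(...)
            for kw in node.keywords:
                if (kw.arg == "trust_remote_code"
                        and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(
                        (node.lineno, "Remote Code Trust", f"{name}(trust_remote_code=True)"))
        self.generic_visit(node)


def scan_source(source):
    """Parse Python source and return findings sorted by line number."""
    visitor = BehaviouralVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


# Constructed sample shaped like the snippets quoted in this report.
SAMPLE = '''
import subprocess, shlex
from sentence_transformers import SentenceTransformer
import importlib

class Gateway:
    def start(self, cmd, env):
        self._process = subprocess.Popen(shlex.split(cmd), env=env,
                                         stdout=subprocess.DEVNULL)

def load(model_name):
    return SentenceTransformer(model_name, trust_remote_code=True)

def plugin(name):
    return importlib.import_module(name)

def run(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    for lineno, category, call in scan_source(SAMPLE):
        print(f"line {lineno}: {category}: {call}")
```

Alias resolution matters in practice: `from subprocess import Popen as P` followed by `P(...)` is reported as `subprocess.Popen`, which a plain string grep for `subprocess.Popen` would miss.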

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
Claiming the suite is fully local while also documenting a Tencent Cloud Vector Database backend creates a misleading trust boundary. Users may store sensitive long-term memories believing they remain on-device, when configuration or future defaults could route them to an external service.

Intent-Code Divergence

Low
Confidence
82% confidence
Finding
Saying no separate API key is needed while also mentioning Tencent Cloud vector database support can mislead users about whether third-party service configuration, credentials, or network egress may be involved. The direct technical impact is lower than a code execution flaw, but it weakens informed consent and safe deployment decisions for memory data.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The code claims to operate locally, but `SentenceTransformer(model_name, trust_remote_code=True)` may download model assets on first run and execute Python code supplied by a remote model repository. This breaks the local-only trust boundary and creates a supply-chain execution risk if the upstream repository is compromised or changed.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The module documentation states the visualizer is local-only, but the implementation may fetch model artifacts remotely during initialization. This is a security-relevant documentation mismatch because users may run the tool in sensitive environments assuming no outbound network activity or supply-chain exposure.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
`trust_remote_code=True` allows execution of custom code from the model repository, which is unnecessary for a memory visualization feature and materially increases attack surface. In a local memory tool, this is especially risky because the process handles potentially sensitive stored memory data and runs with the user's filesystem permissions.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file’s header and metadata promise a fully local, zero-external-dependency memory system, yet the implementation conditionally enables remote offload/profile sync paths. That mismatch is security-relevant because operators may deploy it under incorrect trust assumptions, causing sensitive conversation-derived memory data to leave the local machine when certain config flags are set.

Intent-Code Divergence

Medium
Confidence
73% confidence
Finding
The comment claims warmup is deferred to avoid downloads during CLI use, but register() still performs initialization that can touch remote-capable components earlier in startup, including profile sync and offload registration. This can violate user expectations and trigger network activity before a real conversation, which is especially risky in a plugin handling sensitive memory content.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The package metadata markets the plugin as having 'no external API dependencies' and being 'fully local', yet the manifest includes an OpenAI SDK dependency and Tencent vector DB migration/export tooling. Even if those features are optional, this is a security-relevant misrepresentation because operators may deploy the skill under an incorrect trust assumption, exposing memory data to external systems or enabling outbound connectivity they did not expect.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code can transmit embedding input text to arbitrary configured remote or proxy endpoints, including via a proxy header that forwards to another remote URL. In a skill marketed as fully local with no external API dependencies, this creates a meaningful privacy and data-exfiltration risk because memory content may include sensitive user prompts, notes, or documents and could leave the host unexpectedly.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This module explicitly implements a Tencent Cloud VectorDB backend, which contradicts the skill’s advertised 'fully local' and 'no external API dependencies' behavior. In a memory system handling conversations and profiles, that mismatch is dangerous because it can cause sensitive data to leave the local machine unexpectedly, defeating user trust, privacy expectations, and deployment assumptions.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
Initialization actively creates a remote database and multiple remote collections, confirming that the component is not merely optional helper code but provisions cloud infrastructure. In the context of a 'complete local memory system,' this is dangerous because first-run setup can silently establish remote persistence for user memories, conversations, and profiles without matching the advertised trust boundary.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The constructor configures a network client with URL, username, API key, database, timeout, and CA path, establishing a cloud-backed storage/search channel inside a skill marketed as local-only. Because this skill processes memory data, the context makes the issue more dangerous: operators may deploy it under the assumption that no external service access is needed, while credentials and memory content are actually routed to a remote system.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file explicitly supports a remote OpenAI-compatible embedding provider and documents that behavior, which conflicts with the skill’s stated "everything runs locally" and "no external API dependencies" positioning. In a memory system, embedding input may contain sensitive user conversations or stored memory content, so undisclosed remote transmission creates a real data-exfiltration and trust-boundary risk.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This code performs outbound network requests for embeddings using arbitrary configured endpoints, sending raw input text to external services. In the context of a local memory suite, that is especially dangerous because memory content is likely to include private prompts, notes, or conversation history that users reasonably expect to remain local.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
This file implements a full HTTP client for Tencent Cloud VectorDB, including authenticated remote requests, retries, and database/document operations. In a skill advertised as a fully local memory system with no external API dependencies for memory extraction, this creates a material trust and data-flow mismatch: memory contents, queries, and metadata may be transmitted to a remote service without users expecting cloud egress.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The code can create databases and collections and perform document operations against a remote Tencent Cloud service. Even if intended for migration or optional integration, this expands the skill's capability beyond a local memory system and increases the chance that sensitive memory data is stored or managed remotely in ways users and operators did not anticipate.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
This file clearly implements a Tencent Cloud VectorDB-backed memory store via networked API calls, which conflicts with the skill’s stated promise that memory extraction runs locally with no external API dependencies. In a memory system, this mismatch is security-relevant because conversation data, profiles, and searchable memory content may be transmitted to a remote service, creating confidentiality, compliance, and trust-boundary risks for users who expect strictly local processing.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script claims local-only operation, but the SentenceTransformer path can fetch model artifacts from Hugging Face and, because remote code is trusted, may execute model-provided Python during load. In a memory visualizer handling sensitive local memory data, this breaks the local-only trust boundary and creates a code-execution and supply-chain risk.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
Using trust_remote_code=True allows arbitrary Python from the model repository to run locally at model load time. That is unjustified for a visualization utility and could let a compromised or malicious upstream model execute code with the user's privileges, including reading memory records or altering local files.
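The two findings above (and the earlier ones at the same `SentenceTransformer` call) turn on one question: does the embedding model actually ship code that has to be trusted? A repo only needs `trust_remote_code=True` when its `config.json` carries an `auto_map` entry pointing at classes in bundled `.py` files, which the loader imports and executes. The following Python, added here and not part of the skill or the scanner, inspects a local snapshot directory for exactly that and builds two constructed snapshots to show both outcomes. The fixture file names and config contents are invented for the demo.

```python
import json
import tempfile
from pathlib import Path


def needs_remote_code(model_dir):
    """Report whether a local Hugging Face-style model snapshot ships its own
    Python. Only such a repo needs trust_remote_code=True: its config.json
    carries an 'auto_map' entry naming classes defined in bundled .py files,
    which the loader imports and executes in the calling process."""
    model_dir = Path(model_dir)
    reasons = []
    config_path = model_dir / "config.json"
    if config_path.is_file():
        config = json.loads(config_path.read_text())
        if "auto_map" in config:
            reasons.append("config.json declares auto_map: "
                           + ", ".join(sorted(config["auto_map"])))
    py_files = sorted(p.name for p in model_dir.rglob("*.py"))
    if py_files:
        reasons.append("python files in snapshot: " + ", ".join(py_files))
    return bool(reasons), reasons


def build_snapshot(root, custom):
    """Constructed fixture: a minimal snapshot, optionally with custom code."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    config = {"architectures": ["BertModel"], "hidden_size": 384}
    if custom:
        config["auto_map"] = {"AutoModel": "modeling_custom.CustomModel"}
        (root / "modeling_custom.py").write_text(
            "# anything here runs in the loading process when trust_remote_code=True\n")
    (root / "config.json").write_text(json.dumps(config))
    return root


def demo():
    """Check a plain snapshot and one that bundles custom code."""
    with tempfile.TemporaryDirectory() as tmp:
        plain = needs_remote_code(build_snapshot(Path(tmp) / "plain", custom=False))
        custom = needs_remote_code(build_snapshot(Path(tmp) / "custom", custom=True))
    return {"plain": plain, "custom": custom}


if __name__ == "__main__":
    for name, (flag, why) in demo().items():
        verdict = "needs trust_remote_code" if flag else "loads with trust_remote_code=False"
        print(name, verdict, why)
```

If the check reports no custom code, the visualizer can keep the library default of `trust_remote_code=False`. To also close the first-run download path, pre-fetch the reviewed snapshot once and run the tool with `HF_HUB_OFFLINE=1` set, so a changed upstream repository cannot be pulled in later.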

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script intentionally patches an externally installed OpenClaw package under its dist directory rather than limiting itself to files owned by this skill. That cross-boundary modification changes host application behavior and expands trust from a local memory component into system-level code tampering, which can expose additional data or create maintenance and integrity risks.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script performs host-wide package discovery using `node`, `which`, `find`, and filesystem traversal, then prepares to modify located package files. For a memory-suite skill, this is broader-than-necessary capability and creates a risky mechanism for altering software outside the skill's own directory, especially when run with elevated privileges.
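The practical check for the two findings above (and for the overview's advice to review the postinstall patch before letting it touch OpenClaw) is a hash manifest of the host package taken before the install step and compared afterwards. The Python below is an added example, not the skill's or the scanner's code; it builds a stand-in `dist` directory, simulates an in-place patch plus a dropped file, and reports the difference. The file names and contents are invented for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256,
    giving a manifest of the host package to compare before and after a skill's
    postinstall step runs."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(before, after):
    """Classify every path as modified, added or removed between two manifests."""
    return {
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
    }


def demo():
    """Constructed scenario: a stand-in dist directory, a manifest taken before
    an install step, a simulated in-place patch plus dropped file, and the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        dist = Path(tmp) / "openclaw" / "dist"
        dist.mkdir(parents=True)
        (dist / "gateway.js").write_text("export const start = () => {};\n")
        (dist / "memory.js").write_text("export const load = () => {};\n")
        before = hash_tree(dist)

        # What a patching postinstall does, simulated here: rewrite a host file
        # and drop a new one beside it. File names are invented for the demo.
        (dist / "memory.js").write_text(
            "import './injected-hook.js';\nexport const load = () => {};\n")
        (dist / "injected-hook.js").write_text("// injected by the install step\n")
        after = hash_tree(dist)
    return diff_manifest(before, after)


if __name__ == "__main__":
    print(demo())
```

Against a real installation, run `hash_tree` over the OpenClaw package directory the postinstall locates, install the skill, and run it again: any non-empty diff outside the skill's own directory is the cross-boundary modification these findings describe, and the manifest tells you exactly which host files to read before deciding whether to keep it.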

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The script explicitly documents and enables a remote offload backend, which conflicts with the skill metadata claiming a fully local memory system with no external API dependencies. This mismatch can mislead operators into sending memory content, identifiers, and possibly credentials to an external service they did not expect, increasing data exfiltration and trust-boundary risk.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The enable flow writes backendUrl, userId, and backendApiKey into the OpenClaw configuration, thereby operationalizing remote communication and persisting authentication material. In the context of a skill advertised as local-only, this creates a significant transparency and confidentiality issue because users may unknowingly route sensitive memory data to a remote backend.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The skill metadata claims local-only memory extraction with no external API dependencies, but this runner is explicitly configured to send prompts and data to an OpenAI-compatible endpoint using a base URL and API key. In a memory system, prompts may include sensitive user memories, workspace contents, or derived context, so this creates a material risk of unintended external data exfiltration and violates user trust and deployment assumptions.
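The last four findings all come down to settings that route memory data or credentials off the host: an offload backend URL and API key written into the OpenClaw configuration, an OpenAI-compatible base URL plus key, and (earlier on the page) a proxy header that forwards embedding input to another remote URL. An operator can audit that before enabling anything. The Python below is an added example, not the skill's code and not OpenClaw's real configuration schema: it walks an arbitrary nested config, flags any http(s) URL whose host is not loopback wherever it appears (header values included), and flags non-empty values stored under credential-looking keys. The section names in the constructed sample are hypothetical apart from `backendUrl`, `userId` and `backendApiKey`, which the finding above quotes.

```python
import re
from urllib.parse import urlparse

# Key names that usually carry authentication material.
SECRET_KEY_RE = re.compile(r"api[_-]?key|token|secret|password", re.IGNORECASE)
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}


def _walk(obj, path=""):
    """Yield (dotted.path, leaf value) for every scalar in a nested config."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _walk(value, f"{path}[{i}]")
    else:
        yield path, obj


def audit_egress(config):
    """Return (path, issue, detail) for every setting that would move memory
    data or credentials off the host: any http(s) URL whose host is not
    loopback, wherever it is nested (including header values), and any
    non-empty value stored under a key that looks like a credential."""
    findings = []
    for path, value in _walk(config):
        if not isinstance(value, str):
            continue
        key = path.rsplit(".", 1)[-1]
        url = urlparse(value)
        if url.scheme in ("http", "https") and url.hostname and url.hostname not in LOCAL_HOSTS:
            findings.append((path, "remote endpoint", url.hostname))
        elif SECRET_KEY_RE.search(key) and value:
            findings.append((path, "credential persisted in config", "***"))
    return findings


# Constructed sample. Section names are hypothetical; backendUrl, userId and
# backendApiKey are the keys the finding on this page quotes.
SAMPLE_CONFIG = {
    "memory": {
        "storage": "sqlite",
        "embedding": {
            "baseUrl": "http://127.0.0.1:11434/v1",      # local: not flagged
            "apiKey": "",                                 # empty: not flagged
            "headers": {"X-Proxy-Target": "https://embed.example.org/v1"},
        },
        "offload": {
            "backendUrl": "https://memory.example.net/api",
            "userId": "u-123",
            "backendApiKey": "sk-constructed-0000",
        },
    }
}

if __name__ == "__main__":
    for path, issue, detail in audit_egress(SAMPLE_CONFIG):
        print(f"{path}: {issue} ({detail})")
```

The walk is schema-agnostic on purpose: a local-only deployment of this suite should produce an empty list, and every hit names the exact key to unset before the plugin is enabled. The credential check is deliberately conservative; it only tells you a secret is sitting in a config file, which is reason enough to review how that file is protected.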

VirusTotal

VirusTotal findings are pending for this skill version.