2026 02 10 Clawhub Clawvault 1.5.1

Security checks across static analysis, malware telemetry, and agentic risk

Overview

ClawVault mostly matches its memory purpose, but one file-writing path does not appear to be safely confined to the vault and should be reviewed before use.

Use ClawVault only with a dedicated vault path, avoid storing secrets, keep repair-session backups enabled, and do not let an agent run storage commands with arbitrary category/path-like values until the path containment issue is fixed.

Static analysis

Dangerous exec (reported 6 times)

Critical
Finding
Shell command execution detected (child_process).

VirusTotal

52/52 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

A crafted category such as one containing parent-directory components could cause the agent to create, and with overwrite enabled replace, markdown files outside the intended vault.

Why it was flagged

The vault write path is assembled from a caller-supplied category without an evident allowlist, normalization, or check that the result remains under the configured vault path.

Skill content
const { category, title, content, frontmatter = {}, overwrite = false } = options;
...
const relativePath = path.join(category, filename);
const fullPath = path.join(this.config.path, relativePath);
...
fs.writeFileSync(fullPath, fileContent);
Recommendation

Validate categories against an allowlist or normalize and reject any resolved path that is not inside the vault before writing.

ASI05: Unexpected Code Execution
Low
What this means

Installing or using this skill can run the locally installed qmd program and pass it vault/indexing arguments.

Why it was flagged

The CLI launches the external qmd binary as part of its documented search/indexing workflow.

Skill content
const proc = spawn('qmd', args, { stdio: 'inherit' });
Recommendation

Install qmd only from a trusted source and keep the vault path scoped to the documents you intend to index.

ASI08: Cascading Failures
Medium
What this means

A repair operation changes the conversation state future agent runs may depend on, even though backups are created by default.

Why it was flagged

The session repair feature backs up and then rewrites an OpenClaw session transcript, removing/relinking entries.

Skill content
fs.copyFileSync(filePath, backupPath);
...
fs.writeFileSync(filePath, repairedLines.join("\n") + "\n");
Recommendation

Use dry-run first, keep backups enabled, and repair only the specific session you intend to modify.

ASI03: Identity and Privilege Abuse
Medium
What this means

The skill can inspect local agent session metadata/transcripts for its repair workflow, which may contain sensitive conversation context.

Why it was flagged

The repair utilities access local OpenClaw agent session directories under the user's home directory.

Skill content
function getOpenClawAgentsDir() { return path.join(os.homedir(), ".openclaw", "agents"); }
Recommendation

Run session repair only when needed, prefer explicit agent/session IDs, and avoid using it on profiles you do not want the tool to inspect.

ASI06: Memory and Context Poisoning
Medium
What this means

Private notes or instruction-like content saved in the vault may be surfaced to future agent sessions.

Why it was flagged

The skill intentionally stores persistent memory, checkpoint state, people/projects, and handoffs for reuse across sessions.

Skill content
vault/
├── .clawvault/          # Internal state
│   ├── last-checkpoint.json
...
├── people/
...
├── projects/
...
├── handoffs/
Recommendation

Keep the vault in a dedicated location, avoid storing secrets, and review retrieved memory before relying on it for important actions.

ASI10: Rogue Agents
Low
What this means

If the hook is installed and enabled, it can automatically add recovery context and checkpoint data to agent sessions.

Why it was flagged

The package includes optional OpenClaw hook behavior that can persist across events and inject recovery context when enabled.

Skill content
`gateway:startup` event: Detects if previous session died, injects alert into first agent turn
...
`command:new` event: Auto-checkpoints before session reset
Recommendation

Enable the hook only if you want automatic context recovery, and review hook behavior/configuration before relying on it.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Global package installation runs third-party code on the user's machine.

Why it was flagged

Setup depends on globally installed external packages, including qmd from npm or GitHub.

Skill content
npm install -g clawvault
...
bun install -g github:tobi/qmd
Recommendation

Verify the package source/version before installing globally and prefer pinned, trusted releases where possible.