Back to skill

Security audit

2026 02 10 Clawhub Clawvault 1.5.1

Security checks across malware telemetry and agentic risk

Overview

ClawVault is a real local memory tool, but it needs review because it stores and displays session identifiers and includes broad file, Git, and transcript mutation features beyond simple memory search.

Review before installing. Use a dedicated vault path, do not store secrets or customer/private data in memories, avoid --urgent with sensitive checkpoint text, inspect clawvault shell-init before appending it to shell startup files, avoid sync --delete unless the target is a dedicated mirror, and use --no-git on sleep unless you explicitly want ClawVault to offer repository-wide commits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (26)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill description materially understates the breadth of behavior: besides memory storage/search, the documentation indicates shell startup modification, session file repair, link rewriting, health checks, possible git interactions, hooks, and filesystem sync/copy behavior. This mismatch is dangerous because users and higher-level policy systems may grant trust based on the narrow description while the tool performs broader state-changing actions on local files and shell configuration.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The sync method accepts an arbitrary target path and will copy vault markdown files there, and optionally delete orphaned markdown files in that target. Because there is no restriction that the destination be inside a trusted workspace or explicitly approved sync root, a caller can cause unintended modification of unrelated directories, which exceeds a typical memory/search skill’s expected scope and increases filesystem risk.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The sleep command goes beyond memory/checkpoint behavior by staging all repository changes and creating a Git commit. In an agent context, this is a powerful side effect that can persist unrelated work, secrets, or accidental modifications without being clearly justified by the skill's stated purpose. Even though it asks for confirmation in interactive mode and uses execFileSync safely with argument arrays, the capability itself is broader than expected and can cause integrity and confidentiality issues.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code invokes local Git subprocesses to inspect repository state and optionally mutate it, which is an unjustified capability for a memory-storage skill. In a local agent environment, subprocess-backed repository management expands the trust boundary: the skill can inspect project state and persist changes outside its vault, increasing the risk of unintended commits of sensitive or unrelated files.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The urgent checkpoint path launches an external `openclaw` CLI and sends checkpoint-derived text to another process, which extends this command beyond local persistence into cross-process data transmission. Although `execFileSync` is used safely with argument arrays rather than a shell, this still creates a trust-boundary crossing and can leak sensitive task context unexpectedly, especially if `openclaw gateway wake` forwards data to a remote service.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code reads session metadata from environment variables, including `OPENCLAW_SESSION_KEY`, and incorporates it into checkpoint state. In a memory/checkpoint skill, pulling secret-bearing environment data into application state increases the chance of inadvertent exposure and broadens access to sensitive runtime credentials beyond their original purpose.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The checkpoint data structure includes `sessionKey`, and `writeCheckpointToDisk` persists the entire object as plaintext JSON. Storing a session key on disk creates a durable secret exposure risk: any local user, backup system, log collector, or later compromise of the vault directory could recover credentials and potentially hijack or correlate sessions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The sleep command goes beyond creating memory/checkpoint artifacts and conditionally performs repository-wide Git operations by locating the repo root, staging all changes with `git add -A`, and committing them. In a memory-storage skill, this is an over-broad side effect that can capture and persist unrelated user changes, secrets, or work in progress, making the capability unjustified and potentially harmful even though it is user-confirmed in interactive mode.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The code executes `git add -A` and `git commit -m` subprocesses, which directly modify the user's repository state. Because this skill is described as a structured memory/checkpoint system, the ability to alter arbitrary repo contents is a dangerous mismatch in capability: it can unintentionally commit unrelated files, sensitive data, or partial work, and users may not appreciate the full scope of what is being committed.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The status command traverses upward to find any enclosing Git repository and reports repository cleanliness and dirty file counts, which expands visibility beyond the vault itself. In an agent setting, this can disclose the existence and state of unrelated project files to prompts or downstream tools, creating unnecessary workspace information exposure outside the skill's stated memory-management scope.

Description-Behavior Mismatch

Low
Confidence
76% confidence
Finding
The formatted status output includes checkpoint session metadata such as sessionKey, model, timestamp, and token estimates. While not directly enabling code execution, this may leak internal conversation/session identifiers and operational metadata to users, logs, or other agents without a clear need, increasing the risk of unintended information disclosure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README broadly encourages agents to persist memories across sessions but does not warn users not to store secrets, credentials, personal data, or regulated information. In an agent-memory skill, that omission is security-relevant because it normalizes long-term retention and searchability of sensitive data, increasing the chance of accidental disclosure or misuse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The session handoff examples encourage recording operational context such as current work, blockers, next steps, and decisions, which often contain internal system details, credentials-by-reference, customer data, or deployment context. Without any warning or sanitization guidance, users may persist sensitive operational state into local markdown files and indexes that can later be searched or exfiltrated.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The shell integration example shows `clawvault shell-init >> ~/.bashrc`, which appends to a shell startup file, but the documentation does not prominently warn that this persistently changes the user's shell environment. That omission can lead to unintended persistence, surprise command behavior, and harder incident cleanup if the generated content is incorrect or later abused.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The repair-session documentation says 'Fix it' and notes backups are created automatically, but it does not clearly emphasize that non-dry-run execution modifies session files. For a tool that repairs transcripts and parent-chain references, silent mutation of historical session data can affect forensic integrity, auditability, and user trust if operators assume it is read-only.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
When deleteOrphans is enabled, the code enumerates all markdown files under the target and unlinks any file not present in the source set, with no built-in confirmation, allowlist, or safety boundary checks. If the target is misconfigured or attacker-influenced, this can delete legitimate user content from an arbitrary directory tree.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Checkpoint data includes session identifiers, session keys, model metadata, and token estimates, and this information is written in plaintext JSON under the vault directory. In a memory/checkpointing skill, persisting operational secrets and session linkage data to disk can expose sensitive credentials or aid session hijacking if the local filesystem is accessible to other users, malware, backups, or logs.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The urgent checkpoint path can trigger an external CLI action immediately, which may initiate networked or cross-process behavior without clear user awareness. In the context of a structured memory skill, silently escalating from local checkpointing to an external wake action is surprising and increases the risk of unintended data disclosure, automation, or trust-boundary crossing.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documented `emergency-save` flow explicitly reads a session transcript file and extracts recent messages, which can include prompts, secrets, personal data, and other sensitive operational context. In a memory/persistence skill, automatic crash-time parsing without a clear privacy warning, consent model, retention limits, or redaction guidance increases the chance that sensitive transcript data will be collected and persisted unexpectedly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The hook documentation states it runs on gateway startup and `/new`, but it does not clearly warn users that these events automatically trigger checkpoint/recovery actions that write or clear state. In a memory and transcript-management skill, undisclosed automatic state modification can affect privacy, surprise users, and alter session behavior without informed consent, especially during startup or reset flows.

Vague Triggers

Low
Confidence
96% confidence
Finding
The lockfile pins a direct dependency, `qmd`, to a GitHub repository via `github:tobi/qmd` instead of a normal registry release. Git-based dependencies bypass some of the normal npm publication and provenance controls, can pull in complex install-time behavior from an external repo, and in this case introduce a large transitive tree including native/build-time components and install scripts, increasing supply-chain risk for an agent skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code writes session identifiers and potentially session keys to disk without any user-facing notice or consent mechanism. The lack of transparency is dangerous because users may reasonably expect a checkpoint feature to save task state, not sensitive authentication or correlation data, leading to accidental long-term credential retention.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Urgent mode sends checkpoint-derived content such as `workingOn`, `focus`, and `blocked` to an external CLI without a user-facing warning. In the context of a memory/checkpoint skill, these fields may contain sensitive project details, incident data, credentials pasted by mistake, or proprietary context, so silent transmission to another component or service is a meaningful privacy and security risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
In verbose mode, the command prints full checkpoint JSON and raw handoff content directly to CLI output, which can expose session keys, model metadata, task context, and potentially sensitive user or agent data to terminal logs, shell history capture tools, CI logs, or other observers. In a memory/recovery skill, this is more dangerous because the feature is specifically designed to persist and restore rich context, making accidental disclosure of secrets or sensitive operational state more likely.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The sync method can delete orphaned Markdown files from an arbitrary target path whenever deleteOrphans is enabled, with no built-in validation, confirmation gate, or restriction that the target be a dedicated vault mirror. In an agent skill that manages persistent memory and filesystem content, a mistaken or attacker-influenced target path could cause unintended data loss in user directories or other note repositories.

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
bin/clawvault.js:85

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/chunk-VJIFT5T5.js:95

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/commands/status.js:45

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
hooks/clawvault/handler.js:8

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/commands/status.ts:81

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/lib/search.ts:95