Security checks across malware telemetry and agentic risk

Overview

The plugin matches its stated memory purpose, but it needs review because it deliberately hides environment-variable access from scanners, installs an unverified sidecar, and retains conversation history that it sends to external AI services.

Do not install this automatically. Review it as a high-privilege memory plugin: it can retain chat history, reuse it in future prompts, use Gemini/OpenRouter credentials, call external AI APIs, and download/execute a sidecar binary. Use separate scoped API keys, avoid regulated or secret-heavy conversations, and prefer waiting for a version that removes scanner-evasion code and verifies downloaded binaries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (43)

Context-Inappropriate Capability

Severity: Medium, confidence 95%
Finding
The README includes an agent-facing installation prompt that instructs the agent to inspect environment-variable availability and prepare a gateway/system restart. Even though framed as setup guidance, this expands the plugin's operational scope beyond memory management into privileged host actions and credential-aware behavior, which can normalize unsafe automation if copied verbatim into an agent session.

Intent-Code Divergence

Severity: Medium, confidence 93%
Finding
The README says conversations are 'saved locally,' but later explains that chat text is sent to Gemini for embeddings and episode generation. That mismatch can mislead users into believing their data never leaves the machine, creating an informed-consent and privacy risk rather than a purely technical exploit.

Intent-Code Divergence

Severity: High, confidence 99%
Finding
The comments explicitly state an intent to obfuscate environment-variable access in order to evade scanner detection, and the code implements that concealment via dynamic property access to process.env. In an agent skill context, hidden access to environment variables is dangerous because those variables often contain API keys, tokens, and other secrets that can be harvested and later exfiltrated.

Context-Inappropriate Capability

Severity: Medium, confidence 91%
Finding
The function provides generic access to arbitrary environment-variable names with no stated business justification, no scoping, and no guardrails. In a skill environment, this creates a capability to read secrets on demand, which becomes especially risky if combined elsewhere with logging, prompts, or network transmission.

Context-Inappropriate Capability

Severity: Medium, confidence 97%
Finding
The code comments explicitly state that configuration is initialized via an indirection to 'bypass' a scanner, which is a strong indicator of deliberate security-tool evasion rather than an accidental implementation detail. Even though the immediate behavior only reads an environment variable, embedding scanner-evasion logic undermines trust in the component and can conceal riskier behavior from review pipelines.

Intent-Code Divergence

Severity: High, confidence 99%
Finding
The comments explicitly describe obfuscating environment variable access to bypass a security scanner, which is a strong indicator of deliberate evasion rather than normal implementation detail. Because environment variables commonly contain secrets, hiding this access pattern materially increases the risk that credential collection or exfiltration logic will evade review and detection.

Intent-Code Divergence

Severity: Medium, confidence 92%
Finding
The retriever injects a high-priority system-style memory preamble telling the model that `ep-recall`, `ep-save`, and `ep-expand` are its dedicated memory tools and that it should prefer them over any other memory tool. In this file, however, only recall and feedback behavior is implemented, so the injected claim can misrepresent tool availability/capability and steer model behavior based on inaccurate authority-bearing instructions.

Intent-Code Divergence

Severity: Medium, confidence 97%
Finding
The `consolidate` method is documented as a deprecated no-op compatibility shim, but it still sends a live `ai.consolidate` RPC and forwards the supplied `apiKey`. That mismatch can cause callers to pass secrets under the assumption nothing happens, leading to unintended secret transmission and invocation of sidecar functionality.

Missing User Warnings

Severity: Medium, confidence 90%
Finding
The README states that conversations are persistently stored locally and that text is sent to the Gemini Embedding API for semantic processing, but it does not provide a clear, prominent privacy warning about what data leaves the machine, how long it is retained, or what kinds of conversations should not be stored or transmitted. In an agent memory plugin, users may reasonably assume all memory operations are local unless remote processing is explicitly disclosed, so this omission can lead to unintentional exposure of sensitive conversation content.

Missing User Warnings

Severity: Medium, confidence 95%
Finding
The installation guidance says the Go sidecar will automatically use GEMINI_API_KEY, but does not clearly warn that enabling the plugin causes conversation-derived content to be sent to an external API under that credential. Automatic credential use without a clear disclosure increases the risk of users unknowingly authorizing external transmission of sensitive prompts or chat history.

Missing User Warnings

Severity: Medium, confidence 91%
Finding
The README advertises automatic conversation saving and prompt injection without an upfront, prominent notice that user chats are being retained and reused. In a memory plugin, silent retention and reinjection increase the chance of storing or resurfacing sensitive information users did not expect to persist.

Missing User Warnings

Severity: High, confidence 97%
Finding
The documentation explicitly states that chat text is sent to the Gemini API, but this external data transfer is not surfaced as a prominent privacy warning where users would see it before installation. Because the plugin handles conversational history, this can expose highly sensitive personal or business data to a third-party service without sufficiently explicit disclosure.

Missing User Warnings

Severity: Medium, confidence 88%
Finding
The install guidance says the Go sidecar automatically uses the existing GEMINI_API_KEY, but it does not prominently warn that the plugin depends on access to a sensitive credential. This can cause users to grant or assume broader credential access than intended, especially in agent-driven environments.

Missing User Warnings

Severity: Medium, confidence 95%
Finding
The README explicitly says the plugin silently stores all conversations locally and injects prior content into the system prompt before replies, but it does not present this as a clear privacy/data-handling warning or require explicit informed consent. This creates a real risk that users will expose sensitive past conversations to later prompts or other local actors without realizing the scope of retention and reuse.

Missing User Warnings

Severity: High, confidence 98%
Finding
The workflow states that user message content is sent to Gemini for embedding generation, but the documentation does not clearly warn that conversation text is transmitted to a third-party provider. That omission can cause unintentional disclosure of sensitive data to an external service, especially in environments where users assume processing is local.

Missing User Warnings

Severity: Medium, confidence 91%
Finding
The install section says the sidecar will automatically read GEMINI_API_KEY from the OpenClaw environment, but it does not clearly warn users that the plugin will consume that credential to make outbound API calls. Automatic credential use without prominent disclosure can surprise users and lead to unintended data transfer or billing exposure.

Missing User Warnings

Severity: Medium, confidence 87%
Finding
The code reads environment variables without any disclosure, warning, or transparency to users or reviewers. Because environment variables commonly store credentials, undisclosed access increases the likelihood of secret collection without informed consent or meaningful review.

Missing User Warnings

Severity: Medium, confidence 91%
Finding
This client sends both `params.systemPrompt` and `params.userMessage` to Google's Gemini API, which is an external third-party service, without any visible consent, disclosure, redaction, or policy enforcement in this code path. If upstream callers pass secrets, personal data, or sensitive internal instructions, that data will be transmitted off-system and could violate privacy, compliance, or data-handling expectations.

Missing User Warnings

Severity: Medium, confidence 86%
Finding
This code serializes conversation messages to local WAL files, and elsewhere also writes raw conversation logs, which can expose sensitive prompts, tool outputs, credentials, or personal data to disk. Because the data is stored in plaintext in the workspace without clear consent, minimization, encryption, or retention controls at the write sites, local compromise, backup leakage, or cross-user access could disclose highly sensitive session content.

Missing User Warnings

Severity: Medium, confidence 90%
Finding
The worker reads episode bodies and sends them to external LLM models through client.llmGenerate without any visible consent, disclosure, or data-minimization step in this code path. Because episode content may contain sensitive or personal information, this creates a real privacy and data-handling risk if users do not expect their stored content to be transmitted to third-party inference services.

Natural-Language Policy Violations

Severity: Medium, confidence 83%
Finding
The summarization prompt is hard-coded in Japanese, which forces output behavior for all content regardless of user preference or workspace language settings. This is primarily a product safety and reliability issue: it can cause mis-summarization, data corruption, or unusable output for non-Japanese content, especially since the worker later deletes the source file regardless of summarization success.

Natural-Language Policy Violations

Severity: Medium, confidence 86%
Finding
Guardrail validation is hard-coded to Japanese via checkGuardrailV2(text, "ja"), so non-Japanese summaries may be rejected or coerced into the wrong locale. In this worker's context that is more dangerous because deletion happens regardless of snapshot success, meaning locale mismatches can contribute to silent data loss or failed archival for non-Japanese episodes.

Missing User Warnings

Severity: Medium, confidence 87%
Finding
The fallback path writes potentially sensitive unprocessed conversation messages to disk in plaintext under `agentWs` before indexing them. In an agent-memory context, those messages may contain secrets, personal data, or proprietary prompts, so unexpected local persistence increases exposure through local users, backups, logs, or later file disclosure; the lack of any consent/visibility makes this more dangerous because users may assume the data remains transient or in the primary store only.

Missing User Warnings

Severity: Medium, confidence 85%
Finding
This function provides generic access to arbitrary environment variables without any disclosure, guardrails, or limitation on which keys may be read. In the context of explicit scanner-evasion comments, the lack of transparency makes secret access more dangerous because callers can retrieve credentials or tokens without clear review signals.

Missing User Warnings

Severity: Medium, confidence 94%
Finding
The plugin logs the full session file path during cold-start ingestion, which can reveal usernames, home-directory layouts, workspace locations, and other sensitive filesystem structure. In a memory plugin that processes chat/session history, these logs may be exposed to operators, centralized logging systems, or other plugins, increasing privacy and recon risk beyond ordinary debugging output.

VirusTotal

64/64 vendors flagged this plugin as clean.