Hermes Features for OpenClaw

Security checks across malware telemetry and agentic risk

Overview

The skill is openly about agent self-improvement and memory, but it grants broad automatic session review, persistent user-memory storage, and skill-changing behavior with weak user control and retention boundaries.

Install only if you intentionally want an agent that reviews prior sessions, writes persistent memory and profile files, archives overflow data, and can create or apply skills. Before use, require explicit approval for skill application and memory writes, define retention and deletion rules, exclude sensitive sessions or secrets, and verify that cron/heartbeat automation can be disabled or audited.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Missing User Warnings

Medium
Confidence: 86%
Finding
The README explicitly states that the system 'creates skills or memory entries automatically' based on reviewed sessions, but it does not mention any user notification, consent, approval boundary, or audit controls around those autonomous modifications. In a self-improving agent and persistent-memory context, automatic writes can silently store sensitive session content, encode unsafe behaviors into reusable skills, or alter future agent behavior without the operator realizing it.

Missing User Warnings

Medium
Confidence: 91%
Finding
The README describes automatic overflow archiving for core memory, user profile data, journals, and working buffers, but gives no privacy, retention, deletion, or access-control warning. This creates a real risk that sensitive or regulated data thought to be transient will instead be preserved indefinitely in archive locations, expanding the attack surface and complicating compliance and incident response.

Vague Triggers

Medium
Confidence: 91%
Finding
The skill states that it 'runs automatically' via a cron job and heartbeat integration, but it does not define clear trigger conditions, scope limits, or guardrails for when autonomous review, memory updates, and skill creation should occur. In an agent context, broad automatic activation increases the risk of unintended data processing, excessive writes, and autonomous behavior outside user expectations, especially because the skill also persists and archives session-derived information.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill describes automatic creation of memory entries, persistent storage, and overflow archival of user-related information without a clear warning, consent model, or retention explanation. This is dangerous because users may not realize that session content and profile data can be automatically written to long-lived files and archives, creating privacy, compliance, and data-minimization risks if sensitive information is captured or retained unexpectedly.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly allows pending skills to be applied automatically after 24 hours, which changes agent behavior without requiring contemporaneous, explicit user approval. In a self-modifying agent context, this can silently expand capabilities or embed flawed workflows, making later actions harder for the user to understand or control.

Missing User Warnings

Medium
Confidence: 91%
Finding
The heartbeat section directs the agent to review sessions and create skills or update MEMORY.md during ordinary interactions, but it does not require a visible warning or consent before persisting data or altering behavior. Because this occurs inline in the main session context, users may not realize that normal conversation can trigger durable state changes.

Ssd 3

Medium
Confidence: 88%
Finding
These instructions promote extracting and storing broad session-derived information, including user corrections, workflows, and discovered tools, into long-lived memory and journals. Even without explicit exfiltration, this semantic retention increases privacy risk because sensitive or contextual user information may be preserved beyond the original interaction and later resurfaced inappropriately.

Ssd 3

Medium
Confidence: 95%
Finding
The overflow design and 'never delete' retention model encourage indefinite preservation of user and memory details, including profile and project-specific information. Long-term archival increases the chance that sensitive data is retained unnecessarily, later retrieved out of context, or exposed through future prompts, tools, or compromised components.

VirusTotal

VirusTotal findings are pending for this skill version.
