Security audit

Membox Cloud Sync

Security checks across malware telemetry and agentic risk

Overview

Membox Cloud Sync is a coherent instruction-only skill for encrypted OpenClaw memory backup, sync, pairing, and restore, with sensitive actions disclosed and bounded by user/session checks.

Install only if you trust Membox and the @membox-cloud/membox plugin. Do not paste passphrases, recovery codes, recovery bundles, or plaintext memory into chat; keep secret files local with strict permissions; review any scheduled sync before enabling it; and verify the service endpoint if you use self-hosting.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The skill enables implicit invocation with no trigger constraints, so the agent may auto-activate this skill in contexts where the user did not clearly request cloud sync or memory restoration. Because the skill operates on sensitive memory data and explicitly handles installation, pairing, sync, and restore workflows, unintended invocation could expose users to unnecessary security-sensitive actions or confusing prompts around secret material.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal