Cognitive Topology

Security checks across malware telemetry and agentic risk

Overview

This skill does useful parallel task splitting, but it also automatically stores task text and branch conclusions in long-term local memory without a clear opt-in.

Install only if you are comfortable with subagents writing local workspace files and with integrations being saved into long-term local memory. Avoid using it on secrets, personal data, private business material, or regulated content unless you first disable or gate ct_archive.py, add redaction, and confirm the /root/.openclaw paths are the intended workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs use of file reads, file writes, and shell commands but declares no permissions, creating a capability/transparency gap. This is dangerous because reviewers and users cannot accurately assess what the skill can access or modify, and shell/file operations increase the risk of unintended data exposure or filesystem changes.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script persists branch conclusions into global long-term memory files under /root/.openclaw/workspace, which is broader than the skill's stated role of splitting tasks, collecting branch outputs, and integrating results. Because branch conclusions and task text may contain sensitive user data, this creates durable cross-session retention without clear necessity, consent, or scope limitation.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The implementation goes beyond the described topology workflow by copying task and branch-derived content into separate persistent stores. That scope expansion matters because it silently turns transient reasoning artifacts into durable memory, increasing privacy risk and enabling unintended reuse of prior user content.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The script silently performs long-term archival after integration, which exceeds the narrowly described role of producing a synthesis. In an agent setting, automatic persistence of aggregated branch outputs can store sensitive user/task data beyond the user's expectation, increasing privacy and data-retention risk.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
Launching a second script to perform archival adds hidden capability beyond integration and creates an additional execution path that inherits untrusted topology-derived input. While not shell-injectable here, this expands the attack surface and makes it easier for downstream code in ct_archive.py to mishandle data from attacker-controlled files.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation criteria are broad terms like 'complex', 'multi-angle', and user phrases such as 'branch analysis' or 'multithread', which can trigger the skill in many ordinary contexts. This can cause unnecessary spawning of subagents and persistent file operations on tasks that did not warrant decomposition, increasing risk of excess data propagation and unintended side effects.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill tells branches to write conclusions to persistent local files under ~/.openclaw/workspace/cognitive-topology/branches without a clear user-facing warning. This is risky because user data, analysis content, or sensitive task material may be stored on disk beyond the immediate interaction, creating retention and privacy concerns.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide explicitly instructs branch agents to write output under /root/.openclaw/workspace and to execute helper scripts afterward, which normalizes filesystem modification in a privileged-looking path without any user-consent, sandbox, or path-safety guidance. In an agent skill that spawns parallel sessions and aggregates their outputs, this increases risk because multiple sub-agents may autonomously create or overwrite files, making unintended state changes and abuse of trusted workspace locations more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script appends to MEMORY.md automatically once branch summaries exist, with no prompt, dry-run mode, or confirmation step. Silent modification of persistent memory is dangerous because users may not realize their task content and conclusions are being stored permanently, making accidental disclosure and policy violations more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script creates and appends daily snapshot files automatically, further widening the persistence surface beyond a single memory file. This increases the chance of sensitive data proliferation, backup exposure, and retention beyond what users expect from a topology orchestration skill.

Ssd 3

Medium
Confidence
91% confidence
Finding
The script is explicitly designed to archive task and branch conclusion content into long-term plain-text memory files. In this skill context, branch outputs may include sensitive prompts, analysis, proprietary data, or personal information, so storing them in readable persistent files materially raises confidentiality and retention risk.

Ssd 3

Medium
Confidence
94% confidence
Finding
The code writes the full task text and summarized branch conclusions into MEMORY.md and later into daily logs without any sensitivity screening. Even if intended for convenience, this can leak secrets, personal data, or confidential work products into durable shared storage that may be accessed by other tools or future sessions.
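
The overview recommends gating ct_archive.py, adding redaction, and confirming the workspace path before trusting the archival step; the two findings above (silent MEMORY.md append with no dry run, and no sensitivity screening) describe what goes wrong without that. The following gate is an added example written for this page; it is not code from the Cognitive Topology skill or from ct_archive.py. The names `archive_entry`, `redact`, `inside_workspace`, `WORKSPACE_ROOT`, the `CT_WORKSPACE` environment variable and the secret patterns are all assumptions made for the example. It refuses to write unless the caller opts in and turns off dry run, strips obvious credentials and addresses first, and only writes to a file that resolves (symlinks included) under the intended workspace root.

```python
"""Opt-in, redacting gate for long-term memory archival.

Added example for this scan page, not part of the Cognitive Topology skill
or ct_archive.py. Every name below is an assumption made for the example.
"""
import os
import re
from pathlib import Path

# Assumed workspace root; the scan reports /root/.openclaw/workspace.
WORKSPACE_ROOT = Path(os.environ.get("CT_WORKSPACE", "/root/.openclaw/workspace"))

# Constructed patterns for material that must never reach MEMORY.md.
# A real deployment would tune these to its own credential formats.
SECRET_PATTERNS = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]+=*")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("generic_secret", re.compile(r"(?i)\b(api[_-]?key|secret|password|token)\s*[:=]\s*\S+")),
]


def redact(text: str) -> tuple[str, list[str]]:
    """Replace matches with a labelled placeholder and report which classes hit."""
    hits = []
    for name, pattern in SECRET_PATTERNS:
        if pattern.search(text):
            hits.append(name)
            text = pattern.sub(f"[REDACTED:{name}]", text)
    return text, hits


def inside_workspace(target, root=WORKSPACE_ROOT) -> bool:
    """True only if target resolves (following symlinks) to a path under root."""
    try:
        Path(target).resolve().relative_to(Path(root).resolve())
        return True
    except ValueError:
        return False


def archive_entry(task: str, conclusion: str, memory_file,
                  opt_in: bool = False, dry_run: bool = True,
                  root=WORKSPACE_ROOT) -> dict:
    """Gate the MEMORY.md append that the scan found to be silent and unscreened.

    Returns a report rather than raising so an orchestrator can log the decision.
    Nothing touches disk unless opt_in is True, dry_run is False, and
    memory_file lies inside the workspace root.
    """
    memory_file = Path(memory_file)
    clean_task, task_hits = redact(task)
    clean_conclusion, conclusion_hits = redact(conclusion)
    entry = f"## Task\n{clean_task}\n\n## Conclusion\n{clean_conclusion}\n\n"
    report = {
        "redacted": sorted(set(task_hits + conclusion_hits)),
        "in_workspace": inside_workspace(memory_file, root),
        "entry": entry,
        "written": False,
    }
    if not opt_in or dry_run or not report["in_workspace"]:
        return report  # refuse the silent-persistence behaviour by default
    memory_file.parent.mkdir(parents=True, exist_ok=True)
    with memory_file.open("a", encoding="utf-8") as fh:
        fh.write(entry)
    report["written"] = True
    return report


if __name__ == "__main__":
    # Constructed sample branch output that leaks a credential and an address.
    sample_task = "Audit the deploy pipeline for customer alice@example.com"
    sample_conclusion = "Found hardcoded AWS_KEY=AKIAABCDEFGHIJKLMNOP in ci.yml; rotate it."
    # Dry run by default: shows the redacted entry and writes nothing.
    print(archive_entry(sample_task, sample_conclusion, WORKSPACE_ROOT / "MEMORY.md"))
```

Run it once in the default dry-run mode and inspect `report["entry"]` and `report["redacted"]` before wiring `opt_in=True, dry_run=False` into the orchestration step; the workspace check is what stops a branch-supplied or symlinked path from landing the entry outside the directory the user agreed to.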

VirusTotal

65/65 vendors flagged this skill as clean.