OpenClaw Continuity

Security checks across malware telemetry and agentic risk

Overview

This is a real continuity skill, but it persists sensitive personal context and can schedule follow-ups with insufficient consent and scoping controls.

Install only if you want a persistent follow-up/memory layer and can configure it carefully. Before enabling, review where OPENCLAW_STATE_DIR points, disable or tightly gate proactive/heartbeat behavior, require confirmation for health/emotional tracking and settings changes, avoid optional embedding unless you trust the provider and plugin root, and do not expose the file-output or harness helpers to untrusted inputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill declares required binaries and environment variables, and its documented setup flow invokes shell commands and updates state/config files, but it does not expose a clear permission model for file read/write, env access, or shell execution. This creates a trust gap: a host may grant broader capabilities than users or operators expect, increasing the chance of unintended file modification or command execution through the skill.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The documented purpose presents the package as a bounded continuity/follow-up layer, but the detected behavior indicates substantially broader authority, including file-moving/trashing workflows, rule engines, recurring task automation, profile/settings rewrites, and semantic extensibility. That mismatch is dangerous because operators may approve or deploy the skill under a narrower mental model, while the actual implementation can affect files, agent behavior, and persistent user state far beyond simple follow-up tracking.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding: The file implements a generic recurring-task subsystem that can create reminder hooks independent of immediate user dialogue continuity. That expands the skill from continuity management into autonomous scheduling, increasing the chance of unwanted or policy-bypassing outbound actions if task definitions are injected or misconfigured.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding: The code scans assistant/model output for self-commitment phrases and turns them into future hooks automatically. This is dangerous because any generated wording like 'I'll check later' can silently create new follow-up obligations and outbound behavior without explicit user authorization, allowing prompt-induced self-triggering loops or hidden persistence.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding: The post-action rule engine matches arbitrary files and trigger types and returns configurable actions, which materially broadens the skill beyond stated continuity behavior. In a hostile or shared state environment, this creates a generic automation surface that can be repurposed to react to unrelated file events and chain into unintended workflows.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding: The behavioral-constraints subsystem is a generic policy engine that evaluates arbitrary action types and context keys. Even though framed as safety logic, it introduces a broad control plane that can be manipulated through external constraint data to alter runtime behavior in ways unrelated to continuity, increasing hidden policy complexity and attack surface.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding: The code loads external embedding configuration, resolves API keys from environment/config, and invokes a Node helper to process text for intent classification. This creates a sensitive trust boundary: compromised config or plugin roots could expose secrets or route data to attacker-controlled code/endpoints, while user text is sent through an external embedding path without strong local isolation.

Vague Triggers

Medium
Confidence: 79%
Finding: The trigger phrases include common natural-language expressions such as schedule changes, quiet hours, timezone changes, and life events like moving or changing jobs. Because these can appear in ordinary conversation, the skill may incorrectly enter configuration/update flows or rewrite persistent settings based on ambiguous text, causing unauthorized or surprising state changes.

Missing User Warnings

Medium
Confidence: 88%
Finding: The document explicitly instructs operators to preserve continuity facts and write structured continuity state into staging, tracked follow-up, and daily-memory paths, but it does not pair this with operator guidance to obtain informed user consent, disclose retention, or define deletion/visibility controls. In a memory-oriented follow-up skill, silent persistence of conversational state can expose sensitive behavioral, health, schedule, or emotional context beyond user expectations, increasing privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 91%
Finding: This section describes dispatch behavior, proactive timing, and heartbeat-driven background delivery, including isolated background sessions, but does not require a prominent warning that the system may send unsolicited follow-up messages. In this skill context, that is especially sensitive because the package is explicitly designed for continuity, watchful states, and follow-up lifecycle management, so background contact can surprise users, reveal private context on shared devices, or create trust and safety issues if not opt-in and clearly disclosed.

Missing User Warnings

Medium
Confidence: 93%
Finding: The document explicitly describes proactive follow-up behavior driven by routine schedule data, including wake windows and active-day messaging, but does not pair that capability with clear user-consent, notice, or opt-in guidance. In a continuity/follow-up skill, this increases the chance that operators deploy unsolicited outreach based on inferred or configured personal routine data, creating privacy, trust, and policy-compliance risk.

Missing User Warnings

Medium
Confidence: 94%
Finding: The design explicitly stores and carries forward sensitive conversational context, including health and emotional events, across sessions. Without documented consent, retention limits, visibility controls, or user-facing disclosure, this creates a real privacy and data-governance risk because highly sensitive data can persist and be reused in ways the user may not expect.

Missing User Warnings

High
Confidence: 98%
Finding: The architecture allows silent automatic creation of health and emotional events by the system, including sensitive inferred states, without notifying the user at creation time. In this skill's context, that is especially risky because the whole feature is designed for longitudinal continuity and follow-up, so undisclosed sensitive profiling can directly affect future agent behavior and persistent records.

Missing User Warnings

Medium
Confidence: 96%
Finding: The wrapper automatically writes event lifecycle traces to daily memory files whenever events are created, confirmed, completed, or cancelled, but there is no user-facing disclosure or consent gate in this path. Because the stored data can include sensitive titles and user-derived summaries, this creates undisclosed persistent retention of conversation-derived information on disk.

Missing User Warnings

Medium
Confidence: 96%
Finding: The script unconditionally moves the specified file and then immediately sends it to the trash without any confirmation, dry-run, or policy check. In an agent context, this can cause unintended data loss, hide outputs from normal workflows, or be abused to disrupt user files if the source path is attacker-influenced.

Missing User Warnings

Medium
Confidence: 97%
Finding: The harness dynamically imports and executes Python from SCRIPT_PATH, which is sourced from an environment variable. That creates an arbitrary code execution sink controlled by whoever can set the process environment or influence launch configuration, and import-time code runs immediately with the harness's privileges.

Missing User Warnings

Medium
Confidence: 94%
Finding: The subprocess call executes Node with embedded code and a configurable plugin root, effectively running external code in-process relative to skill operation. If the plugin root or referenced modules are tampered with, this becomes an arbitrary code execution path with access to supplied config, including embedding credentials and user-derived text.

Ssd 3

Medium
Confidence: 97%
Finding: The context-building functions reinject stored titles, causes, follow-up text, and suggestion details back into future prompts in plain natural language. This creates a durable data-retention and prompt-exposure channel where past user disclosures may be surfaced in later sessions or contexts beyond the original conversational moment, increasing privacy leakage risk.

Ssd 3

Medium
Confidence: 98%
Finding: Automatic detection promotes raw user utterances into persistent `cause_summary` fields and can auto-create events for sensitive health and emotional disclosures without explicit confirmation. Combined with lifecycle memory tracing, this results in long-term storage of intimate user content and materially increases the privacy impact compared with ordinary transient processing.

VirusTotal

66/66 vendors flagged this skill as clean.