hawk-memory-v2

Security checks across malware telemetry and agentic risk

Overview

This is a real memory tool, but it stores and can import sensitive agent data with too little user control or install-time disclosure.

Review before installing on machines with confidential work, credentials, personal data, or shared users. Treat ~/.hawk and any imported ~/.openclaw/memory content as persistent sensitive storage, avoid running the installer’s auto-import path unless you intend to migrate those memories, and only configure external providers or custom base URLs that you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (48)

Tainted flow: 'req' from os.environ.get (line 323, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
                "Content-Type": "application/json",
            }
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            result = json.loads(resp.read())
            content = result["choices"][0]["message"]["content"]
            return parse_and_validate(content)
Confidence
83% confidence
Finding
with urllib.request.urlopen(req, timeout=30) as resp:

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The code claims to perform incremental imports, but it unconditionally drops and recreates the entire LanceDB table before inserting new chunks. This destroys previously indexed data and can cause data loss or integrity issues if only a subset of files is re-imported, making the importer behavior unsafe and misleading.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The scan logic skips files only when the exact string '<!-- hawk:imported -->' is present, but the writer appends '<!-- hawk:imported YYYY-MM-DD -->'. As a result, imported files are never recognized as imported, causing repeated reprocessing, duplicate outbound data transfer, and inconsistent state.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The installer automatically reads and imports data from $HOME/.openclaw/memory, which appears to belong to a different product, without establishing necessity, ownership, or user consent. This creates a cross-application data ingestion path that can expose private user data, surprise the user during installation, and import untrusted content into the new tool's memory store.

Intent-Code Divergence

Low
Confidence
90% confidence
Finding
The comment frames this as importing 'existing memory if any,' but the implementation specifically targets another product's directory, which is misleading and obscures the true behavior of the installer. That mismatch increases the risk of undisclosed data migration and reduces the user's ability to make an informed decision about privacy-sensitive behavior.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly says the agent will silently apply remembered user communication preferences from prior sessions, but it does not provide a clear notice, consent flow, retention policy, or guidance about what kinds of user data may be stored. Silent cross-session persistence can expose sensitive behavioral data and surprise users who reasonably expect a fresh session boundary.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The task-state feature persists active work, outputs, constraints, and progress across restarts and session changes, but the documentation does not prominently warn that potentially sensitive work artifacts will be written to local storage. This creates risk of unintended retention of confidential project details, especially in shared environments or when users assume transient operation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README promotes persistent memory across sessions that 'automatically captures what matters' without any visible warning about retention, scope, duration, storage location, or the handling of sensitive data. In a contextual-memory skill this is especially risky because it can lead to storing preferences, conversational content, and task state without informed consent or clear privacy controls.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation states that the system 'silently' applies user preferences from previous sessions, which implies hidden reuse of personal or behavioral data without transparency or user confirmation. In this context the risk is higher because the skill's very purpose is to remember and re-inject context, which can surprise the user, expose prior information, and normalize unannounced tracking.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README promotes automatic persistence of user preferences and task state across sessions, but does not clearly warn that this data will be stored locally or what types of sensitive information may be retained. In a memory system for an AI agent, this increases the risk of unintentionally keeping personal data, secrets, or sensitive information on disk, especially if the user assumes ephemeral behavior.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README promotes automatic cross-session memory and preference retention, but it does not clearly warn users that potentially sensitive conversational data may be stored persistently. This can lead to unintentional retention of personal, confidential, or regulated information, especially in an agent skill explicitly designed to capture and recall user context over time.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The task-state persistence section shows concrete examples of writing work descriptions, progress, outputs, and constraints to local JSONL files, but it does not explicitly warn that user work details are being stored on disk. In practice, this may expose sensitive project data, filenames, internal constraints, or business context to other local users, backups, or endpoint compromise.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The structured-memory example includes a field for storing the full original content, yet the documentation does not warn that complete user inputs or derived summaries may be retained long term. Because this skill is specifically a memory system, retaining full content increases the chance that secrets, personal data, or proprietary information will be captured and later surfaced unexpectedly.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README promotes persistent memory across sessions, including preferences and task state, but does not clearly warn users that potentially sensitive data will be retained locally. In a memory-management skill, silent persistence materially increases privacy risk because users may disclose secrets assuming normal session ephemerality.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README promotes automatic memory capture and cross-session persistence but does not clearly warn users that conversation and task data may be stored locally on disk. In a memory-management skill, this omission is security-relevant because users may unknowingly persist sensitive prompts, preferences, documents, or operational details that could later be exposed to other local users, backups, or malware.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The task-state example shows operational details being written to `memory/.hawk/task_state.jsonl`, including task descriptions, outputs, constraints, and progress, but provides no warning that sensitive project information will be persisted to disk. This is dangerous because task metadata often contains confidential business context, filenames, deliverables, or internal requirements that may remain recoverable after the session ends.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The structured memory section explicitly includes storage of `content: '완전한 원본 콘텐츠'` and summaries, indicating that full conversation or document contents may be retained, yet the README omits a clear user-facing warning about this sensitive retention. In the context of an AI memory skill, this increases risk because secrets, personal data, credentials, proprietary text, or regulated content could be captured verbatim and persist beyond the active session.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly advertises silently applying remembered user communication preferences across sessions, which implies persistent profiling and reuse of prior user data without a clear notice, consent flow, retention policy, or sensitivity warning. In a memory-management skill, this increases the risk that personal preferences or sensitive behavioral data are stored and replayed unexpectedly, creating privacy and compliance issues even if the persistence is local.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README promotes automatic capture of context and long-lived storage 'across sessions, across topics, across time' without a corresponding warning that this may collect sensitive prompts, documents, preferences, or secrets into persistent local storage. Because the skill's core purpose is broad memory retention, the surrounding context makes this more dangerous: users may reasonably assume conversational context is ephemeral while the tool is designed to preserve it.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README promotes automatic long-term storage of conversation, preference, and task data across sessions, but it does not clearly warn users that potentially sensitive prompts, outputs, and behavioral preferences will be written to local JSONL files. This creates a privacy and data-handling risk because users may enable the skill without understanding that personal, proprietary, or security-relevant information will persist on disk and remain accessible after the session ends.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The quick-start sequence tells users to install, initialize, and begin using persistent memory commands immediately, but it does not disclose that local state files will be created and continuously updated as the agent operates. Because the feature is auto-triggered and session-persistent, users may unknowingly retain sensitive data on disk, increasing the chance of accidental disclosure on shared machines, developer workstations, or synced directories.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly promotes persistent storage of task state and memory across sessions in local JSONL files, but it does not present a clear privacy warning, consent model, retention limit, or guidance on handling sensitive data. Because this skill is specifically designed to capture and reuse conversational context, users may unknowingly persist secrets, personal data, or regulated content on disk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly promotes cross-session persistence of agent memory and task state, but it does not warn users that conversations, preferences, constraints, and other possibly sensitive data may be written to local disk. In an agent-memory skill, that omission materially increases privacy risk because operators may enable it assuming it is transient, leading to unintended retention or later disclosure of sensitive information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The examples show concrete persisted fields such as task descriptions, outputs, constraints, and even '完整原始内容' stored in JSONL, yet no warning is provided about privacy, data minimization, or retention. Because this skill is specifically designed to capture and retain agent context, the missing guidance makes accidental storage of secrets, personal data, or confidential project details more likely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation promotes automatic recall and automatic capture of conversation content into memory without any explicit consent, privacy notice, or data retention warning. In an agent context, this can cause users or developers to unknowingly persist sensitive prompts, personal data, credentials, or business information across sessions and potentially feed that data back into later model interactions.

VirusTotal

66/66 vendors flagged this skill as clean.