Proactive Memory Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about being a local memory system, but it broadly persists conversation details and can overwrite active memory files without strong user controls.

Install only if you intentionally want persistent local memory of conversations, decisions, preferences, and working context. Back up existing SESSION-STATE.md, memory/, and .learnings/ before running init.sh or tiering.sh, and avoid using it with secrets or confidential data unless you add redaction, retention, deletion, and explicit confirmation controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill makes strong guarantees such as 'zero information loss,' 'write first, respond second,' and strict budgeting, while the described implementation reportedly truncates buffers, resets session state, and only partially implements the claimed model. This can create unsafe operator trust: users may rely on the skill to preserve critical context or decisions when in fact data may be discarded or inconsistently persisted.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This script does more than tier or organize memory: when completed tasks are detected, it overwrites the active SESSION-STATE.md with a template, which destroys the current working context in place. In an agent-memory skill, modifying core state files automatically is risky because a false match or unexpected invocation can erase active task context and disrupt agent behavior, even if a copy is archived first.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script archives working-buffer.md and then replaces it with a minimal inactive template, which is a destructive state change rather than simple tier reorganization. Because the working buffer may contain unresolved reasoning, notes, or operational context, automatic clearing can cause loss of continuity and unexpected agent failures if triggered at the wrong time.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The skill advertises 'zero information loss,' but this code replaces active memory content with placeholders after archiving, so the live operational context is lost even if historical data remains elsewhere. In the context of a memory-management skill, this mismatch is dangerous because users or agents may trust it as non-destructive and invoke it in situations where preserving immediate context is essential.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
Resetting the working buffer to an inactive template contradicts the promise of zero information loss because it removes live content from the active path and may break workflows expecting the buffer to persist. This is especially risky in an agent skill centered on memory optimization, where misleading safety claims increase the chance of unsafe adoption and unreviewed automation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs the system to automatically log every exchange after a threshold and to write user details into multiple memory files, but provides no consent, notice, retention limit, or redaction guidance. This is dangerous because sensitive prompts, identifiers, secrets, or regulated data may be stored persistently without user awareness and later exposed through other tools or sessions.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The script prints matching lines from memory files directly to stdout as search previews, which can expose stored session data, user content, or other sensitive memory entries to anyone invoking the command or to logs capturing terminal output. In a memory-management skill, this is especially relevant because the searched files are explicitly intended to contain accumulated context and learnings, increasing the likelihood of sensitive data disclosure.

Ssd 3

Medium
Confidence
97% confidence
Finding
The WAL and working-buffer instructions explicitly require persistent capture of corrections, preferences, proper nouns, decisions, specific values, and then every exchange in the danger zone. In the context of an AI agent, those categories can easily include secrets, internal identifiers, personal data, and business-sensitive decisions, turning normal conversation into an unbounded retention surface.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill promotes aggressive long-term archival and permanent promotion of recurring patterns into WARM/COLD memory and reference files. This increases the blast radius of any sensitive data mistakenly captured earlier, because it survives beyond the session and may be reused or surfaced in unrelated future tasks.

Ssd 3

Medium
Confidence
94% confidence
Finding
The working-buffer template explicitly says it logs every exchange once context exceeds 60%, which encourages persistent capture of full conversational content. In a memory-management skill, this is more dangerous because the feature is designed to retain context over time, increasing the chance that secrets, personal data, tokens, or proprietary content are written to disk and later exposed.

Ssd 3

Medium
Confidence
96% confidence
Finding
The learning/error/feature templates direct operators to store full context, parameters used, and user context in persistent markdown files. That creates a durable data-retention surface for sensitive inputs and operational details, which is especially risky in a skill whose purpose is long-lived memory and context preservation.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Run memory tiering
~/.openclaw/workspace/skills/proactive-memory-agent/scripts/tiering.sh

# Create pre-compaction checkpoint
~/.openclaw/workspace/skills/proactive-memory-agent/scripts/checkpoint.sh
```
Confidence
86% confidence
Finding
Create pre-compaction checkpoint ~/.openclaw

VirusTotal

65/65 vendors flagged this skill as clean.
