ChronoSync

Security checks across malware telemetry and agentic risk

Overview

ChronoSync is local and mostly purpose-aligned, but it broadly copies all OpenClaw chat history into persistent shared memory with weak controls, so users should review it carefully before installing.

Install only if you intentionally want OpenClaw sessions to share chat history through local plaintext memory files. Avoid using it with sensitive work unless you are comfortable with all sessions being scanned, derived decisions/todos being stored, and a cron job continuing in the background. Review the generated files under ~/.openclaw/workspace/memory/sync/, keep only trusted plugin files, and remove the cron entry when you no longer want automatic syncing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documentation describes environment-variable usage plus file reads and writes, but no explicit permissions model or warning is declared. For a skill that aggregates chat history across sessions, undeclared filesystem and environment access reduces transparency and can lead users to authorize broader data handling than they realize.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The stated purpose is session-history sync, but the documented behavior also includes extracting decisions, technical knowledge, and todos into additional persisted artifacts. This broadens processing of sensitive chat content beyond simple backup/sync and increases privacy exposure, especially because derived data may surface information users did not expect to be normalized and shared across sessions.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The security section claims the skill only accesses the sessions directory, but elsewhere the document states it writes shared outputs and loads plugins. This inconsistency can mislead users and reviewers about the actual trust boundary, and plugin loading further increases the effective attack surface because plugin code may perform additional reads/writes.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill dynamically imports and executes every Python file in a plugins directory via exec_module, giving arbitrary code execution to any plugin dropped there. That is materially broader than the stated purpose of synchronizing chat history, and it also hands full conversation data to plugin hooks, which makes data theft or local compromise straightforward if a malicious or tampered plugin is present.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The design explicitly emphasizes silent background synchronization of chat history every 30 minutes, but provides no notice, consent flow, retention policy, or sensitivity boundaries. Because chat histories often contain secrets, personal data, and proprietary information, silent collection and persistence materially increases privacy and data leakage risk even if the feature is intended for convenience.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The examples show full conversation content being written to JSON and Markdown outputs, which creates durable plaintext copies of potentially sensitive user and model messages. Storing complete transcripts in human-readable and machine-readable files expands the attack surface for local compromise, accidental sharing, indexing, backup propagation, and cross-session overexposure of secrets.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The plugin design describes automatic extraction of decisions, notes, and task items from conversations without warning users that inferred or derived data will be created and retained. Inferred records can reveal sensitive intent, plans, priorities, or business context not obvious from isolated messages, increasing privacy risk and the chance of incorrect or overbroad profiling across sessions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The description promotes cross-session sharing but does not prominently warn that it creates consolidated files containing chat history and extracted knowledge/todos. In this context, the skill is specifically handling potentially sensitive conversational data, so insufficient disclosure materially increases the chance of accidental privacy leakage across sessions, users, or local processes.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The plugin writes extracted user and assistant message content to persistent local markdown files without any visible consent, notice, or retention controls. In a session-sync context, chats often contain sensitive prompts, secrets, code, or personal data, so silently persisting them creates a privacy and local data-exposure risk if the host is shared, backed up, or later accessed by other tools.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The plugin automatically extracts user-stated tasks from chat content and persistently stores them on disk across sessions in a predictable location, without any visible consent, disclosure, retention control, or minimization. Because task text can contain sensitive personal, health, financial, or work information, local persistence increases privacy risk and broadens the exposure surface if the host account, workspace, backups, or synced files are accessed by others.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code persistently writes session contents into shared JSON and Markdown files without any visible consent, notice, retention controls, or access restrictions. Even with partial regex-based masking, sensitive chat content can still be copied into broader memory stores, increasing exposure to local users, backups, other tools, or future components that read those files.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill enumerates and reads all session files from the OpenClaw state directory, effectively harvesting conversation history across sessions without any in-code permission gate or user-facing disclosure. In the context of a cross-session memory tool, this behavior is expected functionally, but it is also precisely why the privacy risk is real: it centralizes potentially sensitive conversations into a new processing pipeline.

Ssd 3

Medium
Confidence
98% confidence
Finding
The plugin broadly classifies messages as decisions or technical notes using loose regexes and code-block detection, then stores raw content persistently. Because this captures natural-language conversation from both user and assistant, it creates a durable leakage path for credentials, internal architecture details, personal data, and other sensitive material that may later be read by local users, backup systems, indexing tools, or future sessions.

Ssd 3

High
Confidence
98% confidence
Finding
This skill copies conversation contents into persistent shared stores and forwards all parsed messages to plugins, creating a broad natural-language exfiltration channel for sensitive information. The built-in sanitization is weak and pattern-based, so secrets, personal data, internal prompts, and proprietary content can still be retained locally or exposed to plugin code, making the skill context especially dangerous because it processes cross-session memory at scale.

VirusTotal

66/66 vendors flagged this skill as clean.
