claw-memory-manager

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed OpenClaw memory configuration helper with real operational and privacy implications, but no evidence of hidden, destructive, or exfiltrating behavior.

Use --dry-run first, especially on shared or production OpenClaw deployments. Enabling Active Memory may surface prior stored memories in future direct chats, so review memory contents and prefer the conservative preset for sensitive work. Expect persistent config changes and a gateway restart unless you pass --no-restart.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Medium
Confidence: 87%
Finding
The README explicitly states that Active Memory injects relevant memories into the model context before every turn, but it does not clearly warn users about the privacy and data-minimization implications of doing so. In a memory-management skill, this omission matters because prior sensitive content may be surfaced to later prompts or downstream model operations without the user appreciating the scope of exposure.

Missing User Warnings

Medium
Confidence: 83%
Finding
The README describes automatic writes, promotion into MEMORY.md, config synchronization, and automatic gateway restart as convenience features, but does not present them as prominent operational warnings. Because this skill changes persistent configuration and may trigger service restarts, users could unintentionally cause configuration drift, persistence of sensitive data, or production disruption if they run commands without understanding the side effects.

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger phrases are broad administrative language such as 'configure agent memory' and 'enable active memory', which can match routine support or ops requests and cause this skill to activate in contexts where the user did not intend config mutation. Because the skill performs writes and may restart the gateway automatically, accidental activation has meaningful operational impact beyond a harmless read-only action.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation states that the skill automatically writes configuration to runtime and mirrored paths and restarts the gateway by default, but it does not give a prominent warning about service disruption, persistence changes, or the fact that K8s mirror paths may be modified. In an operational skill that directly manages agent configuration, this can lead users or higher-level agents to trigger state-changing actions and restarts without informed consent, causing outages or unintended config persistence.

Missing User Warnings

Medium
Confidence: 95%
Finding
The Active Memory section explains that retrieved memories are injected into every direct-chat context, but it lacks a clear privacy and data-handling warning about possible exposure of prior sensitive content, cross-task leakage, or over-broad recall when aggressive presets are used. In this skill context, that omission is more dangerous because the feature is specifically designed to alter model context automatically on every turn, which can amplify accidental disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.
