Openclaw Memory Max

Security checks across malware telemetry and agentic risk

Overview

This memory skill is mostly purpose-aligned, but it needs review because it automatically persists and re-injects conversation-derived data with some disclosure and control gaps.

Install only if you are comfortable with a plugin that keeps local long-term memory and can inject remembered content into later agent context. Keep auto-capture and rule pinning disabled unless you explicitly want them, restrict write access to the OpenClaw memory directory, and periodically review or delete sidecar files such as episodes.jsonl, causal_graph.json, utility_scores.json, auto_captured.jsonl, and consolidation_context.md.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (35)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared description frames the skill as a memory enhancement suite, but the body also describes behavior-changing prompt injection via YAML rule pinning, persistent capture of user content, utility-score mutation, and system-context injection. That mismatch is dangerous because operators may enable or trust the skill for retrieval benefits without realizing it can alter agent behavior and persist sensitive data across sessions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The hook persists behavioral metadata and user-derived content to disk at session end, including tool usage, extracted decision text, and the last user message. In a memory skill this may be functionally related, but the collection is broad, silent, and stored persistently in plaintext, creating a privacy and surveillance risk if the host or memory directory is accessed by other code, users, or backups.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The hook takes retrieved memories and graph-derived content and injects them directly into the agent's system context, which elevates stored untrusted data into a higher-trust instruction channel. Because recalled memory text may contain prior user-provided instructions or adversarial content, this creates a prompt-injection and behavior-manipulation risk beyond simple retrieval.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The file exposes tools that can persistently modify memory utility scores, but this mutation capability is not reflected in the higher-level skill description. Hidden state-changing operations are dangerous in agent environments because other components or users may invoke what appears to be a retrieval skill without realizing it can alter stored ranking data, enabling silent integrity drift or manipulation of future recall behavior.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly describes automatic capture of user messages, rules, corrections, preferences, session summaries, tools used, and key decisions, but does not present a prominent privacy warning, consent model, or clear retention notice alongside those features. In a memory plugin, this creates a real privacy and compliance risk because sensitive natural-language content may be stored persistently without users or operators fully understanding what is retained.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill describes automatic capture of high-value user messages, session logging, and maintenance/pruning behavior without a prominent privacy warning at the point those capabilities are introduced. Users may disclose secrets or sensitive business data without realizing it can be retained and reused later, increasing privacy and compliance risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Session content is written to persistent local storage without any visible disclosure, consent, or runtime warning. In this skill context, which advertises advanced memory features, some retention is expected, but silently persisting user content and session metadata still increases privacy risk and can capture secrets users did not expect to be stored long-term.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code persists causal-memory records to a local JSON file under OPENCLAW_HOME/HOME without any consent flow, disclosure, retention notice, or data minimization. Because the stored fields include free-form cause/action/effect text and queryable summaries, the skill can silently retain sensitive user or agent activity across sessions, increasing privacy and data leakage risk if the host is shared, backed up, or later accessed by other components.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Auto-capture stores selected user messages to disk without any explicit notice, consent, or confirmation at capture time. This can silently retain sensitive user preferences, rules, or personal data and expands privacy exposure if the host, filesystem, backups, or other local processes are compromised.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Auto-recall silently modifies the system context with retrieved memories and graph output, changing model behavior without clear disclosure to the user or operator. Hidden prompt augmentation reduces transparency and can cause unsafe or unexpected actions if recalled content is inaccurate, sensitive, or adversarially crafted.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The plugin exposes automatic memory recall by default and supports automatic capture, but this file provides no consent gate, notice, or scoping safeguards around what may be stored or re-injected into future context. In a memory-oriented agent skill, silent persistence and recall can leak sensitive prompts, secrets, or prior-session data across tasks, making the context especially high risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The search tools return raw memory snippets and metadata from stored records without any visible access-control checks, consent flow, or disclosure warning. In a memory skill, retrieved content may contain sensitive prior conversation data, secrets, or personal information, so broad snippet exposure materially increases confidentiality risk if the tool is called in the wrong context or by an over-permissioned agent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The reward and penalize tools change persistent memory scores with no visible warning, confirmation, or safeguard around state modification. In this context, silent writes can be abused to poison retrieval quality over time, bias future memory selection, or degrade system behavior without operators realizing persistent data has been altered.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The tool reads auto-captured memory entries from disk and returns previews of recent captured content to the caller without any explicit permission check, redaction, or user disclosure. Because this skill is a memory system, the captured file is likely to contain sensitive user data, and exposing even truncated previews can leak private information into model context or tool outputs unexpectedly.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code persists episode records to disk automatically in a user home directory without any consent, notice, or data-minimization controls. In a memory skill, those records can contain behavioral metadata and later-added summaries/decisions, creating a privacy and retention risk if the host is multi-user, backed up, or later compromised.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The truncation routine silently rewrites the memory file and deletes older or malformed entries without user awareness. While primarily a data-governance issue rather than code-execution risk, silent deletion of persisted memory can surprise users and complicate auditability or incident review.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code persistently writes the causal memory graph to disk in clear JSON under a predictable user directory, but this file contains free-form cause/action/effect text that can easily include sensitive prompts, tool outputs, secrets, or personal data. In a memory skill, silent persistence materially increases privacy and data-retention risk because users and downstream operators may not realize long-lived storage is occurring.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code persistently writes user-derived content to disk in auto_captured.jsonl without any consent, notice, retention control, or sensitivity filtering. In a memory skill, users are likely to share preferences, corrections, and potentially secrets, so silent persistence materially increases privacy and compliance risk if the host is multi-user, compromised, or logs/backups are exposed.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The hook injects recalled memories and graph-derived experience into system context without any visible disclosure, which can reintroduce prior sensitive user content and silently influence model behavior. Because the injected content is treated as system-level context, this increases the risk of unwanted disclosure, prompt contamination, and hidden policy/behavior changes without the user's awareness.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The tool performs a persistent state change to memory utility scores based solely on a tool invocation, with no built-in confirmation, authorization, or user-consent guardrail. In a memory system, this can silently bias future retrieval behavior, allowing accidental or manipulated calls to poison ranking quality over time and alter what information is surfaced.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This tool persistently decreases utility scores without any confirmation or approval step, so an agent, prompt injection, or mistaken workflow could silently suppress valid memories. Because utility affects future ranking, repeated misuse can degrade recall quality, hide important context, and create long-lived integrity issues in the memory store.

Ssd 3

Medium
Confidence
94% confidence
Finding
Automatic logging of conversational content and session metadata creates a direct data retention surface for secrets, personal data, credentials, internal decisions, and operational context. Even if intended as a feature, persistent storage of rich natural-language history increases the blast radius of compromise, accidental disclosure, and improper reuse of prior sensitive content.

Ssd 3

Medium
Confidence
90% confidence
Finding
The text explicitly instructs persistent capture and logging of user messages and session details, which creates a real confidentiality risk if conversations contain credentials, personal data, or proprietary information. Even if intended as a memory feature, persistent storage broadens the attack surface and can violate least-retention principles.

Ssd 3

Medium
Confidence
88% confidence
Finding
The rules direct the agent to keep logging causal chains and consult accumulated experience, reinforcing continuous retention and reuse of prior conversational/task data. This can unintentionally encode sensitive operational details into long-lived memory stores and make later leakage or misuse more likely.

Ssd 3

Medium
Confidence
95% confidence
Finding
The tool reads auto-captured memory entries from disk and returns plain-language previews of recent entries to any caller of `compress_context` without any access control, sensitivity filtering, or user-consent check. Because auto-captured memory may contain prior user prompts, secrets, or other sensitive context, this creates a cross-context data exposure path where invoking a compression helper can leak historical memory content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal