Adam Framework

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent memory framework, but it should stay in Review because it bundles persistent startup, broad local tool access, and an open Telegram configuration that could expose private memory if copied as-is.

Install only if you are comfortable running a persistent local agent that reads and writes a vault of personal memory, sends selected memory/log content to Gemini for reconciliation, and may expose that memory through configured tools. Before use, remove desktop-commander and unused MCP integrations unless needed, restrict Telegram to an allowlist or disable it, avoid elevated hidden auto-start where possible, keep API keys out of command-line arguments, and review or redact chat exports before ingestion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (64)

MCP Least Privilege

Medium
Confidence
93% confidence
Finding
The skill advertises substantial capabilities including environment access, file read/write, network, and shell execution, yet does not declare permissions. This undermines user consent and policy enforcement because an agent or platform may invoke a skill with far broader system access than the metadata suggests.

MCP Tool Poisoning

High
Confidence
97% confidence
Finding
The documented behavior goes far beyond a memory/coherence layer and includes process management, vault compilation, external API-driven rewriting of core memory, data ingestion/export, MCP exposure of vault contents, and git operations. This mismatch is dangerous because users may authorize a 'memory skill' without realizing it can modify persistent state, expose sensitive data, manage processes, and transmit information to third parties.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The guide expands beyond memory setup into enabling a new external communication channel via Telegram. That materially increases the agent's reach and attack surface, and it is not necessary for the stated persistent-memory function, so it represents capability creep that could expose the user to unauthorized remote interaction if misconfigured or abused.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Enabling a Telegram bot gives the system remote inbound access unrelated to memory persistence. Even if optional, bundling it into the setup normalizes adding unnecessary network-facing functionality, which increases exposure to misuse, token theft, or unintended data disclosure through the chat channel.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The guide instructs users to export and ingest full Claude/ChatGPT conversation histories into the framework. Those exports commonly contain highly sensitive personal, business, credential-adjacent, and third-party data, and the document does not impose minimization, redaction, consent, or access-control safeguards before import. In a memory skill, this dramatically increases data-exposure risk and can propagate sensitive material into multiple storage layers.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The optional Telegram integration expands the attack surface beyond the stated memory/coherence function by exposing the agent through a remote messaging channel. Even if presented as optional, it introduces externally reachable access and token-managed bot control that is unrelated to the core persistence objective and lacks security guidance.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Phone-accessible Telegram bot functionality enables remote interaction with an AI system that now holds persistent user memory and imported history. Without justification tied to the skill purpose and without access restrictions, this increases the risk of unauthorized access, data leakage, and inadvertent exposure of stored memories.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The page claims 'Local AI. No cloud. No subscription.' but immediately loads Google Fonts from a third-party domain and sends purchase traffic to Gumroad. That contradiction is dangerous because it can mislead users into believing no external network interaction occurs, weakening informed consent and creating privacy/trust risk for a product centered on local, persistent memory.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The guide extends a stated memory/coherence framework with a Telegram bot interface, creating remote access to the agent that materially increases attack surface. Even if optional, exposing an AI service over a messaging platform can enable unauthorized interaction, prompt abuse, data leakage from memory files, and command execution through connected tools if not tightly controlled.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The documentation describes mcporter as wiring in external tools such as Firecrawl and Notion, which broadens the framework from local memory management into external data access and integration. This scope expansion increases the blast radius of prompt injection, data exfiltration, and unintended actions, especially when combined with persistent agent memory and automated startup.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The setup explicitly tells users they are installing a watchdog that starts the AI automatically and keeps it alive, which is persistence behavior. In a legitimate admin tool this can be intended, but from a security perspective it is still risky because persistent background execution can conceal failures, prolong compromise, and ensure the agent keeps running with access to memory, APIs, and external tools.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Adding a Telegram bot interface introduces a remote command-and-control style channel that is unrelated to the narrow memory architecture claim and substantially increases risk. When paired with persistent startup and memory access, a remotely reachable interface can expose sensitive user context and expand opportunities for abuse.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The guide presents the sleep cycle as 'offline — Markdown + neural only' while later stating that reconcile_memory.py uses Gemini and requires an API key. This mismatch can mislead users about where data is processed and whether sensitive memory content may be sent to a third-party LLM service, undermining informed consent and privacy expectations.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script extracts GEMINI_API_KEY from a local configuration file and passes it as a command-line argument to a Python process. Command-line arguments are often visible to other local processes via process listings, shell history tooling, crash reports, or service monitors, so this creates avoidable credential exposure even if the purpose is operational rather than malicious.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The watchdog uses broad pkill -f patterns for "openclaw" and "gateway", which can terminate unrelated processes owned by the user and potentially disrupt other workloads. Because matching is substring-based and system-wide for accessible processes, this is an overbroad host-control action that can be abused or cause collateral denial of service.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The template advertises and wires in several optional MCP servers for web scraping, document analysis, workspace access, and multi-model routing that go well beyond the stated purpose of a memory/coherence architecture. Bundling these capabilities in a default-ish template increases the chance that users enable unnecessary high-privilege integrations, expanding attack surface and data exposure without a clear need tied to the skill's core function.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The desktop-commander entry grants terminal execution and filesystem access, which is a powerful local privilege surface unrelated to the narrow claim of providing persistent memory/coherence. If an agent or connected workflow is compromised, this server could be used to read sensitive files, modify local state, or execute arbitrary commands on the host.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The firecrawl integration adds external web scraping capability that is not necessary for core local memory persistence. In context, this broadens the skill from memory management into networked data acquisition, increasing exposure to prompt injection from scraped content, data exfiltration paths, and unnecessary API-key handling.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The Notion integration introduces access to a user's workspace and documents, which is broader than a standalone memory architecture and may expose sensitive organizational data. Because the template encourages users to place bearer-token style credentials into configuration, accidental over-permissioning or misuse could lead to unauthorized reading or modification of workspace content.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The openrouter integration enables routing tasks to multiple external models and mentions sub-agent orchestration, which materially expands the operational scope beyond memory coherence. This can increase data-sharing to third parties, complicate trust boundaries, and create additional channels for sensitive prompt/context leakage if enabled without strict controls.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The Telegram channel is enabled with dmPolicy set to open and allowFrom set to ["*"], which means any Telegram user can potentially interact with the bot. In a skill that also has persistent memory and command execution features, broad unauthenticated access can allow unauthorized users to manipulate memory, trigger behaviors, or extract sensitive context from the agent.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The server is documented as exposing files from the configured vault workspace, but get_memory_files() also enumerates Markdown files from VAULT_PATH.parent. That expands the trust boundary beyond the declared vault and can disclose adjacent notes or sensitive files to any MCP client using memory_list, memory_search, or memory_get.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The script's documented behavior says it reconciles core memory and defers vector reindex, but it also rewrites TOPIC_INDEX.md as a side effect. Hidden file mutation increases the attack surface and can unexpectedly alter memory metadata or downstream agent behavior, especially in a persistence framework where these files drive future decisions.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
update_topic_index() depends on undeclared global state (paths) and rewrites a persistent file, despite the docstring minimizing its effects. This kind of implicit state and hidden persistence can lead to unsafe or unintended writes, make review harder, and increase the likelihood of integrity issues in agent memory stores.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This script goes beyond local memory/statistics maintenance and performs repository modification plus remote publication, which is materially different from the stated 'persistent memory/coherence architecture' purpose. In an agent skill context, hidden or under-disclosed code publication behavior increases the chance of unintended exfiltration, reputation damage, or unauthorized changes being pushed to a remote repository.

VirusTotal

64/64 vendors flagged this skill as clean.