Hongnao Memory V1.0.0

Security checks across malware telemetry and agentic risk

Overview

This is a coherent long-term memory skill, but it defaults toward persistent conversation capture and preference profiling without enough privacy controls or warnings.

Review before installing. Use this only if you are comfortable with an OpenClaw memory plugin storing conversation-derived facts, preferences, and possibly full session messages locally. Before enabling it: set clear opt-in rules; disable automatic extraction and session sync if you do not need them; keep secrets and regulated data out of conversations the plugin can see; keep the workspace directory out of file sync and sharing; and have a backup and recovery plan in place before using the forgetting or deletion features.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (23)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The benchmark report presents the recall metric as a true recall percentage with a >90% target, but the implementation only checks whether each query returns at least one result. This can materially overstate retrieval quality and mislead operators into believing the memory system is production-ready when it may be missing relevant items or performing poorly under realistic evaluation criteria.
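As an added illustration (not code from the skill or its benchmark), the following computes the "at least one result" check the report describes next to real recall@k and hit-rate@k over a constructed query set. The queries, memory ids and returned rankings are invented; the point is that the first metric scores 100% on data where real recall@2 is about 58%.

```python
"""Added example: 'any result returned' vs. real recall for a memory retrieval benchmark."""
from typing import Dict, List, Set

# Constructed sample data (not from the skill's benchmark): for each query, the
# memory ids that are actually relevant, and the ids the retriever returned in rank order.
GROUND_TRUTH: Dict[str, Set[str]] = {
    "what is my job":         {"m1", "m2", "m3"},
    "favourite editor":       {"m4"},
    "deadline for project x": {"m5", "m6"},
    "coffee preference":      {"m7"},
}
RETURNED: Dict[str, List[str]] = {
    "what is my job":         ["m1", "m9"],    # 1 of 3 relevant items surfaced
    "favourite editor":       ["m4"],          # the one relevant item
    "deadline for project x": ["m10", "m11"],  # non-empty, but nothing relevant
    "coffee preference":      ["m7", "m8"],    # relevant item plus noise
}


def any_result_rate(returned: Dict[str, List[str]]) -> float:
    """The check the report labels 'recall': share of queries with a non-empty result list.
    It never consults ground truth, so irrelevant results count as success."""
    non_empty = sum(1 for hits in returned.values() if hits)
    return non_empty / len(returned)


def recall_at_k(truth: Dict[str, Set[str]], returned: Dict[str, List[str]], k: int) -> float:
    """Macro-averaged recall@k: relevant items found in the top k / relevant items, per query."""
    per_query = []
    for query, relevant in truth.items():
        top_k = set(returned.get(query, [])[:k])
        per_query.append(len(top_k & relevant) / len(relevant))
    return sum(per_query) / len(per_query)


def hit_rate_at_k(truth: Dict[str, Set[str]], returned: Dict[str, List[str]], k: int) -> float:
    """Share of queries whose top k contains at least one *relevant* item."""
    hits = sum(1 for q, relevant in truth.items() if set(returned.get(q, [])[:k]) & relevant)
    return hits / len(truth)


def benchmark(k: int = 2) -> Dict[str, float]:
    """Compute all three so the gap between them is visible side by side."""
    return {
        "any_result_rate": any_result_rate(RETURNED),
        f"hit_rate@{k}": hit_rate_at_k(GROUND_TRUTH, RETURNED, k),
        f"recall@{k}": recall_at_k(GROUND_TRUTH, RETURNED, k),
    }


if __name__ == "__main__":
    for name, value in benchmark().items():
        print(f"{name:>16}: {value:.3f}")
```

Hit rate is what a non-empty-result check is trying to approximate, and even that needs labelled ground truth to mean anything; a recall target of >90% can only be claimed against a labelled set.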

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The README explicitly documents persistent memory collection, export, and automatic forgetting/deletion behavior, but does not mention consent, retention limits, privacy notices, access controls, or recovery safeguards. In an agent memory system integrated into user conversations and tools, this omission can lead to silent retention of sensitive personal/project data and accidental irreversible data loss through cleanup or overwrite behaviors.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The release notes advertise 'automatic preference learning' as a core feature but provide no warning, consent language, or data-handling explanation. In a memory system that stores user information and integrates deeply with another platform, silent preference profiling can lead to unexpected collection, retention, and inference of sensitive user data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill explicitly advertises cross-session memory persistence and automatic user preference learning, but the description does not provide a clear user warning, consent notice, or explanation of what data is stored and reused. This is dangerous because users may unknowingly expose sensitive personal information across sessions, and preference profiling can create privacy and trust risks if enabled by default without transparent disclosure.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding
The installer creates a plugin directory and copies files into a user-specified or default workspace without prompting, backup, or overwrite warning. Because shutil.copy2() will overwrite existing files, running this script can silently replace local plugin code or documentation in the target workspace, which is risky in an agent/plugin environment where workspace contents may be trusted or later executed.
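An added example, not the skill's installer, of the overwrite behaviour the finding describes and one way to guard it: refuse to replace a differing file unless the operator passes force, and keep a timestamped backup when they do. The directory names and file contents are constructed inside a temporary workspace.

```python
"""Added example: silent overwrite with shutil.copy2 vs. a guarded install step."""
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Tuple


def overwriting_install(src_dir: Path, dst_dir: Path) -> List[Path]:
    """Mirrors the installer pattern in the finding: copy2 replaces any existing file of the
    same name without asking and without keeping the old version."""
    dst_dir.mkdir(parents=True, exist_ok=True)
    return [Path(shutil.copy2(f, dst_dir / f.name)) for f in sorted(src_dir.iterdir()) if f.is_file()]


def guarded_install(src_dir: Path, dst_dir: Path, force: bool = False) -> Tuple[List[Path], List[Path], List[Path]]:
    """Refuse to clobber differing files unless force=True; with force, keep a timestamped backup.
    Returns (copied, conflicts, backups). Byte-identical files are skipped and not reported."""
    dst_dir.mkdir(parents=True, exist_ok=True)
    copied: List[Path] = []
    conflicts: List[Path] = []
    backups: List[Path] = []
    stamp = time.strftime("%Y%m%dT%H%M%S")
    for src in sorted(p for p in src_dir.iterdir() if p.is_file()):
        target = dst_dir / src.name
        if target.exists():
            if target.read_bytes() == src.read_bytes():
                continue                      # nothing would change
            conflicts.append(target)
            if not force:
                continue                      # leave the operator's file alone
            backup = target.with_name(f"{target.name}.bak-{stamp}")
            shutil.copy2(target, backup)      # preserve the old version first
            backups.append(backup)
        shutil.copy2(src, target)
        copied.append(target)
    return copied, conflicts, backups


def demo() -> Dict[str, object]:
    """Run both installers against a workspace that already holds a locally patched plugin file.
    Paths and contents are constructed for the example."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "release", "hongnao_memory")
        dst = Path(tmp, "workspace", "plugins", "hongnao_memory")
        src.mkdir(parents=True)
        dst.mkdir(parents=True)
        (src / "plugin.py").write_text("print('upstream v2')\n")
        (src / "README.md").write_text("upstream docs\n")
        local = "print('locally patched v1')\n"
        (dst / "plugin.py").write_text(local)

        copied, conflicts, _ = guarded_install(src, dst)          # README copied, plugin.py refused
        preserved = (dst / "plugin.py").read_text() == local

        _, _, backups = guarded_install(src, dst, force=True)     # plugin.py backed up, then replaced
        backup_ok = bool(backups) and backups[0].read_text() == local

        (dst / "plugin.py").write_text(local)                     # reset, then show the unguarded path
        overwriting_install(src, dst)
        clobbered = (dst / "plugin.py").read_text() != local

        return {
            "guarded_conflicts": len(conflicts),
            "guarded_copied_without_force": len(copied),
            "guarded_preserved_local_file": preserved,
            "forced_backups": len(backups),
            "forced_backup_holds_old_content": backup_ok,
            "copy2_clobbered_without_warning": clobbered,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The comparison by content rather than by name matters: re-running an installer over an unchanged workspace should be a no-op, while a locally edited plugin file is exactly the case that needs a prompt or a backup.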

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
This code writes a requirements.txt file into the script directory and later writes configuration and documentation files without prior disclosure or consent. In a shared repo, checked-out project, or agent-controlled workspace, these implicit writes can modify existing local files and influence later dependency installation or plugin behavior.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
The extractor is explicitly designed to parse and persist user statements such as names, jobs, preferences, and constraints into memory objects without any visible consent, minimization, or sensitivity filtering. In an agent skill context, this creates a real privacy and data-protection risk because personal information can be retained and reused beyond the user's immediate intent.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The code persistently writes full session conversations to a predictable local workspace path without any consent flow, warning, minimization, or protection controls. In a memory-management skill, those conversations can contain credentials, personal data, or sensitive business context, so silent persistence materially increases exposure if the workstation, backups, or other local processes are compromised.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The daily export feature writes aggregated memory contents to a Markdown file on disk without any user-facing disclosure or confirmation. Because the exported data includes remembered user facts and preferences, this creates an additional persistent copy of sensitive information that may be easier to discover, index, sync, or exfiltrate than the primary store.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The code persists learned user preferences derived from conversations into a local JSON file in cleartext, with no consent flow, minimization, access controls, encryption, or retention policy. Because these preferences can reveal personal habits, dislikes, routines, and behavioral traits, local compromise, shared-host access, backups, or accidental file exposure could leak sensitive user profile data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The guide encourages automatic extraction and storage of user conversation content, including personally identifying and preference data, without any notice about consent, retention, review, or secure handling. In a memory system context this can lead to unintended collection of sensitive personal data and privacy harm if operators enable it by default or use it without informed user awareness.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The backup/export example writes the full memory store to a local JSON file without warning that it may contain sensitive user facts, preferences, and profile information. This is dangerous because users may create unencrypted backups in insecure locations, increasing the risk of local disclosure, accidental sharing, or inclusion in source control and support bundles.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The document promotes automatic session synchronization, memory extraction, and preference learning for an OpenClaw plugin without clearly disclosing that user conversations may be continuously collected, stored, and processed. In a plugin-packaging context, these features can materially affect privacy and system behavior, and the absence of explicit consent, retention, and security warnings increases the risk of unintentional sensitive-data capture and unsafe deployment.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The guide explicitly demonstrates storing user preferences, facts, and other personal memory data, but provides no consent, minimization, retention, or sensitive-data handling warning. In a cross-session memory system, this can lead to silent accumulation of personal data and privacy violations if operators persist more data than users expect.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The session-sync example shows full conversation messages being synchronized into persistent memory with auto extraction, but does not warn that entire chats may contain secrets, personal data, or regulated information. This is dangerous because developers may enable blanket persistence and unintentionally copy transient conversation content into long-lived storage across sessions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The backup/export example writes the memory database to disk in JSON without any warning about plaintext exposure, access control, or encryption. Exported memory stores can contain personal profiles, preferences, and conversation-derived data, so a local file can become an easy exfiltration point if shared, synced, or left unprotected.

Ssd 3

Severity: Medium
Confidence: 93%
Finding
The session sync path both auto-extracts memories from full conversations and stores the raw messages in plaintext JSON under the workspace directory. In this skill context, that is more dangerous because the module is explicitly designed for long-term cross-session memory, so sensitive user disclosures are systematically retained and duplicated, increasing the blast radius of local compromise or accidental sharing.
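The session-sync, raw-message, preference-file and export findings above share one root cause: conversation text goes to disk as-is. Here is an added example (illustrative code, not from the skill) of the controls the overview asks for before enabling those features: an explicit opt-in gate, redaction of secret-looking spans before anything is written, and an expiry on each record so the forgetting step has a defined scope. The patterns, sample conversation and store path are constructed; the AWS key string is the placeholder AWS uses in its own documentation.

```python
"""Added example: gate session persistence behind opt-in, redact secrets, attach a retention deadline."""
import json
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, List, Tuple

# Patterns for material that should never reach long-term memory. Illustrative, not exhaustive.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token":      re.compile(r"\bBearer\s+[A-Za-z0-9\-_.=]{20,}", re.IGNORECASE),
    "private_key":       re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
    "credential_assign": re.compile(r"\b(?:api[_-]?key|secret|password|token)\s*[:=]\s*\S+", re.IGNORECASE),
}

# Constructed sample conversation. The AWS key is the documentation placeholder, not a live credential.
SAMPLE_SESSION: List[Dict[str, str]] = [
    {"role": "user", "content": "I'm Dana, a backend engineer. I prefer terse answers."},
    {"role": "user", "content": "Deploy creds: AKIAIOSFODNN7EXAMPLE and password=hunter2, use them for the S3 job."},
    {"role": "assistant", "content": "Understood. I will send Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c29tZS1ib2R5 to the API."},
]


def redact(text: str) -> Tuple[str, List[str]]:
    """Replace secret-looking spans with a labelled placeholder; report which pattern types fired."""
    fired: List[str] = []
    for name, pattern in SECRET_PATTERNS.items():
        text, count = pattern.subn(f"[REDACTED:{name}]", text)
        if count:
            fired.append(name)
    return text, fired


def persist_session(messages: List[Dict[str, str]], store_path: Path, *,
                    opt_in: bool, retention_days: int = 30) -> Dict[str, object]:
    """Write a session to the memory store only if the user opted in, after redaction,
    with an explicit expiry so a later forgetting step has something concrete to enforce."""
    if not opt_in:
        return {"written": 0, "redactions": [], "reason": "session persistence is opt-in and was not enabled"}
    now = datetime.now(timezone.utc)
    records, redactions = [], []
    for msg in messages:
        clean, fired = redact(msg["content"])
        redactions.extend(fired)
        records.append({
            "role": msg["role"],
            "content": clean,
            "stored_at": now.isoformat(),
            "expires_at": (now + timedelta(days=retention_days)).isoformat(),
        })
    store_path.parent.mkdir(parents=True, exist_ok=True)
    store_path.write_text(json.dumps(records, indent=2))
    store_path.chmod(0o600)   # owner-only; the file is still plaintext, so keep it out of sync and backups
    return {"written": len(records), "redactions": sorted(set(redactions)), "reason": None}


def expired(records: List[Dict[str, str]], now: datetime) -> List[Dict[str, str]]:
    """Records whose retention window has passed; a deletion step should operate on exactly these."""
    return [r for r in records if datetime.fromisoformat(r["expires_at"]) <= now]


def demo() -> Dict[str, object]:
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp, "workspace", "memory", "sessions.json")
        denied = persist_session(SAMPLE_SESSION, store, opt_in=False)
        allowed = persist_session(SAMPLE_SESSION, store, opt_in=True, retention_days=7)
        on_disk = store.read_text()
        records = json.loads(on_disk)
        return {
            "written_without_opt_in": denied["written"],
            "written_with_opt_in": allowed["written"],
            "redaction_types": allowed["redactions"],
            "raw_key_on_disk": "AKIAIOSFODNN7EXAMPLE" in on_disk,
            "raw_password_on_disk": "hunter2" in on_disk,
            "expired_after_8_days": len(expired(records, datetime.now(timezone.utc) + timedelta(days=8))),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Regex redaction is a floor, not a ceiling: it catches well-formed tokens and obvious assignments, and misses secrets pasted without context. The structural controls (opt-in default off, a retention deadline on every record, restrictive file mode) are what limit the damage when the filter misses.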

Ssd 3

Severity: Medium
Confidence: 87%
Finding
The profile and export methods aggregate personal facts, preferences, skills, and constraints into easily consumable outputs, which lowers the effort needed to inspect or exfiltrate sensitive user data. In a memory assistant integration, such aggregation is expected functionality, but without access controls, redaction, or disclosure boundaries it still creates a meaningful privacy and data-exposure risk.

Ssd 3

Severity: Medium
Confidence: 88%
Finding
These sections promote persistent cross-session collection, retrieval, and profiling of user identity, employment, habits, and communication preferences in plain language, including building a user profile. In the context of an agent skill, that materially increases privacy risk because it normalizes long-term behavioral profiling without visible consent, purpose limitation, or safeguards.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content
# HongNao Memory OS Requirements

# Vector database
chromadb>=0.4.0

# Numerical computation
numpy>=1.20.0
Confidence: 90%
Finding
chromadb>=0.4.0 sets only a lower bound, so any future chromadb release is accepted at install time.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content
chromadb>=0.4.0

# Numerical computation
numpy>=1.20.0

# Embedding model
sentence-transformers>=2.2.0
Confidence: 97%
Finding
numpy>=1.20.0 sets only a lower bound, so any future numpy release is accepted at install time.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content
numpy>=1.20.0

# Embedding model
sentence-transformers>=2.2.0

# Optional: a stronger embedding model
# FlagEmbedding>=1.2.0
Confidence: 89%
Finding
sentence-transformers>=2.2.0 sets only a lower bound, so any future sentence-transformers release is accepted at install time.
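An added example, not part of the skill, of checking a requirements file for the specifier shape these three findings flag and producing exact pins from a resolved install. The first five lines of the sample are the skill's requirement lines quoted in the findings above; the two pinned lines and the version map are constructed for contrast.

```python
"""Added example: classify requirement specifiers and emit pinned replacements."""
import re
from typing import Dict, List, Optional, Tuple

SPEC_RE = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*([^\s,;]+)")
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

# The skill's lines as quoted in the findings, plus two constructed pinned lines for contrast.
SAMPLE_REQUIREMENTS = f"""\
# HongNao Memory OS Requirements
chromadb>=0.4.0
numpy>=1.20.0
sentence-transformers>=2.2.0
# FlagEmbedding>=1.2.0
requests==2.31.0
cryptography==41.0.7 --hash=sha256:{'0' * 64}
"""
# Constructed stand-in for `pip freeze` output from an install that resolved the floating specifiers.
RESOLVED: Dict[str, str] = {"chromadb": "0.4.24", "numpy": "1.26.4", "sentence-transformers": "2.7.0"}


def classify_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (normalised_name, status) or None for blank, comment and option lines.
    status is one of: pinned_hashed, pinned, bounded, floating, unpinned, other."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = NAME_RE.match(line)
    if not m:
        return None
    name = m.group(1).lower().replace("_", "-")
    rest = line[m.end():]
    hashed = "--hash=" in rest
    ops = {op for op, _ in SPEC_RE.findall(rest.split(";", 1)[0])}   # ignore environment markers
    if ops & {"==", "==="}:
        status = "pinned_hashed" if hashed else "pinned"
    elif ops & {">=", ">", "~="}:
        status = "bounded" if ops & {"<", "<="} else "floating"      # lower bound with no ceiling
    elif ops:
        status = "other"
    else:
        status = "unpinned"                                          # bare name, any version
    return name, status


def classify_requirements(text: str) -> Dict[str, str]:
    return dict(filter(None, (classify_line(l) for l in text.splitlines())))


def floating_requirements(text: str) -> List[str]:
    """Names whose specifier accepts any future release: what an 'unpinned dependency' finding points at."""
    return [n for n, s in classify_requirements(text).items() if s in ("floating", "unpinned")]


def pin_requirements(text: str, resolved: Dict[str, str]) -> List[str]:
    """Rewrite floating/unpinned lines to exact pins using versions from a resolved install.
    Already-pinned lines, comments and names missing from `resolved` are passed through unchanged."""
    out: List[str] = []
    for line in text.splitlines():
        info = classify_line(line)
        if info is not None and info[1] in ("floating", "unpinned") and info[0] in resolved:
            out.append(f"{info[0]}=={resolved[info[0]]}")
        else:
            out.append(line)
    return out


if __name__ == "__main__":
    print("floating:", floating_requirements(SAMPLE_REQUIREMENTS))
    print("\n".join(pin_requirements(SAMPLE_REQUIREMENTS, RESOLVED)))
```

Pinning turns the scanner's name-only match into a version-specific question: once the requirement names an exact version, an advisory check such as pip-audit -r requirements.txt can say whether that version is affected instead of flagging the package as a whole.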

Known Vulnerable Dependency: numpy (10 advisories): CVE-2014-1859 (NumPy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL pointer dereference); CVE-2021-33430 (NumPy buffer overflow, disputed); and 7 more

Severity: Critical
Category: Supply Chain
Confidence: 92%
Finding
numpy. The requirement numpy>=1.20.0 fixes no version, so the scanner can only match advisories by package name; whether any of them applies depends on the version the resolver actually installs. Check the resolved version (from a lock file or pip freeze output) against each advisory's affected range before treating this as exploitable, and pin the version so the answer does not change between installs.

VirusTotal

67/67 vendors flagged this skill as clean. A clean antivirus verdict covers known-malware signatures only; it says nothing about the data-handling and consent findings above.
