ClawHub

Memory Keep-Alive for Obsidian

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Obsidian task-memory system that creates persistent task notes and scheduled OpenClaw jobs, with no artifact-backed deception or exfiltration found.

Install only if you want automatic task notes and recurring OpenClaw jobs. Use a dedicated Obsidian vault or Tasks folder, keep the loop disarmed unless needed, avoid putting secrets in task notes, and remove the five cron jobs plus any retained vault notes when uninstalling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill directs the agent to create and continuously update files in the user's Obsidian vault, but no explicit permission declaration or user-consent boundary is present. That creates an authorization gap where persistent local writes can occur implicitly, increasing the risk of unintended data modification or persistence.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill is presented as task memory plus a keep-alive loop, but its instructions describe broader autonomous behavior including multiple scheduled monitoring and recovery jobs and workflow maintenance. This mismatch is dangerous because users may approve a seemingly simple memory aid without realizing it establishes persistent automation that can keep acting on data and tasks after initial invocation.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The installer persistently alters the agent scheduler by creating five recurring jobs, including a direct fallback that writes to jobs.json when the CLI is unavailable. That behavior is security-relevant because it establishes ongoing autonomous execution beyond a simple one-time skill install, increasing attack surface and persistence if the prompts or skill are later modified.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The install instructions explicitly add five scheduled jobs that continue running automatically and are described as modifying and validating files in the user's Obsidian vault, but the surrounding guidance does not prominently warn users that these background tasks will persist until manually removed. This can lead to unexpected ongoing execution, token consumption, and continued file modification after initial setup, which is a real operational security and consent issue even if not overtly malicious.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The uninstall section includes a destructive recursive deletion command using rm -rf without an explicit caution to verify the expanded path before execution. While the intended target is a skill directory, destructive shell commands are risky in install docs because path mistakes, variable expansion issues, or user copy/paste errors can cause unintended data loss.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises automatic persistent note creation and scheduled watchdog/recovery behavior, but it does not clearly foreground that the skill will continue writing to the user's Obsidian vault and running autonomous background jobs after installation. This is a real security/transparency issue because users may not fully understand the ongoing side effects, which can lead to unintended data persistence, privacy exposure, or unexpected automated actions in their environment.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The instruction to create persistent notes for "any task" establishes an overly broad trigger that can capture unrelated, sensitive, or one-off interactions without context-sensitive limits. Broad activation increases the chance of unnecessary persistence, accidental scope creep, and writes during tasks where storage is inappropriate.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Telling the agent to use task memory "Always" reinforces an unconditional invocation rule that removes situational judgment and consent checks. In practice, this can cause persistence and file writes even for trivial or private requests, making the skill more likely to over-collect and over-retain information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs automatic creation and maintenance of files in a local vault without a user-facing warning that local data will be modified. Silent local writes are risky because they can alter personal knowledge bases, create persistent records unexpectedly, and expose users to integrity and privacy issues they did not knowingly accept.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script immediately creates directories and copies files into the user's OpenClaw environment without a confirmation checkpoint. Unprompted environment modification is risky for installer trust and can surprise users, especially in agent ecosystems where skills may be installed from untrusted sources.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The installer automatically schedules five recurring jobs without a dedicated warning or consent step immediately before enabling autonomous execution. In this skill's context, that is more dangerous because the feature intentionally creates persistent background behavior that may consume tokens, access data repeatedly, or continue operating after the user forgets it was installed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The prompt explicitly instructs the agent to create and modify files in `VAULT_PATH/Tasks/` (including `WATCHDOG.md`, `RESUME.md`, `CHECKLIST.md`, and `DOCS.md`) without any requirement for user awareness, confirmation, or an audit notice. Even though the scope is limited to the Obsidian vault, these are persistent state changes that can alter task records and agent behavior, so silent writes create integrity and transparency risks.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The prompt instructs the agent to create stub files and remove WATCHDOG.md as part of normal operation, but it does so without any explicit confirmation, dry-run mode, or warning that task files will be modified automatically. Even though writes are scoped to the Obsidian vault's Tasks directory, this still creates integrity risk: an agent could overwrite user-maintained notes, create misleading state, or delete watchdog markers without the user realizing changes were made.

Ssd 3

Medium
Confidence
96% confidence
Finding
The requirement to persist notes for every task and record status, decisions, gotchas, files, and restart context creates a broad retention channel for potentially sensitive user data. Because there are no minimization, redaction, or sensitivity boundaries, the skill can semantically store confidential project details, personal data, or secrets in long-lived files.

Ssd 3

Medium
Confidence
95% confidence
Finding
The update rules require immediate recording of discoveries and restart notes, encouraging ongoing accumulation of operational context in persistent storage. This is dangerous because sensitive intermediate findings, internal reasoning summaries, system paths, or user-provided confidential details may be written to disk without necessity or notice.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal