Rune - Self-Improving AI Memory

Security checks across malware telemetry and agentic risk

Overview

Rune appears to be a real memory tool, but it needs Review because it persistently changes agent workflow and can store or send more session/document context than users may expect.

Install only if you want Rune to become a persistent part of your OpenClaw workflow. Review the files it adds under ~/.openclaw/workspace, keep backups of HEARTBEAT.md and memory.db, avoid storing secrets or sensitive personal data, and force local Ollama extraction or unset OPENAI_API_KEY/ANTHROPIC_API_KEY before processing private documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (51)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill advertises and documents shell, network, environment-variable, and global installation behavior, but does not declare permissions. That creates a transparency and consent failure: users and hosting platforms cannot accurately assess or gate the skill's capabilities before install, especially since it modifies files, installs npm packages, and can use cloud APIs.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The documented behavior substantially exceeds the stated purpose of a memory system, including project autopilot, notifications, session analysis, file modification, global package installation, and external API-backed extraction. This mismatch is dangerous because it obscures the true attack surface and can mislead users into approving a skill with far broader authority and persistence than expected.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The script performs a global npm install from the local package and explicitly states it may replace existing commands. Global installation broadens the blast radius beyond the project directory, can shadow preexisting binaries, and executes package installation hooks with user privileges, which is risky for an installer handling an AI memory tool rather than a system-level package manager role.

Intent-Code Divergence

Low
Confidence: 86%
Finding
The script does appear to mitigate shell metacharacter injection by quoting the argument and stripping many special characters, but it still accepts attacker-controlled environment content and feeds it into privileged `rune` memory operations. In this skill’s context, that means an external party may be able to influence what gets recalled or persisted in the AI memory system, enabling memory poisoning, context manipulation, or retrieval of unintended session context even without classic shell injection.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The script writes a workflow document that instructs users to recall memory before every response and to structure behavior around Rune, going beyond a simple memory utility into persistent behavioral shaping. In an agent setting, this increases the chance that unrelated or sensitive prior context will be injected into future interactions, creating cross-conversation data exposure and policy-drift risk.

Description-Behavior Mismatch

High
Confidence: 95%
Finding
This CLI substantially exceeds the stated scope of a memory/context system by adding project orchestration, notification routing, and self-improvement automation. In an agent-skill setting, unnecessary capability expansion increases attack surface and can enable unintended side effects, especially when the skill may be granted trust based on a narrower description.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The notification commands can classify, queue, and send messages to external or user-facing channels, which is a materially higher-risk capability than memory storage. If memory contents or generated summaries are routed outward, this can cause data exfiltration, spam, or unauthorized user contact.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
Project/task orchestration is not inherently malicious, but it is outside the declared memory-system purpose and gives the skill operational influence over workflows. In agent environments, scope creep like this can lead to unintended autonomous behavior and abuse of trust or permissions granted for a simpler memory role.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
The context command can write generated output to any user-supplied file path via --output, creating arbitrary file-write capability beyond pure memory retrieval. Even if intended for convenience, arbitrary writes can overwrite sensitive files or be abused by higher-level agent logic to modify local state unexpectedly.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The inject command also allows arbitrary file output, extending the tool from memory formatting into general filesystem modification. In a skill context, unnecessary file-write primitives are dangerous because they can be chained with other behaviors to persist data or alter unrelated files.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The top-level description presents the CLI as persistent fact-based memory, but the implementation includes many unrelated operational features. Misleading capability descriptions are dangerous because reviewers and runtime policy systems may grant access based on an incomplete understanding of what the skill can actually do.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
This code sends full document or transcript content to external model providers (OpenAI/Anthropic) for fact extraction, which is a real data exfiltration/privacy risk for a memory system handling potentially sensitive user conversations and notes. The danger is amplified because the skill is explicitly designed to extract durable personal facts, so highly sensitive content may be transmitted off-box without any minimization or consent gate in this path.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The digest feature aggregates notifications, facts, project activity, and performance events into a consolidated report, which expands the skill from passive memory management into broad activity surveillance/reporting. In a memory-system context, this increases the chance that sensitive operational or personal data is collected and later redistributed without explicit scoping or consent.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
This code actively routes and sends message contents over outbound channels such as DM, Discord, and email based on automatic classification. For a stated self-improving memory system, that communication capability is broader than necessary and can exfiltrate stored or inferred sensitive content to external destinations without strong authorization boundaries.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The batch send path groups queued notifications and transmits them to Discord, adding a persistent external communications mechanism that is not justified by the declared memory-only scope. Because batching combines multiple messages, it can increase the volume and sensitivity of data disclosed in a single outbound event.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The module persists raw message samples alongside inferred style, mood, urgency, topics, and session history, creating a durable behavioral profile not strictly required for basic session intelligence. In a memory/context-injection skill, storing full natural-language samples and retaining longitudinal interaction data increases privacy exposure, insider misuse risk, and impact from any later database compromise.

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
`getSessionPatterns` and `generateInsights` infer preferred interaction style, common moods, frequent topics, and active hours, which amounts to user profiling and behavioral pattern analysis. Even without direct code execution risk, this can expose sensitive behavioral traits and create secondary-use privacy harms if the data is accessed by other components or leaked.

Missing User Warnings

Medium
Confidence: 94%
Finding
The guide explicitly recommends storing personal preferences and system configuration details in a persistent memory system, but gives no guidance on sensitivity classification, consent, retention, or access control. In a self-improving memory skill whose purpose is broad context injection and reuse, this creates a realistic risk of accumulating sensitive data that may later be surfaced to the wrong user, agent, or workflow.

Missing User Warnings

Medium
Confidence: 91%
Finding
The setup script silently creates executable hooks and documentation under the user's workspace and also installs a helper that appends usage data to /tmp/rune-usage.log during use. These persistent filesystem changes are made without clear opt-in, dry-run output, or a detailed warning about what files will be created, which is risky for security-sensitive agent environments.

Missing User Warnings

Medium
Confidence: 95%
Finding
The manifest configures automatic session start and end hooks that execute shell scripts, but the user-facing warnings do not clearly disclose that code will run automatically on every session boundary or what system and data effects may result. In a skill centered on memory, context injection, and workflow integration, silent automatic execution materially increases the risk of unauthorized persistence, data collection, prompt manipulation, or environmental changes without informed user consent.

Missing User Warnings

Medium
Confidence: 85%
Finding
The cross-session analysis logic aggregates session metadata, behavior events, and message samples to derive patterns and insights, but there is no evidence in this file of consent checks, notice, redaction, or access control before processing potentially sensitive user interaction history. In a memory system explicitly designed for adaptive learning and context injection, this increases privacy risk because the feature can profile users across sessions and surface raw examples such as message_sample.

Missing User Warnings

Low
Confidence: 72%
Finding
The decision changelog function returns full audit-trail records and groups them by key, with optional substring filtering, but this file shows no authorization, scope filtering, or disclosure controls around access to that history. In a persistent memory skill, changelog data can reveal prior decisions, internal state evolution, and sensitive fact keys, so unrestricted retrieval can expose more historical context than a user may expect.

Missing User Warnings

Medium
Confidence: 92%
Finding
The code automatically creates persistent project records when a project name is queried, which means a read-like operation silently mutates local state. In an agent context, undisclosed persistence can create covert memory, unexpected retention of user/workspace data, and auditability problems because merely inspecting a project leaves durable traces.

Missing User Warnings

Medium
Confidence: 95%
Finding
This update path writes blockers, tasks, project metadata, and activity logs to the database with no visible user confirmation, policy check, or permission boundary. In a self-improving or memory-oriented skill, silent writes are dangerous because they allow the agent to accumulate and reshape persistent operational state without the user's awareness, potentially influencing future behavior.

Missing User Warnings

Medium
Confidence: 90%
Finding
Writing context output directly to a user-specified file without overwrite warnings or confirmation creates a destructive local action with little friction. An agent or user can accidentally clobber important files, and the absence of guardrails makes misuse more likely.

VirusTotal

66/66 vendors flagged this skill as clean.