Official Claude-Mem OpenClaw Memory Plugin

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real persistent-memory plugin, but it broadly records agent activity, persists it, and can forward observations to chat services, so it should be reviewed before use.

Install only if you want a third-party plugin to keep persistent records of agent work. Review the installer before running it, avoid passing API keys on the command line, keep the observation feed disabled unless you trust the destination, disable MEMORY.md syncing for sensitive repos, and make sure stored memory can be deleted or excluded from commits/backups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation describes automatic forwarding of agent observations to external messaging channels without any clear warning about sensitive data exposure, consent, retention, or access control. Because observations are derived from tool usage and may include code, prompts, secrets, file contents, or operational details, this creates a real privacy and data exfiltration risk rather than a purely informational concern.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill states that a live MEMORY.md containing prior observations and summaries is automatically written into each agent workspace, but it does not clearly warn users that data will persist on disk across sessions. This can unintentionally expose sensitive operational history, prompts, outputs, or derived summaries to other tools, users, processes, backups, or later sessions.

Missing User Warnings

Medium
Confidence: 95%
Finding
The manual E2E section explicitly instructs testing with a real worker and real messaging channels, but it does not warn that live observations may be sent to external messaging services and real recipients. In a memory/observation plugin context, those observations could contain sensitive operational or personal data, so omission of a clear warning increases the risk of accidental data disclosure during testing.

Missing User Warnings

Medium
Confidence: 74%
Finding
The installer deletes any existing plugin directory with rm -rf before reinstalling, without prompting for confirmation or creating a backup. In an installer intended to be run via curl | bash, destructive actions on user-owned config and extension paths are riskier because users may not have reviewed the script and may lose local modifications or data unexpectedly.

Vague Triggers

Medium
Confidence: 85%
Finding
The manifest explicitly describes a live observation feed that streams observations to external messaging channels in real time, including recipient identifiers and optional bot credentials. In a memory/persistent-observation plugin, this creates a meaningful data exfiltration path for potentially sensitive session content, and the schema provides no visible constraints around consent, scoping, redaction, or channel allowlisting.

Vague Triggers

Medium
Confidence: 90%
Finding
The invocation text is broad enough to activate on common requests like 'execute a plan' or 'run a plan', which can cause this orchestration skill to be selected in many contexts without strong scoping. Because the skill directs autonomous subagent deployment and execution of work, overbroad triggering increases the chance of unintended high-impact actions being initiated from ambiguous user requests.

Missing User Warnings

Medium
Confidence: 91%
Finding
The plugin writes MEMORY.md into the active workspace automatically, which can expose sensitive session-derived context to other tools, commits, backups, or collaborators without explicit user awareness. In an agent environment, silently materializing memory into the filesystem expands the data exposure surface beyond the local worker and can leak prompts, summaries, or internal context into source control.

Missing User Warnings

Medium
Confidence: 95%
Finding
Inbound message content from user channels is automatically forwarded to the worker, creating undisclosed collection and secondary processing of user communications. Even though the worker is bound to localhost, this still constitutes sensitive data transmission to another component and increases privacy risk if the worker logs, stores, or later republishes the content.

Missing User Warnings

Medium
Confidence: 96%
Finding
Tool inputs and outputs often contain highly sensitive material such as file contents, credentials, internal paths, tokens, or proprietary data. Automatically sending them to the worker without explicit disclosure or filtering creates a substantial privacy and confidentiality risk, especially because this plugin is designed to persist and reuse that material as memory.

Ssd 3

High
Confidence: 97%
Finding
This section explicitly states that all agent tool activity is recorded into persistent memory and that each new observation can be forwarded to external messaging channels. In context, that means broad surveillance and secondary disclosure of agent actions, which can capture sensitive data and transmit it outside the primary execution environment.

Ssd 3

Medium
Confidence: 90%
Finding
Describing MEMORY.md as a full timeline of prior observations and summaries in each workspace indicates broad persistence of historical context that may include sensitive or proprietary information. Even if intended as a feature, storing that material in a regular workspace file increases the attack surface and likelihood of accidental disclosure.

Ssd 3

High
Confidence: 98%
Finding
The documentation says every tool use is sent to a worker and transformed into structured narrative memory, which materially increases data processing and persistence beyond the original tool execution. This is dangerous because tool inputs and outputs often contain credentials, private files, source code, incident data, or customer information that should not be broadly retained or reprocessed.

Ssd 3

High
Confidence: 98%
Finding
This plugin persistently collects user prompts, tool outputs, and assistant summaries, then exposes observations through search, recent-context commands, and an SSE feed that can forward messages to external messaging channels. In context, this is materially dangerous because the skill is a memory/observation pipeline: it centralizes sensitive conversational and tool data, broadens access to it, and can republish it outside the original trust boundary with little evidence of consent, filtering, or authorization checks per command.

VirusTotal

65/65 vendors flagged this skill as clean.
