Openclaw Skills Smart Agent Memory

Security checks across malware telemetry and agentic risk

Overview

This is a real local memory tool, but it needs review because it stores broad conversation data and can generate new agent skills in the live skills directory.

Install only if you intentionally want shared long-term local memory for agents. Set rules that prohibit storing credentials, secrets, regulated data, and sensitive personal details; review exports and session summaries before use; avoid scheduled backfill unless you want background retention; and manually inspect any generated SKILL.md before allowing agents to use it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%

Finding:
The `extract` command extends a memory-management CLI into generating new skill artifacts from stored lessons, which materially changes its trust boundary and capabilities. In a long-term memory system, turning stored content into executable/operational agent skills is dangerous because remembered content may be untrusted or prompt-injected, and this feature enables persistence and reuse of that content in a more privileged form.

Context-Inappropriate Capability

Severity: High
Confidence: 95%

Finding:
The code writes extracted output directly into `~/.openclaw/skills`, a sensitive directory that affects future agent behavior. If memory content or lessons are attacker-influenced, this creates a persistence mechanism where untrusted data can become installed skills, potentially altering later runs or enabling prompt/code injection through trusted local artifacts.

Missing User Warnings

Severity: Medium
Confidence: 76%

Finding:
The README advertises deletion, garbage collection, and export of all stored memory without prominently warning about irreversible data loss or exposure of sensitive stored content. In a long-term memory skill that persistently stores user-provided information, weak safety guidance can lead operators or agents to delete valuable records or export confidential data into less protected locations.

Missing User Warnings

Severity: Medium
Confidence: 92%

Finding:
The compressLogs function modifies and truncates user memory files in place based solely on size, which can destroy or alter important historical context without any explicit confirmation, dry-run mode, or user-visible warning. Although it creates an archive copy, the primary memory file is still rewritten automatically, and any downstream agent or user expecting the original content may silently operate on lossy data.

Missing User Warnings

Severity: Medium
Confidence: 80%

Finding:
The store persists arbitrary memory content to multiple plaintext local files, including daily logs and per-skill Markdown files, without any consent flow, minimization, or access-control safeguards. In an agent-memory context, this can expose sensitive prompts, secrets, personal data, or operational context to other local users, backups, indexing tools, or later unintended reads.

Missing User Warnings

Severity: Medium
Confidence: 82%

Finding:
Lesson creation writes contextual data, outcomes, and insights directly to Markdown files on disk. Because this skill is specifically a long-term memory system for agents, those fields are likely to contain sensitive workflow details, internal reasoning summaries, or user data, making silent persistence more dangerous than in a generic note-taking tool.

Missing User Warnings

Severity: Medium
Confidence: 84%

Finding:
Entity tracking stores names and attributes to structured JSON and human-readable Markdown without any privacy boundary or warning. In this skill's context, entities may represent people, decisions, or other sensitive records, so silent durable storage increases the risk of privacy leakage, unintended profiling, and later exfiltration by other components or users on the same system.

Missing User Warnings

Severity: Medium
Confidence: 82%

Finding:
The `session-end` command persists arbitrary session summaries with only a generic success message, which can lead users or calling agents to store sensitive conversation content without meaningful notice or consent. Because summaries may contain credentials, personal data, or proprietary material, quiet persistence increases privacy and data-retention risk.

Ssd 3

Severity: Medium
Confidence: 84%

Finding:
The workflow encourages agents to persist broadly defined 'important information' and user-requested memory with little discussion of sensitivity boundaries, minimization, or exclusion of secrets and personal data. In a memory skill, this materially increases the risk of retaining credentials, private conversations, regulated data, or other sensitive context that may later be searched, exported, shared across agents, or exposed through logs and archives.

Ssd 3

Severity: Medium
Confidence: 95%

Finding:
The skill explicitly encourages frequent writing of 'key information', lessons, and conversation summaries into long-term memory, which can easily capture secrets, personal data, credentials, or sensitive business context in plain language. Because the storage is persistent, searchable, and designed for later retrieval across sessions and agents, accidental over-collection materially increases exposure and secondary-use risk.

Ssd 3

Severity: Medium
Confidence: 97%

Finding:
The scheduled daily session check tells the agent to review prior conversations and backfill a session summary if memory entries did not grow, creating an automated pathway for broad collection of past dialogue into durable storage. This increases the chance that sensitive content from earlier chats is copied into searchable memory without contextual necessity, user awareness, or filtering.

Ssd 3

Severity: Medium
Confidence: 87%

Finding:
`session-start` prints broad memory context, including recent facts, lessons, tags, and optionally full JSON, without scoping to least privilege or redacting sensitive entries. In an agent environment, this can expose unrelated historical memory into prompts, logs, terminals, or downstream tools, increasing data leakage and cross-session contamination risk.

Ssd 3

Severity: Medium
Confidence: 90%

Finding:
The `session-end` path stores arbitrary summaries derived from conversations, making it easy to persist attacker-controlled or sensitive user-provided content into long-term memory. This creates both privacy risk and a prompt-injection persistence channel, since later retrieval may surface malicious instructions or confidential data back into agent context.

Ssd 3

Severity: Medium
Confidence: 89%

Finding:
The `export` command emits the entire memory store as JSON in one response, enabling bulk disclosure of all accumulated facts, lessons, entities, and summaries. In this skill context, memory is likely to aggregate sensitive and cross-session data, so a single command substantially increases exfiltration impact if invoked by an untrusted agent flow or exposed interface.

Session Persistence

Severity: Medium
Category: Rogue Agent
Confidence: 78%

Content:
/**
 * Extract a lesson into a skill template.
 * @param {object} lesson - Lesson object from store
 * @param {string} outputDir - Where to write the skill (e.g., ~/.openclaw/skills/<name>)
 * @param {string} skillName - Skill name (slug)
 */
function extractSkill(lesson, outputDir, skillName) {

Finding:
write the skill (e.g., ~/.openclaw

VirusTotal

63/63 vendors flagged this skill as clean.
