Openclaw Skill Super Memory

Security checks across malware telemetry and agentic risk

Overview

This skill needs review because it persistently changes agent instructions across discovered workspaces and tells agents to save user habits and create scripts automatically.

Install only after reviewing the exact AGENTS.md block it will add and confirming you want all configured agents to follow it. Prefer running it in a test workspace first, and avoid using it where agents may handle sensitive personal, business, or credential-adjacent information unless you add explicit approval rules for MEMORY.md, TOOLS.md, and script creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Context-Inappropriate Capability

Medium (92% confidence)
The install instructions direct a system-wide change affecting all running agents, which is substantially broader than the stated function of improving memory or packaging a skill. Broad propagation increases blast radius: a single install can silently alter multiple agents’ behavior and create persistent instruction injection across environments.

Description-Behavior Mismatch

Medium (93% confidence)
The installer injects persistent operating instructions into AGENTS.md that go beyond simple memory maintenance and explicitly compel autonomous script creation and TOOLS.md modification. This expands the agent's authority and behavior surface in a way that can lead to unsupervised code generation, persistence, and execution pathways across future sessions.

Context-Inappropriate Capability

Medium (92% confidence)
The script enumerates all agent workspaces from openclaw.json and patches each discovered AGENTS.md, giving it broad cross-workspace reach unrelated to a minimally scoped memory feature. In skill context, this increases blast radius substantially because one installer run can alter multiple agents' future behavior and persistence settings at once.

Description-Behavior Mismatch

Medium (91% confidence)
This script performs network-affecting release actions by automatically committing local changes, pushing to GitHub, creating tags, and publishing externally to ClawHub. For a skill described primarily as long-term memory evolution, this is a scope expansion that can exfiltrate repository contents or propagate unintended changes if triggered in an automated agent context.

Context-Inappropriate Capability

Medium (89% confidence)
The script uses execSync to run shell commands for git operations and external publishing, giving the skill direct capability to modify repository state and communicate with remote services. Even though the interpolated version comes from package.json, the larger issue is that a memory-management skill contains powerful command-execution and publishing functionality that could be misused or accidentally invoked in environments with credentials configured.

Missing User Warnings

Medium (94% confidence)
The README explicitly instructs users to run an install script that scans configuration and modifies all active agents' `AGENTS.md` files, but it does not clearly foreground that this is a bulk prompt-patching operation with durable side effects. In the context of a skill that injects self-improvement and autonomous memory/skill-creation behavior into agent prompts, insufficient disclosure materially increases the risk of users applying invasive changes they do not fully understand.

Missing User Warnings

Medium (90% confidence)
The skill instructs autonomous writes to MEMORY.md and TOOLS.md without warning the user that persistent workspace files will be modified. This is risky because it normalizes silent state changes, can store sensitive or incorrect information, and may introduce unauthorized workflow changes that affect later sessions.

Missing User Warnings

Medium (94% confidence)
The install command invokes a Node script that can patch agents system-wide without any scope, privilege, or impact warning. An installer with hidden breadth can be abused to propagate unsafe instructions, create persistent modifications, and surprise users who expect only local setup behavior.

Missing User Warnings

Medium (95% confidence)
The installer writes modified AGENTS.md content directly without an interactive confirmation or clear pre-change summary. Silent mutation of agent instruction files is dangerous because it hides persistent behavioral changes from the operator and makes unauthorized or accidental policy expansion harder to detect.

Natural-Language Policy Violations

High (88% confidence)
The injected content is written in Vietnamese and uses mandatory language such as 'BẮT BUỘC', effectively imposing a specific locale and instruction framing on all patched agents without user choice. This can alter agent usability, operator comprehension, and downstream behavior, especially where maintainers do not read the injected language well enough to audit the change.

Vague Triggers

Medium (91% confidence)
The package description explicitly advertises autonomous long-term memory updates and self-evolving skill synthesis, but it does not define boundaries, triggers, or operator approval requirements. In an agent skill ecosystem, vague autonomous behavior increases the risk of unintended persistence, hidden state manipulation, and unsafe self-modification because users and orchestrators cannot reliably predict when the skill will act.

Missing User Warnings

Medium (94% confidence)
The manifest description fails to warn that the skill can modify persistent memory and autonomously synthesize or evolve skills, which are high-sensitivity capabilities in an agent environment. Without a clear warning, users may install or invoke the skill without understanding that it can create durable state changes and potentially expand its own capabilities over time.

Ssd 3

Medium (93% confidence)
The skill directs the agent to persist user behavior and system-derived information into long-term memory by default. This creates privacy and data-governance risk because sensitive preferences, workflow details, or internal system information may be retained without minimization, review, or consent.

Ssd 3

Medium (94% confidence)
The self-reflection loop explicitly tells the agent to remember user habits and store them in persistent memory. Persisting inferred user habits is dangerous because it enables behavioral profiling, may capture sensitive patterns unintentionally, and can influence future actions based on data the user did not knowingly authorize to retain.

Ssd 3

High (97% confidence)
The instructions require the agent to automatically persist user preferences, habits, and session-derived details into MEMORY.md. This is a privacy and data-governance risk because it encourages collection and long-term retention of potentially sensitive personal information without clear consent, minimization, or retention controls.

Ssd 3

High (96% confidence)
The self-reflection loop explicitly tells the agent to record what it learned about the user into persistent storage, reinforcing ongoing behavioral profiling across sessions. In this skill context, that makes the risk more serious because the installer embeds the collection behavior into the agent's operating instructions, turning ad hoc memory into a persistent default.

VirusTotal

63/63 vendors flagged this skill as clean.
