ClawHub

BeastXA Memory Pro

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a local memory helper, but its installer makes persistent global OpenClaw changes and scheduled background edits without enough user control or warning.

Review the installer before running it. Treat this as a persistent, global OpenClaw behavior change, not just a Markdown helper: confirm exactly which cron jobs and config entries it adds, how to disable them, and whether its memory rules exclude secrets, credentials, personal data, and private chat content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and instructs file read/write behavior but does not declare corresponding permissions, which weakens user consent and platform enforcement around what the skill can access or modify. In this context, the skill manages persistent memory files and mentions config changes, so undeclared filesystem capabilities are materially relevant rather than incidental.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior exceeds the stated purpose by modifying the user's global OpenClaw configuration and creating cron jobs while claiming 'zero external dependencies' and implying a simple local Markdown-only setup. This mismatch can mislead users into granting trust or installing the skill without understanding that it persists changes outside the workspace and establishes ongoing automated execution.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The installer modifies the user's global OpenClaw configuration by adding compaction and memoryFlush behavior, which affects all agents rather than only this skill. That is security-relevant because it silently changes persistent agent behavior and can broaden data retention or alter future sessions beyond the local workspace scope described by the skill.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The installer creates persistent scheduled cron jobs in OpenClaw, which is broader than setting up local Markdown files and introduces autonomous future execution. Even if intended for maintenance, this creates ongoing behavior that can read and rewrite memory files without an explicit per-user approval step.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README directly instructs users to execute an installation script with 'bash scripts/install.sh' while presenting it as quick and automatic, but it does not warn that the script may make persistent system changes such as cron installation. In this skill's context, that omission is more dangerous because the advertised behavior explicitly includes daily and weekly scheduled maintenance, so users are being encouraged to run code that likely alters local automation state without clear disclosure at the point of execution.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The FAQ normalizes installation side effects by saying the skill 'only creates files and cron jobs' without clearly warning that cron jobs are persistent automation that will continue running and modifying local files after installation. In a memory-management skill, that ongoing behavior is expected, but failing to disclose persistence and recurring file changes can mislead users about operational risk and make unintended background modifications harder to notice or audit.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Describing weekly trimming and daily logging as normal maintenance without a prominent warning obscures that automated cron activity will repeatedly alter existing files. Even though the skill is framed as local-only and memory-focused, silent recurring modification of user-maintained Markdown can cause data integrity issues, surprise state changes, or difficulty attributing edits if users do not fully understand the automation model.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The quickstart tells users to run an installer that creates daily and weekly cron jobs, which are persistent system-level changes, but it does not clearly warn that scheduled tasks will be installed or require explicit informed consent before doing so. This is dangerous because users may execute the setup expecting a one-time local configuration step, while the skill silently establishes ongoing background behavior that can continue modifying files and consuming trust long after installation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script modifies ~/.openclaw/openclaw.json and creates scheduled cron jobs without an explicit warning or confirmation gate. Silent persistent changes are dangerous because users may believe they are installing a local memory helper while actually enabling global behavioral changes and autonomous recurring tasks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document promotes an installation flow that automatically creates daily and weekly cron jobs without clearly warning users that this will modify their scheduled tasks and cause recurring background execution. Even though the described behavior is local-only, silent persistence via cron can surprise users, create operational risk, and normalize unattended code execution from a third-party skill.

Ssd 3

Medium
Confidence
98% confidence
Finding
The compaction instructions explicitly retain the user's verbatim instructions and all non-tool user messages, which can capture secrets, personal data, or sensitive operational details far beyond what a memory system needs. This creates a durable data-retention surface that can later be exposed through prompts, summaries, or file access by the agent.

Ssd 3

Medium
Confidence
94% confidence
Finding
The memoryFlush prompt instructs the agent to store 'durable memories' into dated files but provides no sensitivity boundaries or exclusion criteria. In practice, that can cause the agent to persist confidential user content, secrets, or internal project details to disk during compaction, increasing long-term leakage risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal