Memory Mesh Core

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because it can keep running on a schedule, update installed skills, and publish memory-derived content externally.

Install only if you want a memory tool that may run on a schedule, update local skills, and share memory-derived summaries. Keep auto-update and automated posting disabled unless you trust the subscribed sources, have reviewed the generated JSON/Markdown outputs, and are comfortable with posts being made through your GitHub or browser identity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

MCP Least Privilege

Medium
Confidence
94% confidence
Finding
The skill advertises substantial capabilities including filesystem access, shell execution, networking, scheduling, and outbound posting, yet the manifest shown does not declare permissions or present a clear capability boundary. This is dangerous because users and any permission-enforcement layer cannot accurately assess or constrain what the skill may do, especially given the presence of recurring execution and external communication.

MCP Tool Poisoning

High
Confidence
97% confidence
Finding
The documented behavior goes beyond memory consolidation into auto-updating subscribed skills, modifying scheduling, bootstrap sync on install, browser/OpenClaw posting, and growth-oriented promotion. That mismatch weakens informed consent and can conceal security-relevant actions that change the local environment or transmit data externally, making the skill materially more dangerous in context.

Context-Inappropriate Capability

Medium
Confidence
79% confidence
Finding
The script does more than configure a cron job: with --run-now it immediately executes the scheduled memory-mesh cycle, turning setup into active task execution. In this skill context, that is more sensitive because the scheduled message includes external issue-processing behavior and optional GitHub comment posting, so a user invoking setup may unintentionally trigger networked side effects right away.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script automatically installs or force-updates skills from external sources during a memory synchronization workflow, which expands its behavior from passive sync into remote code/package modification. In this context, that is dangerous because subscribed_skills and remote metadata can cause unreviewed code to be pulled into the local workspace, increasing supply-chain and unexpected-execution risk.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script creates and can immediately execute a browser-automation cron job that posts a public promotional comment to a skill page. That behavior exceeds the stated memory-management purpose and introduces an undisclosed external side effect: autonomous public posting on behalf of the user/workspace, which can be abused for spam, unwanted account actions, or reputational harm.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest advertises optional automated issue posting, but the implementation instead prepares a public comment on a ClawHub skill page promoting the skill. This mismatch is security-relevant because it conceals the real side effect from users and reviewers, undermining informed consent and making the automation more deceptive than advertised.

Context-Inappropriate Capability

Low
Confidence
92% confidence
Finding
The report embeds promotional call-to-action strings encouraging installation, starring, and referral activity unrelated to the core task of posting vetted contributions. In an agent skill, this creates incentive-shaping behavior and can nudge autonomous or semi-autonomous systems toward growth actions a user did not explicitly request.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README describes automatic remote querying, auto-updating local copies, and pulling external feeds without clearly warning users about privacy, integrity, and supply-chain risks. In a memory-sharing skill, these actions can expose locally derived data, import untrusted content, or change local behavior automatically, making the weak disclosure materially dangerous.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README provides GitHub export and posting commands for memory-derived content without prominently warning that data may be transmitted to a public external service. Given this skill processes cross-session memory, users may unknowingly publish sensitive operational details, internal context, or residual private information despite the stated filtering claims.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill describes optional automated GitHub posting and scheduled posting but does not give a strong, explicit warning that local memory-derived content may be sent to third-party services on a recurring basis. In a memory-sharing skill, that omission is especially risky because cross-session memory can contain sensitive operational context even if simple secret-pattern filters are present.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Automatic installation and forced updates occur without any user-facing warning, confirmation, or dry-run mode. In a skill intended for memory consolidation, silently modifying installed skills is risky because users may not expect package changes and could unknowingly import compromised or incompatible remote content.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script inspects local GitHub authentication status and token scopes and returns that information in its output without any prior user-facing disclosure or consent prompt. In an agent-skill context, this is sensitive environment introspection because it reveals credential presence and permission level, which can aid profiling of the user's system and available GitHub capabilities.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script performs authenticated GitHub API calls using whatever local gh credentials are configured, but it does so without clear disclosure that running the self-check will contact GitHub and may reveal repository and account access information. In the context of an installable agent skill, undisclosed outbound authenticated requests increase risk because users may not expect local credentials to be exercised merely to validate contribution readiness.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script automatically extracts candidate text from workspace memory files and persists that content into several JSON and Markdown outputs under memory/memory_mesh without any consent, notice, or opt-in gate. Although it includes some secret/PII pattern checks, those checks are heuristic and incomplete, so sensitive internal notes, business context, or unrecognized secrets can still be replicated into additional files, increasing exposure and retention.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The script writes a detailed run summary to workspace-local disk without any runtime disclosure or consent prompt. That summary includes operational metadata such as issue URLs, execution results, and possibly error fragments propagated from child scripts, which can unintentionally persist sensitive workspace or environment details.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When --post-issue-comments is enabled, the script can publish contribution content to a public GitHub issue without any interactive confirmation or execution-time disclosure in this file. In a memory-sharing skill, that increases the risk of unintentionally exfiltrating locally consolidated data or derived summaries to an external service.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code assembles a message instructing OpenClaw to use browser automation to post a comment, then schedules it without any user-facing confirmation in the script. Because the action is public and account-affecting, lack of explicit confirmation materially increases the risk of unauthorized or unexpected posting, especially in agentic environments where skills may be run non-interactively.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script can publish GitHub issue comments as a side effect using local gh authentication, but the interface provides only a generic description and no strong affirmative confirmation before network posting. In agent contexts, hidden or weakly disclosed external writes are risky because they can cause unintended public actions, data disclosure, or spam if invoked automatically.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal