Security audit

Clawhub Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real memory engine, but it exposes and processes sensitive personal memory too broadly for the way it is described.

Install only after reviewing the privacy and exposure tradeoffs. Use it in an isolated environment first, bind the API to localhost or firewall it, avoid storing sensitive memories, leave remote LLM/CLI features disabled unless needed, rotate/remove the benchmark API key if you publish or fork it, and regularly inspect/delete data under the cc-soul and OpenClaw data directories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (400)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises capabilities that imply access to environment variables, network communication, and shell execution, yet declares no corresponding permissions. This creates a trust and sandboxing gap: users and hosts may underestimate the skill's reach, while the documented startup flow and optional LLM integration show realistic paths to local process execution and outbound requests. In a memory-oriented skill handling sensitive conversations, undeclared capabilities materially increase risk.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The README presents the service as a minimal two-endpoint memory engine, but elsewhere documents substantially broader assistant behaviors such as reminders, goals, dashboards, persona switching, and proactive interventions. This scope mismatch can mislead users and integrators about what capabilities are active, which increases the risk of unintended data handling or agentic behavior being enabled without informed consent.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest frames the package as a memory engine, but the README advertises broad life-assistant and agentic functions unrelated to passive memory storage. That discrepancy undermines informed deployment decisions and may cause operators to grant trust, permissions, or data access under an incomplete understanding of the system's behavior.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The documentation claims 'Nothing ever leaves your machine. No telemetry,' yet the same README documents optional remote LLM providers such as OpenAI, DeepSeek, and Anthropic. Even if optional, this absolute privacy claim is materially misleading because user memories or queries may be transmitted off-device when LLM features are configured.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The benchmark states 'External API calls: 0 (pure algorithm)' while the product also promotes optional remote LLM integrations. Although this may describe a benchmark configuration, the lack of qualification can mislead users into believing the product never makes remote calls, creating privacy and compliance risk.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The module marketed as a local memory engine conditionally invokes an external LLM/CLI to translate seed words and generate synonym tables, which expands the trust boundary beyond local processing. This is dangerous because user-derived content is sent to another subsystem/process without an obvious consent gate here, creating privacy and data-flow risks inconsistent with the stated capability.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The recall path conditionally escalates to an external CLI/LLM when local retrieval is weak, even though this file belongs to a memory engine. That creates an undeclared trust-boundary crossing: raw user query content is sent to another component/process, which can violate least privilege and surprise operators who expect purely local memory lookup.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The code calls spawnCLI during recall, meaning a user query can trigger an external process invocation in a high-frequency code path. Even if the current prompt string is hardcoded, this expands the attack surface from in-memory retrieval to process execution and any downstream CLI/plugin behavior, which is disproportionate for a memory engine and can enable data leakage or unsafe side effects.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The code does more than maintain memory: it constructs prompts that explicitly generate replies as a specific person, using learned relationship, emotion, memory, and style data. This enables impersonation and deceptive communication, which is materially riskier than the skill metadata’s 'memory engine' description suggests.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This section prompts an LLM to infer 'deep soul' attributes such as regrets, hidden feelings, fears, values, and contradictions from ordinary chat messages, then stores them as memories. That exceeds a generic memory function and creates sensitive psychological profiling with significant privacy and misuse risk.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code extracts social relationships, contact context, and personality-related vocabulary from user messages and stores them in persistent profiles. This is broad interpersonal profiling not required for a basic memory engine and can expose sensitive social graphs and behavioral traits if misused or breached.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The prompt says the model is 'not imitating' or 'roleplaying' but 'becoming' the person, even though the surrounding code is clearly constructing a persona simulation. That framing increases deception risk by encouraging the system to suppress uncertainty and present synthetic responses as authentic human identity.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The benchmark supports an LLM mode that sends recalled conversation memories and questions to third-party providers, which materially expands the skill's data-handling and trust boundary beyond a local 'memory engine'. In a benchmark file this may be optional, but it still creates a real exfiltration path for conversation content and can mislead users who assume the project is purely local/offline.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code returns a built-in API key when no provider-specific environment variable is set, embedding credential material directly in source and enabling outbound use of an unrelated external service. Hardcoded secrets are unsafe because anyone with source access can reuse the key, incur cost, or abuse the linked account, and users may unknowingly trigger third-party requests.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The benchmark hard-codes a very large corpus of highly specific personal-profile records, including work, family, health, finances, and relationships, and then processes them as if they were normal benchmark inputs. Even if synthetic, this normalizes handling of richly identifiable personal data in code and creates a strong risk of accidental reuse with real data, repository leakage, or downstream exposure in logs and test artifacts.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The benchmark explicitly exercises recall over sensitive categories such as medical conditions, medications, income, assets, family members, pregnancy, and relationship status. In a memory-engine context, this is more dangerous because it tests and thereby encourages retention and retrieval of the exact classes of data that are most privacy-sensitive and high-value for profiling, social engineering, or misuse.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code reads an Anthropic API key from an external config source outside the primary declared configuration path, creating a hidden credential dependency and an undeclared outbound provider path. This increases the chance that users or integrators unknowingly send prompts to Anthropic using ambient credentials present on the host.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The compression routine pulls per-user profile data from person-model.ts and uses topDomains to bias what content is retained. That expands the module from generic context compression into profile-based personalization, creating a privacy and scope-creep issue: sensitive inferred interests can influence processing without being obvious from the module interface or stated purpose. In a memory engine skill, this is more concerning because the surrounding system likely handles large amounts of persistent user context, making hidden cross-feature data use easier to miss and harder to audit.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code sends an owner-directed DM when self-checking flags a low-quality response, and the message includes derived information about the just-produced answer. Even if it does not include the full raw conversation here, it creates an undisclosed out-of-band reporting channel from user interactions to a third party, which is a privacy and data-governance risk in an agent skill.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
`afterTurn()` unconditionally calls `killGatewayClaude()` after every turn, forcibly terminating an external gateway/process regardless of context. This creates a built-in denial-of-service primitive that can disrupt availability, interfere with other integrations, and produce unsafe side effects if the gateway is shared or expected to remain running.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The code parses file paths directly from user messages, checks existence, and reads those local files into the generated context. This enables unintended local file exfiltration from any path the process can access, which is especially dangerous because the skill is described as a memory engine rather than a file-inspection tool, so users and integrators are unlikely to expect this behavior.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The async context builder automatically fetches URLs found in user input and incorporates page content into context. This creates an unexpected outbound network capability that can leak metadata, contact attacker-controlled servers, and be abused for SSRF-style access to internal resources depending on the runtime environment.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The code launches a local grep subprocess over the current working directory based on symbols inferred from user input. Even though execFileSync avoids shell injection and the symbol is sanitized, this still grants the skill an undisclosed capability to enumerate and extract snippets from the local codebase, potentially exposing sensitive source, secrets, or proprietary logic.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This module goes well beyond a neutral 'memory engine' and derives behavioral and psychological traits such as stress, cognitive load, unspoken needs, growth trajectory, and say/do inconsistencies from chat history. That creates a sensitive profiling capability not clearly disclosed by the skill metadata, and the generated context is explicitly used to steer future responses and interventions, increasing privacy and manipulation risk.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code infers sensitive mental-state indicators from message length, stress words, punctuation, late-night activity, and interaction cadence, then computes phases like 'accumulating' and predicts 'turnsToBreakdown'. In a general memory assistant context, this is dangerous because it creates unsupported psychological inferences and can bias downstream model behavior toward covert emotional intervention or harmful misclassification.

VirusTotal

66/66 vendors flagged this skill as clean.