Memory Sync

Security checks across malware telemetry and agentic risk

Overview

The skill broadly matches its memory-sync purpose, but it can gather private agent history/config files and push generated memory data through Git, so it belongs in Review before install.

Install only if you are comfortable with local agent conversations, profile/rule files, skill inventories, and generated memory summaries being copied into an Obsidian vault. Before using Git sync, review the generated files, use a private repository, and consider setting GIT_PUSH_ENABLED=false. Avoid running conversations scan --all and ingest --project on untrusted repositories unless you understand the data and execution exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    def run_in_dir(self, cwd: Path, args: list[str]) -> subprocess.CompletedProcess[str]:
        # Runs args as an argument list (no shell=True), but inside whatever
        # project directory cwd points at, with stdout/stderr captured.
        return subprocess.run(
            args,
            cwd=str(cwd),
            text=True,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
        )
Confidence
83% confidence
Finding
return subprocess.run( args, cwd=str(cwd), text=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, )

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill aggregates local agent configs, rule files, and memory sources into a synthesized user profile and shared context. That materially expands collection beyond conversation sync and can expose sensitive preferences, project metadata, private rules, and potentially secrets from local configuration into Obsidian/Git outputs, increasing privacy and exfiltration risk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code inventories installed skills across multiple agent ecosystems, including user, system, plugin cache, AppData, and extension directories, then copies metadata and local paths into vault outputs. This broad host enumeration can disclose installed tooling, filesystem layout, and private local capabilities unrelated to the stated sync task, and may later be committed or shared.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
Autopilot can automatically invoke sync flows that culminate in git commit and optional push, which can publish generated memory, profile, and inventory artifacts without an interactive confirmation step. In this skill context, those artifacts may contain cross-agent context and local metadata, so automatic publication is more dangerous than a normal developer convenience feature.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly promotes archiving local agent conversations and generating an evidence-backed user profile, but it does not warn that these inputs can contain highly sensitive material such as credentials, private messages, API keys, proprietary code, health data, or personal preferences. In the context of a cross-agent memory system, omission of privacy and sensitivity guidance increases the likelihood that users will ingest and persist sensitive data into Obsidian, Git history, and downstream exports without informed consent or redaction.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README states that memory assets can be synced through Git/GitHub without warning that stored memories, conversation archives, profiles, and context exports may contain private or regulated data. Because Git creates durable history and GitHub may involve remote replication and broader access, users could inadvertently exfiltrate sensitive information to repositories where removal is difficult and prior commits remain recoverable.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The generic auto-retrieval template uses very broad triggers like memory, context, history, previous, and common Chinese equivalents. In practice this can cause the skill to activate during ordinary conversation and pull or expose archived data when the user did not intend a memory lookup.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The OpenClaw example similarly recommends a large trigger-word list overlapping with everyday speech, increasing accidental invocation risk. Because the skill is designed to search retained conversation and profile data, unintended activation can surface sensitive historical context unnecessarily.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The default prompt advertises a very broad set of actions including syncing memory, importing candidates, exporting context from multiple tools, searching, and Git sync, without clear trigger boundaries or consent requirements. In a skill that handles cross-agent memory and archive data, this increases the chance of unintended invocation or overbroad execution that could copy, expose, or modify sensitive user data beyond what the user expected.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill description and default prompt describe syncing, exporting, indexing, and Git version sync across multiple conversation archives, but they do not warn the user that these actions may move sensitive conversation history into other storage systems or repositories. Because the skill's purpose is large-scale memory aggregation and export, the missing warning materially increases the risk of privacy breaches, accidental retention, and unintended publication of sensitive data.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list includes very broad, common words such as 'remember', 'memory', 'previous', 'context', and equivalent terms in multiple languages. In a memory-sync skill, this can cause unintended activation during ordinary conversation, potentially exposing or syncing sensitive history when the user did not explicitly request it.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The project handoff path executes subprocesses against an arbitrary target project to probe commands and git state without a prominent warning or confirmation. That creates an unnecessary code-execution surface on untrusted repositories during what should be a read-only summarization workflow.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Git sync stages files, commits them, and may push to a remote automatically, with no in-code confirmation prompt. Because this skill collects memory, profiles, local paths, and agent metadata, an accidental or policy-triggered push could leak sensitive information to remote repositories.

Ssd 3

High
Confidence
96% confidence
Finding
These instructions centralize daily memories, agent knowledge files, conversation archives, dashboards, and exported context into shared human-readable outputs. That design materially increases the risk of semantic data leakage because sensitive content from multiple tools and agents is copied into a broader, searchable surface area.

Ssd 3

High
Confidence
95% confidence
Finding
The review workflow explicitly encourages retaining evidence and promoting preferences, constraints, path changes, and even credential-related changes into durable memory/context layers. Even if intended as productivity memory, this can transform transient sensitive details into persistent, searchable artifacts that are later exposed through dashboards, context exports, or git sync.

Ssd 3

High
Confidence
96% confidence
Finding
The handoff and conversation-ingest instructions tell agents to capture session state, failed attempts, files changed, preferences, constraints, and local archives, then refresh shared context outputs. This creates a broad exfiltration path from local chat histories and agent state into centralized stores that may be more widely readable or synchronized via git.

Ssd 3

Medium
Confidence
91% confidence
Finding
Copying rule files, config files, and skill inventories from multiple agents into centralized personal knowledge stores can expose local configuration, filesystem layout, embedded tokens, or sensitive instructions. The aggregation itself increases discoverability and blast radius even if the original files were only locally accessible.

VirusTotal

49/49 vendors flagged this skill as clean.
