Cross Channel Memory

Security checks across malware telemetry and agentic risk

Overview

The skill does what it says, but it links identities and persists conversation memory across channels and agents without enough verification, consent, or path-safety controls.

Install only if you intentionally want shared identity and memory across channels and agents. Before use, require explicit user/admin approval for identity links, disable or constrain auto-create behavior, validate agent/account/session IDs, replace the hardcoded home path with a configured path, and define how users can inspect, delete, or opt out of stored memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs use of shell commands plus reading and writing shared files under ~/.openclaw, but declares no permissions or guardrails. That mismatch is dangerous because it hides powerful capabilities from any permission-review layer and increases the chance of unauthorized filesystem access or unsafe execution in deployment.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file is presented as a lookup tool, but it also includes add_mapping(), which mutates the authoritative cross-channel identity store on disk. Mixing read and write/admin behavior into a lookup utility increases the chance that higher-level components invoke it with more privilege than intended, enabling unauthorized persistence of identity links and downstream memory exposure across channels.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The CLI exposes an --add mode that allows arbitrary binding of a channel user ID to any unified identity without any authentication, integrity checks, or proof of ownership. In a cross-channel memory system, a forged link could let an attacker associate themselves with another person's unified identity and gain access to that user's shared memories or cause data contamination.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly promotes global user mapping and cross-channel memory sharing across QQ, Feishu, and multiple agents, but provides no consent, minimization, access-control, or privacy-boundary guidance. This creates a real privacy/security risk because identity linking and shared memory can expose sensitive conversation history across channels and agents in ways users may not expect.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill is explicitly designed to correlate identities across QQ and Feishu and reuse memories across channels, yet it provides no user-facing consent, notice, or opt-in process. This creates a real privacy vulnerability because users may reasonably expect channel separation, and cross-context linkage can expose personal data beyond the scope in which it was originally shared.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script persists cross-channel identity mappings immediately to disk during add operations without any explicit warning, confirmation, or transaction safeguards. Because these mappings govern identity resolution and memory sharing, silent persistence can create durable privacy and authorization issues from accidental or unauthorized linkage.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This function persistently writes raw conversation content, channel identifiers, user identifiers, and agent/account linkage into local memory files without any consent, minimization, retention control, or sensitivity filtering. In a cross-channel memory skill, that is especially dangerous because it links identities across platforms and can expose private conversations far beyond the user's expectations if the workspace is later accessed, synced, or reused by other agents.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The mapping file stores durable identity-linkage data connecting per-channel user IDs to a unified identity and agent account, then overwrites that file with no confirmation, audit trail, validation, or access-control checks. In this skill's context, that is highly sensitive because unauthorized or accidental updates can mis-link users across channels, causing privacy violations, memory poisoning, or disclosure of one person's history to another.

Ssd 3

High
Confidence
98% confidence
Finding
The document promotes unified storage and cross-channel querying of conversation history in plain language, enabling user-provided content from one channel to be disclosed in another. In this context, the feature itself expands the disclosure boundary and can leak sensitive information to agents or channels the user did not intend to involve.

Ssd 3

High
Confidence
99% confidence
Finding
The stated feature of automatically synchronizing writes to all associated agents is a broad data propagation mechanism. If one agent or workspace is less trusted or differently scoped, private conversation content can be replicated widely without user awareness, increasing exposure and breach impact.

Ssd 3

High
Confidence
97% confidence
Finding
The documented write flow stores user dialogue content and associates it with a unified identity, after which the skill indicates it will be synchronized to linked agents. That creates a concrete path for persistent storage and onward disclosure of user messages beyond the immediate conversation context.

Ssd 3

High
Confidence
99% confidence
Finding
The operational steps explicitly direct the system to sync stored user memory to every related agent, which is effectively bulk transmission of personal data. In a multi-agent environment, this magnifies the blast radius of mistakes, over-collection, and unauthorized access.

Session Persistence

Medium
Category
Rogue Agent
Content
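Write the conversation record into the specified agent's memory:

```bash
python3 ~/.openclaw/skills/cross-channel-memory/scripts/memory_sync.py write \
  --channel qqbot \
  --id "QQ_USER_ID" \
  --account coder \
  --type user \
  --content "我想学习 Python 编程" \
  --timestamp "2026-03-13T08:30:00"
```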
Confidence
87% confidence
Finding
write \ --channel qqbot \ --id "QQ_USER_ID" \ --account coder \ --type user \ --content "我想学习 Python 编程" \ --timestamp "2026-03-13T08:30:00" ``` ### Step 4: Read memory Use the built-in tool to read memory: ``` memory_sea

VirusTotal

66/66 vendors flagged this skill as clean.
