Ask To Remember

Security checks across malware telemetry and agentic risk

Overview

This preference-memory skill appears purpose-aligned, but it persistently changes future agent behavior and stores local preference logs without strong user-controlled boundaries.

Install only if you want the agent to proactively ask preference questions and reuse the answers in future sessions. Before installing, be comfortable with changes to AGENTS.md or ~/.openclaw hooks and with local files such as MEMORY.md, atr-state.json, and atr-log.jsonl storing preference history. Avoid answering with sensitive information, and review or remove those files and hook entries if you want to disable or reset the behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill’s manifest presents it as a lightweight, non-blocking follow-up mechanism, but the implementation adds persistent state management, memory writes, logging, and bootstrap prompt injection. This mismatch is security-relevant because it hides materially broader behavior from reviewers and users, increasing the chance that persistent data collection and host modification occur without informed approval.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This section instructs the agent to persistently modify host configuration/prompt files despite the skill being described as only appending a brief question to a response. Persistent prompt injection into AGENTS.md changes future agent behavior across sessions, which is a materially more powerful capability than the declared purpose and can bypass normal review expectations.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The documented behavior creates and maintains durable state, memory, and logs for user interactions, which exceeds the narrowly scoped description of asking one low-friction follow-up. Even if intended for product functionality, this expands data retention and attack surface by storing interaction outcomes and inferred preferences across sessions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill includes instructions to install user-level hooks and copy files into a managed hooks directory, creating startup-time persistence unrelated to merely asking a preference question. Hook installation can alter agent behavior on every future run and is especially dangerous because it establishes durable execution paths outside the immediate skill invocation.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The hook documentation describes injecting ask-to-remember logic and Phase B resolution rules into every main-session agent bootstrap, which materially broadens the skill from an opportunistic one-question follow-up into persistent prompt-level behavior. Prompt-wide injection increases the chance the skill runs outside its intended narrow scope, creates hidden behavioral coupling, and can cause unsolicited memory-capture behavior across unrelated interactions.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
Saying main-session-only behavior is enforced by prompt rather than code means the key safety boundary depends on an instruction layer that can be bypassed, omitted, or conflicted by other prompts or integrations. Because this skill is designed to capture user memory, failure of that boundary could lead to memory solicitation in shared or inappropriate contexts, creating privacy and policy violations.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger criteria are broad enough that the skill may activate in many ordinary conversations whenever there is a plausible reusable gap. In context, that broad scope increases the volume of preference probing and persistent collection, making privacy overreach and unnecessary state accumulation more likely.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The hook injects operational instructions that direct the agent to write to MEMORY.md, atr-state.json, and atr-log.jsonl during bootstrap, but there is no accompanying disclosure or user-facing consent mechanism in this code path. Because the skill is specifically about persisting user preferences across conversations, silently adding file-writing behavior increases privacy and transparency risk, especially when memory capture is non-obvious to the user.

Ssd 3

Medium
Confidence
90% confidence
Finding
The skill is explicitly designed to persist user preferences and interaction metadata across conversations, including asked questions and outcomes. In context, this is risky because even non-sensitive preference capture can accumulate into a behavioral profile, and the manifest does not foreground the full retention and logging implications.

Ssd 3

Medium
Confidence
92% confidence
Finding
The injected prompt instructs the agent to extract reusable facts from replies and write them to MEMORY.md while also recording outcomes in logs. Because this logic is inserted into the agent’s standing instructions, it can silently normalize ongoing cross-session collection and make future memory writes happen automatically without fresh scrutiny.

Session Persistence

Medium
Category
Rogue Agent
Content
Copy the files under the `hooks/openclaw/` directory into the managed hooks directory:

```bash
mkdir -p ~/.openclaw/hooks/ask-to-remember
cp hooks/openclaw/HOOK.md hooks/openclaw/handler.js ~/.openclaw/hooks/ask-to-remember/
```
Confidence
96% confidence
Finding
mkdir -p ~/.openclaw/hooks/ask-to-remember cp hooks/openclaw/HOOK.md hooks/openclaw/handler.js ~/.openclaw

VirusTotal

64/64 vendors flagged this skill as clean.
