OpenClaw Memory System

Security checks across malware telemetry and agentic risk

Overview

This memory skill is useful and mostly disclosed, but it needs review because it automatically stores conversation data while also adding under-scoped external embedding, local API, and autonomous payment features.

Install only after reviewing the privacy and payment behavior. Prefer local embeddings, avoid storing secrets, do not give an agent a funded wallet for this skill without strict human approval and spending limits, and keep the dashboard/API off exposed networks until authentication and stronger access controls are added.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (44)

Lp3

Medium
Category
MCP Least Privilege
Confidence
75% confidence
Finding
The skill advertises capabilities that imply shell, environment, and network access, yet no permissions are declared in the manifest. This weakens user consent and review because operators cannot easily tell that the skill may execute commands, access environment variables, or communicate externally, which is especially sensitive for a memory system handling user facts and preferences.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The stated purpose focuses on persistent memory, but the described behavior also includes a web dashboard, payment flows, subscription/license enforcement, and optional third-party embedding API calls. This mismatch can mislead users about the true attack surface, particularly because a memory skill may process sensitive data and then expose it via HTTP endpoints or transmit it to external providers.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The document introduces autonomous payment capability as part of a memory skill, which is a materially different and higher-risk capability than persistence or search. Blending financial actions into a non-financial skill increases the chance an agent or operator enables wallet spending without understanding that the skill can trigger irreversible transactions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The integration example instructs autonomous agents to evaluate, initiate, and verify blockchain payments from their own wallets based on local heuristics. In the context of a memory tool, this is dangerous because it normalizes self-directed spending and can cause unauthorized or poorly governed fund transfers for a feature upgrade unrelated to the core memory function.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The documentation admits the MVP trusts user-reported transaction hashes rather than independently verifying payment on-chain, yet frames the flow as payment verification. This permits fraudulent activation of paid features, license abuse, and unreliable financial state because a supplied tx hash may be invalid, unrelated, or not sent to the intended recipient.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The implementation summary shows the skill includes payment processing, license granting, and subscription management in addition to memory functionality. This is dangerous because it materially expands the trust boundary and attack surface beyond the declared purpose of a memory skill, increasing the risk of hidden monetization logic, wallet handling issues, and unauthorized financial workflows.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The codebase description includes licensing, payment verification, and revenue/statistics features that are not justified by core memory management. In context, this is dangerous because a memory skill gains authority over wallet-linked subscription state and financial logic, creating unnecessary exposure to fraud, abuse, and deceptive functionality hidden inside a seemingly unrelated capability.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The README makes a strong privacy claim that 'nothing [is] sent to external servers,' yet the documented default embedding provider is OpenAI, which necessarily sends text to a third-party API unless local-only mode is selected. This mismatch can cause users to unknowingly expose sensitive conversation-derived memory content, including preferences, facts, and potentially secrets, under false assumptions about data locality.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This migration adds payment-processing tables and support for agent wallet addresses, transaction hashes, verification state, and tier-granting logic, which materially expands the skill beyond its declared long-term memory purpose. In a memory-focused skill, introducing autonomous payment infrastructure increases attack surface and enables monetization or external-value transfer capabilities that are not justified by the stated functionality, making abuse or hidden billing behavior more dangerous.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The schema explicitly describes enabling AI agents to autonomously pay for a Pro tier, storing agent_wallet values and tracking pending and completed transactions. Autonomous payment capability is highly sensitive and unjustified in a memory skill, because it introduces the possibility of unauthorized purchases, covert monetization, and financial abuse in a context where users would reasonably expect only persistence of preferences and facts.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The package metadata advertises capabilities beyond the stated memory purpose, including x402 payments and agent-economy features. In a skill that persists user context across sessions, hidden or expanded monetization/payment functionality increases attack surface and creates a trust and scope mismatch that could lead to unexpected network, billing, or data-handling behavior.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code explicitly extracts and stores information from agent responses via extractFromResponse(), including code blocks and structured lists. In a long-term memory skill, this expands retention beyond user preferences into potentially sensitive assistant-generated content, which can include secrets, proprietary snippets, or prior-context data that was never meant to become persistent memory.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This CLI exposes license checking and paid subscription flows that are outside the core stated purpose of a memory skill. Expanding a memory component into billing and entitlement management increases attack surface and can mislead users into sharing wallet and payment details with a tool they expected only to store/retrieve memory.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The payment workflow is not necessary for basic memory functionality yet prompts the user to send funds and verify a transaction. In a skill context, bundling monetization with operational commands creates phishing-like risk, especially because users may trust the skill to handle only memory and not financial operations.

Description-Behavior Mismatch

High
Confidence
72% confidence
Finding
This file persists payment requests and transactions inside a skill advertised as long-term memory, materially expanding the trust boundary and the sensitivity of stored data. In agent ecosystems, undisclosed payment handling increases risk because downstream integrators may grant the skill access intended only for memory functions, enabling unintended financial workflow coupling or misuse if surrounding authorization is weak.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The skill exposes autonomous crypto payment request and verification flows inside a memory component, which increases risk because an agent can initiate or complete financial actions without strong user consent boundaries. In this context, hidden or weakly governed payment capability is especially dangerous because it is unrelated to the advertised long-term memory purpose and may surprise operators or users.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code grants paid Pro access based on `verifyTransactionOnChain`, which in practice accepts any sufficiently long transaction hash and does not verify recipient, amount, token, chain, or confirmations. An attacker can therefore fabricate a fake hash to obtain paid features for free, undermining authorization and billing integrity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document encourages agent-driven payment flows near the top without a clear, prominent warning that use of the feature can initiate irreversible financial transactions and disclose wallet/transaction metadata. That weak disclosure increases the chance operators misunderstand the risk envelope and deploy the skill with overly broad permissions.

Missing User Warnings

High
Confidence
96% confidence
Finding
The example automatically upgrades when memory usage thresholds are hit, effectively authorizing spending based on application metrics rather than explicit user consent. In an autonomous-agent context, this is particularly dangerous because it can turn normal resource monitoring into automated financial execution without operator awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that it injects memories into every request and extracts/stores memories after each response, but does not warn users that conversation content may be automatically collected and persisted across sessions. In a memory skill, this is especially dangerous because the core context involves potentially sensitive personal, behavioral, or business information, making silent retention and reuse a meaningful privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Automatic pruning and deletion without clear warning can cause silent data loss, especially in a long-term memory system where users may rely on persistence for continuity across sessions. Because deletion is part of the core data lifecycle here, failing to disclose retention limits and pruning behavior can lead to unexpected loss of important stored context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The summary advertises automatic memory extraction and permanent storage but provides no explicit warning, consent model, or privacy notice about long-term retention of user facts and preferences. In a cross-session memory skill, this is especially dangerous because users may unknowingly have sensitive personal or contextual data persisted, searched, and re-injected into future conversations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README describes automatic extraction of facts, preferences, patterns, and conversation content across sessions, but does not give a prominent warning that this may capture sensitive personal, organizational, or credential-like data. In a memory skill, silent long-term capture materially increases privacy and compliance risk because users may not realize ordinary conversation text is being persistently stored and reused.

Missing User Warnings

High
Confidence
95% confidence
Finding
The README explicitly promotes autonomous agent payments and says 'No human approval needed,' which normalizes financial actions initiated by the agent without clear safety constraints. In an agent skill context, this is dangerous because it can lead to unauthorized or unintended spending, especially when combined with automated hooks and subscription flows.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README documents pruning and auto-deletion behavior for stored memories without prominently warning that retained user data may be irreversibly deleted. This can cause loss of important context, records, or user-provided information, particularly where users assume memory is durable or rely on it operationally.

VirusTotal

64/64 vendors flagged this skill as clean.