files-memory-system

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed memory-management skill, but it persistently changes workspace-wide agent instructions and stores/reloads shared memory in ways users should review carefully.

Install only if you want a workspace-wide persistent memory system. Review the exact AGENTS.md block before enabling it, do not store credentials or personal sensitive data in memory files, and set clear rules for what may be written to private, group, and global memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The skill advertises memory and workspace management, but its documented install flow also copies itself into a trusted global skills directory and modifies `/workspace/AGENTS.md` to influence future agent behavior. That expands its authority from scoped file management into persistent self-registration and instruction injection, which is dangerous because users or reviewers may not realize the skill is establishing durable control over later sessions.

Intent-Code Divergence

Medium
Confidence: 92%
Finding: The document asserts an absolute safety principle of always preferring the trash mechanism and warns against reverting to a bare `rm -rf`, yet the described implementation still falls back to `rm -rf` when trash is unavailable. In a file-management/install skill, this mismatch can mislead maintainers into believing deletion is recoverable when it may actually be permanent, increasing the chance of unsafe operational changes or accidental data loss.

Intent-Code Divergence

Medium
Confidence: 89%
Finding: The document claims user confirmation is mandatory before deletion, but the 'current implementation' snippet shown omits that confirmation step. In this skill context, where installation and memory management may touch important agent data, inaccurate security guidance can cause reviewers or maintainers to overtrust the deletion flow and preserve unsafe behavior.

Intent-Code Divergence

Medium
Confidence: 87%
Finding: The document states a hard rule forbidding direct `git clone` in group chats, but later presents direct `git clone` as a manual option. Contradictory operational guidance increases the chance an agent or operator will bypass the isolation mechanism and clone repositories into broader shared locations, causing cross-group data leakage or workspace contamination.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding: The script modifies a global control/documentation file (`/workspace/AGENTS.md`) during installation, which is a side effect outside the narrowly expected scope of setting up memory directories or files. In an agent environment, AGENTS.md can influence operator understanding or agent behavior, so silent self-registration creates a trust-boundary issue and can be used to persist instructions without explicit approval.

Intent-Code Divergence

Medium
Confidence: 84%
Finding: The appended content mixes claims of auto-discovery/auto-loading with instructions stating that group memory is not automatically loaded and must be read manually. Contradictory operational guidance in a file intended to steer agents can cause them to skip required checks or perform unintended reads, increasing the chance of inconsistent memory handling and cross-context mistakes.

Missing User Warnings

Medium
Confidence: 89%
Finding: The README explicitly states that group and private conversation memory will be automatically loaded and recorded, but it does not give a clear retention notice, consent model, or privacy warning. In a memory-management skill handling multi-group chat data, this can lead to users and operators storing sensitive conversational content without understanding persistence, scope, or audit implications.

Vague Triggers

Medium
Confidence: 78%
Finding: The invocation description covers very broad file and memory operations, making it likely to trigger on many ordinary requests. Over-broad activation increases the chance that this skill's persistence, memory-writing, and installation behaviors are invoked in contexts where the user only intended a simple file action.

Missing User Warnings

Medium
Confidence: 84%
Finding: The script automatically creates directories and writes memory files based on a caller-supplied path without any confirmation, policy check, or validation of whether initialization is appropriate for the current context. In an agent setting, this can lead to unintended persistence of sensitive private-chat data, creation of files in unexpected locations, or silent cross-context state changes if the path is mis-specified or influenced by untrusted input.

Missing User Warnings

Medium
Confidence: 95%
Finding: Appending to `/workspace/AGENTS.md` without prior warning or user confirmation is an unauthorized persistent modification to a shared workspace file. Even if the content is not overtly malicious, this establishes a mechanism for silently influencing future agent sessions and violates least surprise for installers/operators.

Natural-Language Policy Violations

High
Confidence: 90%
Finding: The injected instructions impose Chinese-language operational requirements on agents without user opt-in and are written into a shared startup/discovery file. In multi-user or mixed-locale deployments, this can override expected language behavior, confuse operators, and cause policy or workflow violations by altering how agents respond before any session-specific consent is obtained.

Ssd 3

High
Confidence: 98%
Finding: The skill explicitly instructs the agent to store API keys in plaintext memory files if the user insists, including potentially global shared memory. This creates a straightforward secret-exfiltration and lateral-exposure path because those files may be read by future sessions, other groups, backups, or other tools.

Ssd 3

Medium
Confidence: 89%
Finding: The skill encourages immediate persistence of arbitrary user-provided content into group/global/private memory files, creating a broad natural-language retention channel. In practice this can capture sensitive data, regulated information, or prompt-injection content that later influences agent behavior across sessions or groups.

Hidden Instructions

High
Category: Prompt Injection
Content:
To unregister (remove from AGENTS.md):
```bash
sed -i '/<!-- files-memory-system: installed -->/,/<!-- files-memory-system: end -->/d' /workspace/AGENTS.md
```

## Overview
Confidence: 93%
Finding: `<!-- files-memory-system: installed -->`

Hidden Instructions

High
Category: Prompt Injection
Content:
To unregister (remove from AGENTS.md):
```bash
sed -i '/<!-- files-memory-system: installed -->/,/<!-- files-memory-system: end -->/d' /workspace/AGENTS.md
```

## Overview
Confidence: 93%
Finding: `<!-- files-memory-system: end -->`

Session Persistence

Medium
Category: Rogue Agent
Content:
```bash
# 1. Copy to standard location
mkdir -p /workspace/skills
cp -r ~/.openclaw/skills/files-memory-system /workspace/skills/

# 2. Run self-registration
```
Confidence: 85%
Finding: `mkdir -p /workspace/skills cp -r ~/.openclaw`

VirusTotal

65/65 VirusTotal vendors rated this skill as clean.