Security audit

泉水复活

Security checks across malware telemetry and agentic risk

Overview

This memory backup skill has a coherent purpose, but it handles sensitive personal memory files with broad persistent backup/cloud sync and an unsafe restore path that could overwrite files outside the intended workspace.

Install only if you intentionally want QClaw memory, diary, identity, user-profile, and workspace-rule files copied into hidden local backups and a cloud-synced folder. Configure the cloud path before use, avoid backing up secrets unless you control and trust the storage, and restore only snapshots you personally created until ZIP path validation and stronger overwrite protections are added.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91%
Finding
The skill describes shell execution and file-writing behavior, including backup, restore, and sync operations, but does not declare corresponding permissions. This creates a capability-transparency gap: users or hosting systems may not understand that the skill can modify local files and invoke scripts, which increases the risk of unauthorized filesystem changes or unsafe execution paths.

Context-Inappropriate Capability

High
Confidence
98%
Finding
The restore logic joins archive entry names directly with `WORKSPACE` and writes them without validating that the resolved destination stays inside the workspace. A malicious ZIP containing entries like `../../AppData/...` or absolute paths could overwrite arbitrary files accessible to the user, which is especially dangerous because this tool restores both local and cloud-synced snapshots.
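A restore path with the checks this finding calls for, added here as an example and not the skill's own code: every archive entry is resolved against the workspace and rejected if it is absolute, carries a drive letter or a `..` component, or still escapes after symlink resolution; nothing is written until the whole archive has passed, and existing files are never overwritten without an explicit `overwrite=True`. The `build_zip` and `demo` helpers and the sample entry names are constructed for illustration.

```python
import io, os, tempfile, zipfile
from pathlib import PurePosixPath, PureWindowsPath

def safe_destination(workspace, name):
    """Destination path for one archive entry, or None if the entry is absolute, has a
    drive letter, contains '..', or resolves outside the workspace (zip-slip check)."""
    posix = PurePosixPath(name.replace("\\", "/"))
    if posix.is_absolute() or PureWindowsPath(name).drive or ".." in posix.parts:
        return None
    base = os.path.realpath(workspace)
    dest = os.path.realpath(os.path.join(base, *posix.parts))
    return dest if os.path.commonpath([base, dest]) == base else None  # symlink re-check

def unsafe_entries(zip_bytes, workspace):
    """Dry run: entry names that would land outside the workspace, before any write."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if safe_destination(workspace, n) is None]

def restore_snapshot(zip_bytes, workspace, overwrite=False):
    """Restore only if every entry validated; never clobber existing files unless overwrite=True."""
    rejected = unsafe_entries(zip_bytes, workspace)
    if rejected:
        raise ValueError(f"unsafe snapshot, not restoring: {rejected}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            dest = safe_destination(workspace, info.filename)
            if os.path.exists(dest) and not overwrite:
                raise FileExistsError(f"would overwrite {dest}; pass overwrite=True to confirm")
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written

def build_zip(entries):
    """Constructed in-memory archive from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    ws = tempfile.mkdtemp()  # fresh workspace; both snapshots below are constructed samples
    bad = build_zip({"memory/MEMORY.md": "ok", "../../AppData/x.txt": "bad", "/etc/passwd": "bad"})
    good = build_zip({"memory/MEMORY.md": "# memory\n", "USER.md": "name: demo\n"})
    return unsafe_entries(bad, ws), restore_snapshot(good, ws)
```

`demo()` shows the dry run rejecting both traversal entries of the hostile snapshot while the benign snapshot restores normally; a second restore of the same snapshot into that workspace would stop at the first existing file unless `overwrite=True` is passed.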

Missing User Warnings

Medium
Confidence
91%
Finding
The README explicitly states that memory, diary, and user information can be automatically synchronized to a cloud directory, but it does not warn users that these files may contain sensitive personal data. In this skill context, the data being backed up includes long-term memory, user profiles, and diaries, so silent or under-warned cloud sync increases the risk of unintended disclosure through misconfigured cloud storage, shared machines, or third-party sync providers.

Missing User Warnings

Medium
Confidence
88%
Finding
The README advertises one-click restore and disaster recovery workflows but does not clearly warn that restoring a snapshot can overwrite the current workspace state and erase newer data. In a memory-management skill, restore operations directly affect persistent user and agent state, so an uninformed restore can cause destructive data loss or rollback of important records.

Vague Triggers

Medium
Confidence
87%
Finding
The trigger set includes broad natural phrases such as '检查记忆' ("check memory") and related memory terms that could plausibly occur in ordinary conversation. That increases the chance of accidentally activating backup or restore workflows, especially in a skill that handles sensitive memory files, and can lead users into destructive operations.

Missing User Warnings

High
Confidence
96%
Finding
The restore workflow is documented as a one-click operation and snapshot selection flow without warning that restoration may overwrite current memory, diaries, or user data. In a memory-management context, omission of overwrite and rollback warnings materially increases the risk of irreversible data loss, corruption, or reversion to stale state.

Missing User Warnings

Medium
Confidence
94%
Finding
The skill advertises cloud synchronization of memory files to Baidu Netdisk without a privacy notice or explicit consent warning. Because the documented data includes user information, diaries, and long-term memory, transmitting it to a remote service can expose sensitive personal content, create compliance issues, and broaden the attack surface.

Missing User Warnings

Medium
Confidence
95%
Finding
The non-interactive restore paths restore the latest or a specified snapshot directly into the workspace without a confirmation prompt or safety checks. This can overwrite current files and silently roll back user state, which is especially risky in a memory-preservation skill where the protected data is the user's persistent context.

Missing User Warnings

Medium
Confidence
91%
Finding
The full backup flow automatically syncs collected workspace memory files to a hardcoded cloud-synchronized directory without explicit consent at runtime. Because these files likely contain sensitive conversational memory and identity data, this behavior can cause unintended exfiltration to third-party cloud storage or shared desktop sync locations.

Ssd 3

Medium
Confidence
92%
Finding
The skill explicitly promotes persistent backup and cloud synchronization of conversation-derived memory, including highly sensitive content, as a core behavior. Long-term retention and replication of user memory increases exposure in the event of local compromise, cloud compromise, accidental sharing, or unintended recovery of old sensitive material.

Ssd 3

Medium
Confidence
95%
Finding
The documented inventory prioritizes backup of sensitive files such as USER.md and diary content, making persistent storage of personal data an intentional feature. This increases the consequences of unauthorized access or mistaken restore/sync operations because the most privacy-sensitive artifacts are preserved and replicated by default.

Ssd 3

Medium
Confidence
93%
Finding
The behavior rules instruct automatic backup after diary writes, daily integrity checks, and user-triggered backup flows, reinforcing continuous retention of sensitive memory data. In context, this is more dangerous than a generic storage feature because it normalizes repeated collection and persistence of personal conversational artifacts without prominently describing consent, retention limits, or privacy safeguards.

VirusTotal

64/64 vendors flagged this skill as clean.