Memory Auto Archive

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it automatically scans chat transcripts and can persist sensitive conversation snippets into memory files with weak privacy controls.

Install only if you are comfortable with automatic scanning of local OpenClaw session transcripts and creation of persistent memory files. Before use, narrow the keyword list, remove password/token/secret-style terms, keep refinement disabled unless you understand where the configured model sends data, and review or delete generated memory files regularly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (25)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The configuration explicitly instructs the refinement feature to extract and persist 'passwords' and 'tokens' into long-term memory data. Even though refinement is disabled by default, documenting and encouraging collection of secrets creates a clear pathway for credential retention in logs or MEMORY.md, which can later be exposed, reused, or leaked.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The README presents a narrower data collection behavior than the documented workflow implies, creating a misleading privacy boundary for users. If users believe only keyword-matching messages are archived but the plugin processes or logs all prior-day transcripts before filtering/highlighting, they may unknowingly expose more conversation content than expected.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The keyword list is extremely broad and includes common terms such as 'task', 'remember', 'important', 'issue', 'config', 'password', and 'token', making routine conversation likely to trigger capture. In a memory/archive plugin, this increases the chance that unrelated or sensitive discussions are logged and retained without meaningful user intent or minimization.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documentation describes an AI refinement flow that may extract and persist sensitive data, including passwords and tokens, but does not present a strong warning or prohibition. Because this is a configuration guide, users may enable the feature without understanding that it can store credentials in durable memory artifacts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises automatic transcript scanning and archive generation on startup without a prominent privacy warning or explicit consent model. Because the plugin operates on conversation histories by default, users may enable it without understanding that private chats, credentials, or sensitive business discussions could be copied into persistent local files.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The optional AI refinement feature shows a model identifier that appears cloud-backed, but the README does not clearly warn that archived conversation content may be transmitted to an external model provider. This can result in unintentional exfiltration of sensitive chats, secrets, or personal data under the guise of a local privacy-focused plugin.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises automatic scanning of all agent transcript files, archival of matched content, and optional MEMORY.md updates, but it does not prominently warn users that potentially sensitive conversation data will be processed and stored. In an agent plugin context, this can lead to unintentional retention of secrets, personal data, or internal project information because users may enable it without understanding the privacy implications.

Missing User Warnings

High
Confidence
97% confidence
Finding
The AI refinement feature describes sending archived content to a model and auto-updating MEMORY.md, but it does not explicitly warn that transcript-derived data may be transmitted to an external provider. Because the example prompt includes extracting important data and user preferences, users could unknowingly exfiltrate sensitive workspace or personal information to a third party.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly states it will archive prior chat transcripts on startup and prepare prompts for MEMORY.md updates, but it does not clearly warn users that potentially sensitive conversation content will be copied into persistent files. In an agent environment, silent persistence of chat data increases privacy and data-governance risk because users may not realize logs and extracted highlights are being retained beyond the original session.

Missing User Warnings

High
Confidence
98% confidence
Finding
The AI refinement feature describes sending archived content to a named external model but does not clearly warn that user/chat data may leave the local environment and be processed by a third-party provider. This is dangerous because transcripts may include credentials, project details, personal data, or internal discussions, and users could enable the feature without informed consent about external disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code launches powershell.exe with -ExecutionPolicy Bypass, explicitly weakening a host safety control and allowing the referenced script to run regardless of local execution-policy restrictions. In an agent skill context, this is more dangerous because the skill runs code automatically against workspace data and the true behavior is hidden in an external script, so a malicious or modified archive.ps1 could execute with fewer guardrails.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The configured trigger keywords are broad, common terms such as "important", "task", "remember", and "fix", including multilingual variants. In a memory archiving plugin, this can cause routine conversation or unrelated user content to be captured and persisted unintentionally, increasing the risk of privacy leakage, over-collection, and storage of sensitive data without clear user intent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The demo explicitly normalizes automatic transcript scanning, highlight extraction, and writing daily memory logs without any visible consent, notice, retention limit, or redaction of sensitive content. Even though this file is only a screenshot/demo, it promotes a privacy-invasive behavior pattern that could lead users to deploy or trust a feature that persistently stores conversation data, including sensitive terms.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code reads conversation transcripts from session files, extracts message text, and persists summaries/snippets into archive files under the workspace without any consent, notice, minimization, or sensitivity filtering. Because transcripts may contain secrets, personal data, or proprietary content, creating durable secondary storage increases exposure, retention, and accidental disclosure risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script writes summarized conversation content and highlighted snippets into persistent workspace files without any user consent, notice, or opt-in. Because the keyword list explicitly includes terms such as API, token, password, key, and secret, the archive can inadvertently preserve sensitive content in a new location, increasing exposure and retention risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code recursively scans agent session transcript files and parses user and assistant messages without any privacy notice or scope restriction beyond the workspace path. In an agent-skill context, transcripts commonly contain prompts, operational details, and secrets, so silent bulk inspection of those files creates a meaningful confidentiality risk even if the purpose is archival.

Ssd 3

Medium
Confidence
89% confidence
Finding
The documentation promotes automatic archiving of user conversations into local logs and memory files, including examples involving sensitive terms like tokens, passwords, and secrets. Even if intended as a productivity feature, routinely persisting such content increases the attack surface by creating concentrated plaintext records that may be accessed by other local processes, users, backups, or future plugins.

Ssd 3

Medium
Confidence
93% confidence
Finding
The README instructs the plugin to scan all session transcript files and optionally update long-term memory from them, which can aggregate sensitive user data across agents into durable knowledge files. In this context, the risk is elevated because the feature is automatic, cross-session, and potentially cross-agent, making accidental over-collection and persistence more likely.

Ssd 3

Medium
Confidence
94% confidence
Finding
The sample refinement prompt explicitly asks the model to extract and retain 'user preferences' and 'important data,' encouraging long-term storage of potentially sensitive personal and operational information. In this skill's context, that makes the plugin more dangerous because it combines transcript scanning, persistence, and optional third-party AI processing into a memory-building pipeline.

Ssd 3

Medium
Confidence
92% confidence
Finding
The suggested refinement prompt asks the AI to extract and retain long-term memories including user preferences, important data, project milestones, and similar content in MEMORY.md. That materially increases the chance that sensitive or unnecessary personal/project information will be accumulated in a durable memory store, expanding exposure if the workspace is shared, synced, or later compromised.

Ssd 3

Medium
Confidence
88% confidence
Finding
The demo depicts persistent retention and summarization of prior conversations into files such as memory/YYYY-MM-DD.md and logs, including highlighted user content and keywords like 'password'. In a skill/plugin context, that increases the likelihood of accidental collection, retention, and later exposure of sensitive data through local files, backups, logs, or other plugins.

Ssd 3

High
Confidence
99% confidence
Finding
The refinement prompt explicitly instructs the model to extract and retain highly sensitive secrets such as passwords and tokens from daily work logs into long-term memory. In an agent memory plugin, this increases the chance of persistent secret storage, later leakage through prompts, logs, backups, or downstream tools, turning incidental exposure into durable compromise.

Ssd 3

Medium
Confidence
93% confidence
Finding
The archiver semantically republishes message content into a durable summary file and selectively highlights messages matching sensitive terms, including password, token, key, and secret. This can amplify risk by concentrating otherwise dispersed sensitive content into an easy-to-read artifact in the workspace, where it may be accessed, synced, backed up, or exposed to other tools.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"openclaw": ">=0.5.0"
  },
  "dependencies": {
    "openclaw": "^0.5.0"
  },
  "devDependencies": {
    "@types/node": "^20",
Confidence
91% confidence
Finding
"openclaw": "^0.5.0"

Known Vulnerable Dependency: openclaw==0.5.0 — 10 advisory(ies): CVE-2026-32064 (OpenClaw's sandbox browser noVNC observer lacked VNC authentication); CVE-2026-32006 (OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallbac); CVE-2026-41913 (OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret r) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
openclaw==0.5.0

VirusTotal

65/65 vendors flagged this skill as clean.
