Memory Engine

Security checks across malware telemetry and agentic risk

Overview

This memory skill is useful and mostly disclosed, but it asks for unusually broad backup, restore, and background authority that can move private memory and configuration data to GitHub and restore scheduled tasks.

Review this before installing. Use it only if you are comfortable with persistent local capture of selected session content and with a background cron/watcher process. Do not enable GitHub backup unless the repository is private and intentionally chosen, avoid tokens embedded in remote URLs, and inspect what git will commit. Treat restore as an administrative action: review any restored openclaw.json, installed skills, rule/personality files, and crontab before applying them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (29)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The changelog states the skill performs automatic backups to GitHub every 6 hours, which expands the trust boundary from local memory management to external data transmission. Because this skill handles conversation memory and user preferences, automatic remote backup can expose sensitive data or secrets if users are unaware, especially if repository visibility, authentication, or destination controls are weak or misconfigured.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
A local memory skill that also performs automatic GitHub backup/restore changes the trust boundary from local file management to external data transmission and remote recovery. That expands exposure significantly because conversation-derived memory, workspace metadata, and configuration can leave the machine, potentially without sufficiently prominent consent and security guidance.

Context-Inappropriate Capability

High
Confidence: 96%
Finding
Backing up and restoring all installed skills, OpenClaw config, personality files, and crontab is much broader than necessary for memory management and can be abused to preserve or reintroduce privileged behavior across reinstalls. In context, this makes the skill more dangerous because it does not just retain memories; it can replicate execution environment, policy, and persistence mechanisms.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The script automatically stages, commits, and pushes the entire workspace to a remote GitHub repository, even though the skill is presented as local memory management. This creates a clear data exfiltration path for conversation history, notes, tokens, logs, or other files in the workspace, especially when run unattended via cron.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The script copies openclaw.json from outside the workspace and exports the user's crontab into backup files inside the workspace, expanding collection beyond memory-management data. Those files can contain secrets, task schedules, paths, and operational details that are unrelated to the stated purpose and may later be committed and pushed remotely.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The script includes an automatic GitHub backup path that is outside the core local maintenance responsibilities described for this cron job. Even though it is gated on a configured git remote and local .git presence, adding unattended exfiltration-capable sync behavior to a background maintenance script increases the risk of sensitive memory data being pushed off-host without explicit per-run user approval or clear separation of duties.

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
The script reads and rewrites the user's crontab to change a scheduled task frequency, which is a host-level persistence/configuration action outside a narrow file-local memory management function. Even though it targets an existing `memory-cron.sh` entry rather than installing an obviously malicious job, modifying system scheduler state increases blast radius and can surprise users or be abused if the script is run with elevated trust.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The restore script performs actions beyond memory recovery by overwriting OpenClaw configuration and restoring scheduled tasks from repository content. Because both files come from the supplied Git repository, a compromised or untrusted backup can silently alter runtime behavior and persistence, which is more dangerous than the skill's stated memory-management purpose implies.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The script installs arbitrary crontab entries directly from a backup repository, giving that repository control over future code execution under the current user. In a memory-engine skill, this capability is especially risky because scheduled execution is unrelated to simply restoring memories and creates a persistence mechanism an attacker could abuse.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The script is presented as a read-only recovery summarizer, but it also performs state-changing actions: scanning reset sessions, invoking extraction, updating tracking metadata, and triggering reindexing. This is dangerous because a caller expecting a harmless summary can unintentionally cause data ingestion and persistent workspace changes, violating least surprise and increasing the blast radius of a simple resume operation.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The script reads from a global session directory under the user's home folder rather than limiting itself to the provided workspace. That broadens access beyond the declared scope of workspace recovery and can pull in unrelated session data, creating privacy and data-boundary violations if multiple projects or contexts share the same OpenClaw installation.

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
The recovery flow launches subprocesses to perform extraction and indexing during what appears to be a summary operation. Even though the script paths are local and quoted, subprocess execution increases attack surface, can amplify unsafe behavior in downstream scripts, and makes the resume command capable of side effects far beyond formatting output.

Missing User Warnings

Medium
Confidence: 95%
Finding
Automatic backups to GitHub are a privacy and security risk because memory files may contain sensitive conversation history, credentials, personal data, or operational details. The absence of a clear user-facing warning or consent flow means data could be transmitted off-device without informed approval, increasing the likelihood of unintentional disclosure.

Missing User Warnings

Medium
Confidence: 90%
Finding
The README explicitly advertises automated session extraction, integrity monitoring, and auto-restoration of MEMORY.md, which implies persistent capture and recovery of prior conversational content. Without a clear privacy/data-retention warning, users may enable the skill without understanding that potentially sensitive prompts, personal data, or secrets could be stored locally and later resurfaced, increasing confidentiality and compliance risk.

Vague Triggers

Medium
Confidence: 78%
Finding
The trigger phrases are broad enough to match ordinary conversation, which can cause the skill to activate unexpectedly and perform writes, searches, or maintenance actions when the user did not intend that. In a skill that persists data and can modify local state, overbroad activation increases accidental collection and unintended execution risk.

Missing User Warnings

Medium
Confidence: 97%
Finding
The backup instructions place repository credentials directly in the remote URL, which risks leaking tokens through shell history, process listings, logs, configuration files, screenshots, and copied commands. Because the skill also encourages automated backup, the credential exposure risk is practical rather than theoretical.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script persists transcript-derived content into durable memory files without any consent gate, notice, or filtering for sensitive data. Because it processes user messages, tool outputs, and assistant summaries, it can silently retain secrets, personal data, operational details, or instructions beyond the original session, increasing privacy and data-retention risk.

Missing User Warnings

Medium
Confidence: 95%
Finding
Sensitive configuration and crontab contents are written into the workspace with only generic backup comments and no meaningful disclosure or consent. Because the same script later does `git add -A`, these newly created files are likely to be versioned and potentially uploaded, increasing confidentiality risk.

Missing User Warnings

Medium
Confidence: 97%
Finding
The automatic `git push` sends whatever is in the workspace to `origin/main` without clearly informing the user what categories of data may be uploaded. In a memory skill context, the workspace may contain conversation-derived memory, backups, and other sensitive artifacts, so undisclosed transmission materially increases privacy and security risk.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script asks for confirmation before overwriting MEMORY.md but does not ask before replacing the user's crontab, which can change scheduled behavior and establish persistence immediately. This lack of confirmation increases the chance of accidental or unnoticed installation of harmful tasks from a backup source.

Missing User Warnings

Medium
Confidence: 89%
Finding
Session files are automatically processed and tracking state is written without clear prior notice or affirmative consent. In a memory-management skill, silent ingestion of reset-session content is sensitive because those files may contain private conversational data that the user did not intend to persist or reindex during a simple recovery summary.

Missing User Warnings

Medium
Confidence: 87%
Finding
The script automatically scans for reset markers and immediately runs memory extraction and reindexing on session artifacts without any consent gate, operator acknowledgement, or visible user-facing notice. In a memory-management skill, this increases privacy and data-retention risk because potentially sensitive conversation content can be captured persistently at reset time when a user may expect the session to be ending or cleared.

Ssd 3

Medium
Confidence: 88%
Finding
The skill explicitly instructs persistent capture of conversation-derived data into memory files, including key events and summaries. Even if intended for helpful continuity, durable storage of user interactions creates privacy and data-minimization risks, especially when retention scope and consent boundaries are not clearly limited.

Ssd 3

Medium
Confidence: 90%
Finding
The memory-flush prompt directs the agent to durably store decisions, outcomes, preferences, and status changes derived from the conversation. This is sensitive because preferences and project status may contain personal or confidential business information, and the automatic nature of pre-compaction flushing reduces user awareness and control.

Ssd 3

Medium
Confidence: 91%
Finding
Persistently storing user profile information in USER.md creates a profile of preferences and behavior that may outlive the original interaction and be combined with other stored memory. In the broader context of backup, restore, and transcript extraction, this becomes more sensitive because profile data may also be propagated to remote repositories or restored across environments.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal