Smart Memory Plus

Security checks across malware telemetry and agentic risk

Overview

This is mostly a disclosed local memory tool, but it needs review because it persists conversation-derived data and ships a health-check script whose handling of local /tmp cache filenames can cause a crafted filename to be executed.

Install only if you want durable local agent memory. Review or fix the memory_health.sh /tmp filename handling before running health checks on a shared machine, use dry-run modes for decay, avoid restoring state from untrusted files, and periodically inspect or purge stored memories and indexes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares significant capabilities around environment access and persistent file reads/writes, but does not expose an explicit permissions model. That creates a trust and review gap: an agent may invoke a memory skill that can modify durable state, session files, indexes, and caches without clear upfront authorization boundaries. In a memory-management skill, hidden write capability is especially sensitive because it can persist prompt-injected or privacy-sensitive data across sessions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The description frames the skill as a local memory manager, but the documented behavior includes broader persistent-state operations: building searchable indexes, maintaining a SQLite graph database, querying that database with user-supplied SQL, scanning /tmp session caches, and managing snapshots. This mismatch can cause operators to underestimate the amount of data collected, retained, and exposed, which is dangerous for a memory skill handling potentially sensitive conversational data.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger language is broad enough that ordinary conversation phrases like "remember this," "what do you know about X," or "clean up memories" may invoke the skill unexpectedly. For a persistence-oriented skill, accidental activation can lead to over-collection, unwanted storage of user data, or modification of long-term memory artifacts without sufficiently clear intent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrase "archive old stuff" is broad, colloquial language that could easily appear in normal conversation and unintentionally activate archival behavior. In a memory-management skill, unintended invocation can cause unwanted cleanup or movement of memory files, which risks confusing state, accidental archival, or loss of immediately useful context even if it does not directly enable code execution.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script automatically appends extracted conversation-derived content into a persistent workspace memory file without any user-facing notice, confirmation, or consent in the write path. Although it attempts to filter obvious secrets, the extraction logic is heuristic and can still retain sensitive personal, project, or operational details, creating unintended long-term data persistence.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The clear command deletes the active state file and immediately reinitializes it without any confirmation, dry-run, or explicit data-loss warning. In a memory-management skill, that state may contain important task context, so accidental invocation, prompt-driven misuse, or agent error can irreversibly destroy active session information and degrade reliability or safety of subsequent actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The restore command overwrites the active session state with snapshot contents without prompting the caller or validating intent. Because this skill manages agent memory, restoring stale or attacker-influenced snapshots can erase current context, reintroduce outdated instructions, or cause the agent to act on incorrect remembered state.

Session Persistence

Medium
Category
Rogue Agent
Content
> ⚠️ **Conflict Warning**: This skill replaces both `smart-memory` and `context-compactor`.
> Do NOT install alongside either of those skills — they share the same files
> (`SESSION-STATE.md`, `memory/`, `MEMORY.md`) and will cause write conflicts.

## Requirements
Confidence
88% confidence
Finding
write conflicts.

## Requirements
- **Runtime**: Python 3.10+ (standard library only), Bash 4.0+ (health/extract scripts only)
- **OS**: Linux, macOS
- **Environment variables** (all optional, with d

Session Persistence

Medium
Category
Rogue Agent
Content
| `MEMORY.md` | `memory_decay.py --promote-only` | Direct overwrite |
| `/tmp/openclaw-session-*.json` | `session_cache.py` | Direct write |

**Critical**: Never use the agent's file-write tool directly on memory files. Always pipe through scripts — they enforce sanitization, deduplication, and append-only behavior.

The agent MUST NOT write to:
- Any directory outside the workspace
Confidence
86% confidence

VirusTotal

64/64 vendors flagged this skill as clean.
