OpenClaw Memory OS

Security checks across malware telemetry and agentic risk

Overview

This local memory skill is purpose-aligned, but it needs review because its privacy safeguards and release provenance are documented inconsistently while it can persist conversations and files.

Install only after verifying the exact npm package and matching source commit. Keep AUTO-TRIGGER disabled until you test the installed behavior, prefer manual save commands, collect only specific non-sensitive folders, and treat ~/.memory-os as readable plaintext unless you add your own encryption and file permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The document makes strong security claims for v0.3.0 such as confirmation prompts, integrated privacy filtering, and enforced path protection, but later sections describe those same controls as missing or only planned. In a security-sensitive memory capture tool, contradictory documentation can cause users or agents to enable collection under false assumptions, leading to unintended storage of sensitive data in plaintext.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The audit guidance tells users to review a privacy-filter source file and even states it 'exists but not integrated,' which directly conflicts with earlier claims that filtering is implemented and enabled by default. This inconsistency undermines trust in the documented safeguards and increases the chance that sensitive content will be collected without redaction.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding:
AUTO-TRIGGER is described in one place as always prompting before save in v0.3.0, while another section says it saves immediately with no prompt. For a tool that can ingest conversational and filesystem data, ambiguity about consent behavior is dangerous because users may enable automation believing a human-approval gate exists when it may not.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding:
The Chinese section repeats the same contradictions as the English section, claiming implemented protections while also warning that saves may occur without prompts and without integrated filtering. Duplicating inconsistent security guidance across languages broadens the risk surface and can mislead a larger user base into unsafe deployment.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The documentation presents direct deletion commands, including recursive removal of the entire data directory, without any explicit warning that the action is irreversible. In an agent-skill context, users may copy-paste commands mechanically, so this increases the risk of accidental local data destruction.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The trigger list includes common conversational phrases such as 'remember' and 'keep in mind,' which are likely to appear in normal dialogue. In a memory-recording skill, broad triggers can cause accidental activation and storage of sensitive conversational context, especially if agents process user messages autonomously.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The documentation states that collection activates on keyword detection but does not define precise constraints such as required speaker, command boundaries, quoting behavior, or exclusions. Vague invocation rules increase the likelihood of unintended collection and make safe integration with agents difficult.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding:
The usage examples repeat broad trigger phrases but do not show exclusion cases or clarify when those phrases should be treated as ordinary speech. This makes invocation scope ambiguous and raises the chance that benign conversation will be persisted as memory.

VirusTotal

65/65 vendors flagged this skill as clean.