Openclaw Memory Qdrant

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed semantic memory plugin; it retains and recalls conversation memories, but the sensitive behavior is largely purpose-aligned and configurable.

Install only if you want long-term agent memory. For sensitive or shared environments, leave autoCapture and allowPIICapture off, set persistToDisk to false if you want volatile memory, and do not configure qdrantUrl unless the server is trusted. Expect a first-run model download from Hugging Face.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The skill description emphasizes being 'fully local' and 'zero configuration', but the documented behavior includes persistence to disk by default, optional connection to an external Qdrant server, automatic capture of conversation content, and automatic recall/injection of memories into future prompts. This is a real security/privacy transparency issue because users may enable or install the skill expecting only ephemeral local processing, while the actual behavior expands data retention, prompt-surface exposure, and possible network transmission.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The README gives contradictory statements about whether memory-mode data persists only for the process lifetime or is saved to disk by default. This can mislead operators into believing sensitive conversation memory is ephemeral when it may actually be retained on disk, creating unexpected privacy and data-retention exposure.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding: The skill advertises fully local memory, but the implementation can connect to a remote Qdrant instance and the embedding model is downloaded on first use. This creates a trust-boundary mismatch: users may provide sensitive conversation data assuming it never leaves the machine, while memory contents and queries can be transmitted over the network.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding: The code labels embeddings as local, but `pipeline('feature-extraction', 'Xenova/all-MiniLM-L6-v2')` may download model artifacts on first run. That can leak metadata such as IP/use context and violates user expectations about offline-only operation, especially in a memory plugin handling conversation content.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: When auto-capture is enabled, the plugin extracts user messages and stores them, potentially to disk, without any built-in user-facing consent or notice flow. Because this is a long-term memory component, silently retaining conversational content increases privacy risk and can capture sensitive data users did not intend to persist.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: In remote Qdrant mode, stored text, metadata, and search queries are sent to the configured server, but the plugin provides no explicit user warning at the point of use. In a semantic memory system, this can expose highly sensitive conversation-derived content to another host or service contrary to user expectations.

Ssd 3

Severity: Medium
Confidence: 91%
Finding: The plugin automatically stores user-provided text and later returns it in search/recall results in plain language, which can surface prior sensitive content to the model, operator, logs, or UI. The context makes this more dangerous because the skill is specifically designed to retain conversational memory, so accidental persistence and resurfacing are central behaviors rather than edge cases.

VirusTotal

65/65 vendors flagged this skill as clean.