MEMORY.md Manager - Long-Term Memory Management (Secure Edition)

Security checks across malware telemetry and agentic risk

Overview

This memory-management skill has a coherent purpose, but it can automatically retain and send session-log snippets that may include secrets without reliable local redaction.

Install only if you are comfortable with a recurring memory updater reading OpenClaw session logs and possibly sending selected snippets to your configured LLM provider. Leave provider API keys unset for local rule mode, review MEMORY.md for secrets, and avoid enabling the cron job unless you want ongoing retention.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding:
When `sensitive_detected` is true, the script only adds a warning line saying sensitive information was desensitized, but it still writes the `title` and `detail` fields from the model output directly into `MEMORY.md`. Because the LLM receives raw session content and is not required to redact secrets, sensitive data may be persisted locally in plaintext despite the safety label, creating a misleading and dangerous false sense of sanitization.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The README states that install.sh automatically creates a cron job and that MEMORY.md will be updated daily, but it does not prominently warn users that installation establishes a persistent scheduled task that will continue modifying files after setup. In a developer tooling context, undocumented persistence and automatic file modification can surprise users, reduce informed consent, and hide follow-on risk if the updater later changes behavior or processes sensitive content.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill states that it analyzes daily session history and may send requests to an external LLM provider, but it does not prominently and explicitly warn that conversation-derived content may leave the local machine. Because the content comes from session history and memory logs, this can expose sensitive user data, secrets, or private activity to third-party services, especially when users assume a local-only memory tool.

Natural-Language Policy Violations

Severity: Low
Confidence: 93%
Finding:
The script hard-codes the cron timezone to Asia/Shanghai in the generated command text without detecting the user's environment or requiring an explicit timezone selection. This can cause jobs to run at an unexpected local time, which is a real but low-severity configuration and security issue because scheduled tasks may execute outside the user's intended maintenance window.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The script sends filtered session log content from the user's workspace to an externally configured LLM endpoint, authenticated with an API key, without an explicit consent gate or clear disclosure at the point of transmission. In this context, the session logs may contain operational details, credentials, or other sensitive content, so silent transmission to a third-party or self-configured remote provider creates a real confidentiality risk.

VirusTotal

67/67 vendors flagged this skill as clean.