Episodic Memory

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine long-term memory plugin, but it is rated Needs Review: it persists chat history, sends conversation-derived text to third-party AI services, and its artifacts explicitly use scanner-evasion patterns around environment-variable reads placed near network calls.

Install only if you are comfortable with this plugin storing conversation history long-term, importing existing session files, downloading and running a Go sidecar, and sending conversation-derived text to Gemini and possibly OpenRouter. Avoid using it with secrets, regulated data, or confidential code unless you have reviewed the storage location, retention behavior, API-key scope, and provider privacy terms. The scanner-evasion comments should be resolved before treating this as low risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (37)

Intent-Code Divergence
Severity: Medium. Confidence: 98%.
The changelog explicitly says env var access was rewritten using string concatenation and dynamic property access to break a static scanner's credential-harvesting pattern match while preserving the same runtime behavior. Deliberately disguising credential reads near network transmission defeats security review and materially increases the chance that real exfiltration or unsafe handling of secrets will bypass automated controls.

Intent-Code Divergence
Severity: Medium. Confidence: 96%.
Claiming 'No runtime behavior changes' immediately after documenting scanner-evasion changes is misleading because the effective behavior of reading credentials and sending them to external providers remains intact while visibility to security tooling is reduced. This combination signals intentional concealment of sensitive flows, which weakens trust and can allow unsafe secret-handling patterns to ship unnoticed.

Intent-Code Divergence
Severity: Medium. Confidence: 93%.
The README presents the plugin as storing conversations locally, but elsewhere states that message content is sent to Gemini for embedding generation. This mismatch can mislead users into believing their data never leaves the machine, undermining informed consent and causing unintentional disclosure of sensitive chat content to a third-party provider.

Intent-Code Divergence
Severity: High. Confidence: 99%.
The comments explicitly state that environment-variable access was intentionally obfuscated to bypass security scanning. Deliberately defeating scanner visibility is dangerous because it conceals potentially sensitive data access and undermines review controls, especially in code that may later be combined with network transmission logic.

Intent-Code Divergence
Severity: Medium. Confidence: 84%.
The comment suggests only structural bridge text is embedded after compaction, but the implementation also injects clipped raw snippets from evicted messages into the rewritten session. If evicted content contains secrets, sensitive prompts, or attacker-controlled text, compaction can unintentionally preserve and re-surface that data in active context, undermining the expected data minimization boundary.

Intent-Code Divergence
Severity: High. Confidence: 99%.
The comments explicitly state the code was obfuscated to bypass a security scanner that detects environment-variable access near network transmission, which is a strong indicator of deliberate evasion rather than a benign helper. Even though this file only wraps env access, the concealment pattern makes the surrounding skill context more dangerous because it is designed to hide potentially sensitive secret access from reviewers and automated defenses.

Intent-Code Divergence
Severity: Medium. Confidence: 95%.
The method is documented as a deprecated no-op compatibility shim, but it still forwards the supplied apiKey over RPC to the sidecar. Misleading comments around sensitive flows are dangerous because callers may assume the key is ignored and pass secrets unnecessarily, causing unintended disclosure to another process and making review/auditing harder.

Context-Inappropriate Capability
Severity: Medium. Confidence: 89%.
The code accesses a GEMINI_API_KEY from both the process environment and hard-coded local configuration files without any visible user consent, scope restriction, or clear justification in the skill context. This creates unnecessary credential exposure risk because the skill can silently harvest or reuse secrets from developer workstations and then make them available to downstream code via process.env.

Context-Inappropriate Capability
Severity: Medium. Confidence: 93%.
The code writes the recovered API key into process.env, which mutates global process state and broadens exposure to any subsequently loaded module, including require('./test_sleep_consolidation'). In a skill context, this is risky because unrelated or less-trusted code can now access the secret without an explicit data flow or permission boundary.

Missing User Warnings
Severity: Medium. Confidence: 92%.
The README explicitly says conversations are stored locally long-term and later injected back into prompts, but it does not clearly warn users about retention scope, sensitivity of stored content, or how to disable/purge it. In a memory plugin, that omission is security-relevant because users may unknowingly persist secrets, personal data, or regulated information far beyond the immediate session.

Missing User Warnings
Severity: High. Confidence: 97%.
The README states that the Go sidecar uses the configured GEMINI_API_KEY automatically for embeddings, which implies conversation-derived text may be sent to Google's embedding service, but it does not clearly disclose this data egress to a third party. That is a significant privacy and compliance risk because users may assume the plugin is purely local while their content is actually transmitted externally.

Missing User Warnings
Severity: Medium. Confidence: 96%.
The README states that conversations are saved locally and that text is sent to the Gemini API for embeddings, but it does not present this as a prominent privacy notice with clear consent, scope, retention, or data-handling implications. In a memory plugin, this is security-relevant because users may unknowingly persist sensitive chats and transmit private content to a third-party provider.

Missing User Warnings
Severity: Medium. Confidence: 89%.
The installation troubleshooting instructions tell users to edit the OpenClaw config and run automated repair commands, which can change global application state and remove plugin entries. Without a strong warning, backup guidance, scope explanation, and validation steps, users may unintentionally alter unrelated configuration or break other components.

Missing User Warnings
Severity: Medium. Confidence: 95%.
The README says all conversations are silently stored locally and later re-injected into prompts, but it does not provide a clear warning about retention, sensitivity, or how recalled content may resurface in future interactions. Silent persistence and reuse of user conversations can expose private or regulated data unexpectedly, especially on shared systems or when users do not realize memory is durable.

Missing User Warnings
Severity: High. Confidence: 98%.
The workflow states that user content is vectorized via the Gemini API and that the plugin automatically reads the configured GEMINI_API_KEY, but it does not clearly warn that message content is sent to an external service. This is dangerous because users may unknowingly transmit confidential prompts, credentials, source code, or personal data to a third-party processor.

Missing User Warnings
Severity: Medium. Confidence: 88%.
This client sends both `systemPrompt` and `userMessage` to the third-party OpenRouter API, which can expose sensitive user data, secrets, or internal instructions outside the local trust boundary. Even though this appears to be intended functionality for an LLM client, the file contains no consent, minimization, redaction, or policy enforcement before transmission, so privacy and data-handling risks are real if callers pass sensitive content.

Missing User Warnings
Severity: Medium. Confidence: 84%.
The cold-start ingestion flow writes markdown files into the agent workspace and temporary files under the OS temp directory automatically, with no visible confirmation or consent gate in this code path. If triggered unexpectedly, it can persist potentially sensitive session content to disk, expanding data exposure and leaving recoverable artifacts even when the user did not explicitly approve storage.

Missing User Warnings
Severity: Medium. Confidence: 90%.
This code persistently writes full conversation messages to local write-ahead log files in the agent workspace via walAppend/restore/rotate logic. Even if intended for durability and recovery, storing raw chat content on disk without any visible consent, minimization, encryption, retention control, or access restriction in this file increases exposure of sensitive user data to local compromise, backup leakage, or unintended multi-tenant workspace access.

Missing User Warnings
Severity: Medium. Confidence: 94%.
The saveRawLog function writes the entire raw conversation transcript to a timestamped markdown file in the workspace. This creates a durable plaintext copy of potentially sensitive prompts, tool outputs, secrets, or personal data, expanding the attack surface beyond transient memory and making accidental disclosure or post-compromise data harvesting easier.

Missing User Warnings
Severity: Medium. Confidence: 84%.
This helper enables arbitrary reads from process environment variables by caller-supplied key, which can expose secrets such as API tokens, credentials, and service keys without any restriction or disclosure. In this skill context, the surrounding comments about evading scanner detection materially increase risk because they suggest the helper may be used to conceal sensitive secret handling from review.
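
The Intent-Code Divergence findings above describe env-var reads rewritten with string concatenation and dynamic property access so that a literal pattern match fails, and this finding describes a helper that reads whatever variable its caller names. Both defeat a scanner that greps for `process.env.NAME`. The following is an added example for this report, not code from the Episodic Memory plugin or from SkillSpector: a small normalizer that folds same-line string concatenation, propagates string constants into bracket accesses, rewrites `obj['name']` to `obj.name`, and then reports `process.env` reads within a few lines of a network call, flagging reads whose key cannot be resolved statically. The plugin's actual helper is not reproduced; the three sample sources are constructed, and the network-call list and the 10-line proximity window are assumptions.

```javascript
// Added example for this report; not code from the Episodic Memory plugin.
// Undo two evasion tricks (folded string concatenation, bracket-style dynamic
// property access) before pattern matching, then look for process.env reads
// near network calls. All sample sources at the bottom are constructed.

// What a naive scanner looks for on the raw source.
const NAIVE_RE = /\bprocess\.env\.[A-Z_][A-Z0-9_]*/;
function naiveHit(src) {
  return NAIVE_RE.test(src);
}

// 'a' + 'b' -> 'ab'. Only same-line concatenation is folded so that line
// numbers in findings still map to the original file.
const CONCAT_RE = /(['"])((?:\\.|(?!\1)[^\\\n])*)\1[ \t]*\+[ \t]*(['"])((?:\\.|(?!\3)[^\\\n])*)\3/g;
function lit(body) {
  return "'" + body.replace(/(?<!\\)'/g, "\\'") + "'";
}
function foldConcat(src) {
  let prev;
  do {
    prev = src;
    src = src.replace(CONCAT_RE, (_, q1, a, q2, b) => lit(a + b));
  } while (src !== prev);
  return src;
}

// const e = 'env'; ... obj[e] -> obj['env']. Deliberately over-approximates:
// later reassignments are ignored, the right bias for a review aid.
const CONST_RE = /\b(?:const|let|var)[ \t]+([A-Za-z_$][\w$]*)[ \t]*=[ \t]*(['"])((?:\\.|(?!\2)[^\\\n])*)\2[ \t]*;/g;
function propagateConsts(src) {
  const consts = new Map();
  for (const m of src.matchAll(CONST_RE)) consts.set(m[1], m[3]);
  for (const [name, value] of consts) {
    const useRe = new RegExp(String.raw`\[[ \t]*${name.replace(/\$/g, '\\$')}[ \t]*\]`, 'g');
    src = src.replace(useRe, () => '[' + lit(value) + ']');
  }
  return src;
}

// obj['name'] -> obj.name for identifier-like keys.
const BRACKET_RE = /\[[ \t]*(['"])([A-Za-z_$][\w$]*)\1[ \t]*\]/g;
function bracketToDot(src) {
  return src.replace(BRACKET_RE, '.$2');
}

function normalize(src) {
  return bracketToDot(propagateConsts(foldConcat(src)));
}

const ENV_READ_RE = /\bprocess\.env\.([A-Za-z_$][\w$]*)/g;
// Key is a variable or expression, so the secret being read is unknown statically.
const ENV_DYNAMIC_RE = /\bprocess\.env[ \t]*\[[ \t]*([^'"\]\s][^\]]*)\]/g;
// Assumed, non-exhaustive list of outbound-call shapes.
const NETWORK_RE = /\b(?:fetch|https?\.(?:request|get)|axios(?:\.\w+)?|got)[ \t]*\(/;

// One record per env read in the normalized source; nearNetwork is true when a
// network call sits within `windowLines` lines of the read.
function scan(source, { windowLines = 10 } = {}) {
  const lines = normalize(source).split('\n');
  const networkLines = [];
  lines.forEach((l, i) => { if (NETWORK_RE.test(l)) networkLines.push(i + 1); });
  const findings = [];
  lines.forEach((line, i) => {
    const lineNo = i + 1;
    const nearNetwork = networkLines.some((n) => Math.abs(n - lineNo) <= windowLines);
    for (const m of line.matchAll(ENV_READ_RE)) {
      findings.push({ line: lineNo, kind: 'env-read', key: m[1], nearNetwork });
    }
    for (const m of line.matchAll(ENV_DYNAMIC_RE)) {
      findings.push({ line: lineNo, kind: 'env-read-dynamic', key: m[1].trim(), nearNetwork });
    }
  });
  return findings;
}

// Constructed sample 1: plain read beside a network call; the naive scanner catches it.
const PLAIN = `
const key = process.env.GEMINI_API_KEY;
const res = await fetch(url, { headers: { Authorization: 'Bearer ' + key } });
`;
// Constructed sample 2: the same read, disguised the way the findings describe.
const OBFUSCATED = `
const e = 'en' + 'v';
const k = 'GEMINI_' + 'API_' + 'KEY';
const key = process[e][k];
const res = await fetch(url, { headers: { Authorization: 'Bearer ' + key } });
`;
// Constructed sample 3: wrapper that reads any variable named by its caller.
const HELPER = `
function getEnv(name) {
  return process['env'][name];
}
`;

console.log('naive scanner on obfuscated sample:', naiveHit(OBFUSCATED));
console.log(scan(OBFUSCATED), scan(HELPER));
```

Two properties matter for a review aid: line numbers survive normalization, so each record points back into the original file, and constant propagation over-approximates rather than under-approximates. Anything reported as env-read-dynamic still needs a human to establish which names the helper is actually called with, which is exactly the question this finding raises.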

Missing User Warnings
Severity: Medium. Confidence: 90%.
The plugin automatically discovers and ingests historical session files on startup, which can pull prior conversation content into long-term episodic storage without an explicit consent check or in-flow disclosure in this code path. In a memory plugin, this increases privacy risk because sensitive legacy chats may be retained, reprocessed, and later surfaced through recall tools or prompt injection mechanisms beyond the user's immediate expectation.

Missing User Warnings
Severity: Medium. Confidence: 91%.
The worker sends raw conversationText to an external LLM provider for processing, and this file shows no minimization, redaction, or consent gating before transmission. Because conversation logs can contain secrets, personal data, or proprietary material, exfiltration to a third-party model service can violate privacy and data-handling expectations.

Missing User Warnings
Severity: Medium. Confidence: 95%.
This path transmits raw conversation logs to Google's Gemini API, again without any visible disclosure, consent check, or pre-send sanitization in the file. In this context the data being processed is conversational history, which is especially likely to include credentials, internal paths, incidents, and personal information, making third-party disclosure materially risky.
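
Several findings above (the OpenRouter client that sends `systemPrompt` and `userMessage`, the worker that sends raw conversationText, and this Gemini path) make the same point: nothing minimizes or redacts conversation text before it leaves the host. As an added example, not the plugin's code, the following is the kind of gate a reviewer would expect in front of those calls. It drops system-prompt messages by default, redacts common secret shapes, records an audit of what it removed, and refuses to send anything containing private-key material. The redaction patterns are illustrative and deliberately non-exhaustive (the AIza and AKIA prefixes match well-known Google and AWS key formats; the others are generic), and the session transcript is constructed.

```javascript
// Added example for this report; not code from the Episodic Memory plugin.
// Minimize and redact conversation text before it leaves the host for a
// third-party embedding or completion API. Patterns are illustrative and
// non-exhaustive; the session transcript at the bottom is constructed.

const REDACTORS = [
  // Private-key material: a partial leak is still a compromise, so block egress.
  { kind: 'private-key', block: true,
    re: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g },
  // NAME=value or NAME: value where NAME looks like a secret variable.
  { kind: 'assignment', replace: '$1$2[REDACTED:assignment]',
    re: /\b([A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*)([ \t]*[=:][ \t]*)(["']?)[^\s"',;]+\3/g },
  // Google API keys: AIza prefix followed by 35 URL-safe characters.
  { kind: 'google-api-key', re: /\bAIza[0-9A-Za-z_-]{35}\b/g },
  // AWS access key IDs: AKIA prefix followed by 16 uppercase alphanumerics.
  { kind: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { kind: 'bearer-token', replace: 'Bearer [REDACTED:bearer-token]',
    re: /\bBearer[ \t]+[A-Za-z0-9._~+\/=-]+/g },
];

// Returns the redacted text plus a per-kind count, so the audit trail records
// what was removed without recording the secrets themselves.
function redactForEgress(text) {
  const byKind = {};
  let blocked = false;
  let out = text;
  for (const r of REDACTORS) {
    const hits = (out.match(r.re) || []).length;
    if (hits === 0) continue;
    byKind[r.kind] = hits;
    if (r.block) blocked = true;
    out = out.replace(r.re, r.replace || `[REDACTED:${r.kind}]`);
  }
  const total = Object.values(byKind).reduce((a, b) => a + b, 0);
  return { text: out, total, byKind, blocked };
}

// System prompts carry internal instructions and are not needed to embed user
// turns, so they are dropped unless the caller opts in. Output is capped.
function prepareEgress(messages, { includeSystem = false, maxChars = 8000 } = {}) {
  const kept = messages.filter((m) => includeSystem || m.role !== 'system');
  const joined = kept.map((m) => `${m.role}: ${m.content}`).join('\n');
  const red = redactForEgress(joined);
  const truncated = red.text.length > maxChars;
  return {
    blocked: red.blocked,
    payload: red.blocked ? null : (truncated ? red.text.slice(0, maxChars) : red.text),
    audit: { total: red.total, byKind: red.byKind, truncated, droppedSystem: messages.length - kept.length },
  };
}

// Constructed session. Key values follow documented example shapes and are not live credentials.
const SAMPLE_SESSION = [
  { role: 'system', content: 'Internal runbook text that must stay on this host.' },
  { role: 'user', content: 'Deploy failed. My env has GEMINI_API_KEY=AIzaSyD-EXAMPLE0123456789abcdefghijklmn and AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE' },
  { role: 'assistant', content: 'Try: curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig" https://api.example.com/deploy' },
];

console.log(JSON.stringify(prepareEgress(SAMPLE_SESSION), null, 2));
```

Regex redaction is lossy and bypassable, so this belongs alongside, not instead of, the disclosure and consent the findings ask for; its value is that the audit record makes the volume of secret-shaped material in a session visible before it is sent, and that the private-key case fails closed.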

Natural-Language Policy Violations
Severity: Low. Confidence: 92%.
The debug path logs previews of recent user messages, the latest user message, and per-message keyword extraction results to console when the debug flag is enabled. Even though this is gated behind an environment variable and previews are truncated, it still exposes potentially sensitive user content and derived semantic data to logs, which are often retained, forwarded, or accessible to operators without explicit user consent.

Missing User Warnings
Severity: Medium. Confidence: 82%.
The zero-API fallback persists conversation/session content directly into markdown files under the workspace without any consent gate, warning, or retention control nearby. In a memory/session-processing skill, this materially increases privacy risk because sensitive chat history may be written to disk in a user-visible corpus and later indexed, synced, or exposed through other tooling.

VirusTotal

49/49 vendors flagged this plugin as clean.