Is clawcolab/clawbrain safe?
https://github.com/openclaw/skills/tree/main/skills/clawcolab/clawbrain
ClawBrain is a persistent memory skill that installs JavaScript startup hooks and injects accumulated conversation context — including memories, personality guidance, and suggested responses — into the agent bootstrap on every service restart. The critical hook code (handler.js) was absent from the scanned files and could not be audited, representing a material coverage gap. The skill's core design creates a persistent prompt injection channel: user conversation can write content into the memory database, and that content is automatically re-injected into the agent's active context on startup, surviving session resets. No direct exfiltration to external parties was observed during the install scan, and all canary honeypots remained intact.
Findings (11)
HIGH: Persistent Memory-to-Agent Context Injection Channel (-20)
The startup hook calls Brain.refresh_on_startup() and, per the SKILL.md spec, 'injects context into agent bootstrap'. The injected context bundle includes memories, personality guidance, and suggested_responses. Because user conversation can write arbitrary content into the memory store (via brain.remember()), any user or third party who can influence stored memories can inject persistent instructions that survive service restarts and session resets — a classic second-order prompt injection pattern.
HIGH: Startup Hook Code Not Audited (-20)
The file hooks/clawbrain-startup/handler.js is described as ~50 lines of JavaScript that executes on every gateway:startup and command:new event. This file was absent from the scanned directory contents. The code that actually performs the Brain.refresh_on_startup() call and the context injection into the agent bootstrap was not reviewed. This is the highest-risk file in the skill and its absence from the audit constitutes a critical coverage gap.
MEDIUM: pip install Executes Unscanned Package Code (-15)
The installation path pip install clawbrain[all] downloads and executes the clawbrain PyPI package. The package's setup.py / pyproject.toml build hooks, postinstall scripts, and all Python module code were not scanned in this audit. Only the ClawHub skill metadata was reviewed.
MEDIUM: Comprehensive Persistent User Data Accumulation (-15)
The skill stores all conversations, user moods, intents, preferences, interests, and personality insights in a persistent database that is never automatically purged. The Brain API provides recall(), get_user_profile(), detect_user_mood(), detect_user_intent() — a complete behavioral surveillance API over the user's interaction history. This data persists across /new resets.
MEDIUM: Encrypted Credential Storage with Locally Accessible Key (-10)
The skill stores API keys and arbitrary secrets under memory_type='secret' using Fernet symmetric encryption. The encryption key lives at ~/.config/clawbrain/.brain_key. Any process with read access to both the database and the key file can decrypt all stored credentials. The CLI exposes clawbrain show-key --full which prints the full key in plaintext. This creates a consolidated credential theft target.
MEDIUM: Persistent Personality Override via generate_personality_prompt() (-10)
The hook re-injects a generated personality prompt on every startup. The 6 evolving soul traits (humor, empathy, curiosity, creativity, helpfulness, honesty) modify the agent's effective persona persistently across sessions. An attacker who can write to the souls table or influence trait evolution through crafted conversation can gradually shift the agent's personality away from its configured baseline.
MEDIUM: suggested_responses Field Steers Agent Behavior (-10)
get_full_context() returns a suggested_responses list that is part of the injected bootstrap context. This field provides pre-computed response suggestions derived from stored memories. When injected into the agent's active context, these suggestions can bias the agent toward specific answers without any explicit per-session instruction from the user or operator.
MEDIUM: Persistent Hook Installed Outside Skill Directory (-10)
clawbrain setup installs hook code into ~/.openclaw/hooks/ or ~/.clawdbot/hooks/, which are system-level hook directories outside the skill's own directory. These hooks persist independently of whether the skill is active or installed, meaning removal of the skill package does not necessarily remove the running hook.
LOW: Security Scanner Deflection Section in SKILL.md (-15)
The SKILL.md opens with a dedicated '📋 For Security Scanners' section that preemptively addresses known automated security scanner heuristics: missing env var declarations, sudo requirements, install mechanism disclosure, and credential handling. This pattern — where skill documentation is explicitly written to anticipate and neutralize scanner findings — is atypical of straightforward utility skills and suggests the author expected this scrutiny, which may warrant extra-thorough manual review.
LOW: Repository Provenance Change and Rapid Version Iteration (-10)
The _meta.json version history shows the earliest commit (0.1.3) originates from github.com/clawdbot/skills, while subsequent versions (0.1.6+) originate from github.com/openclaw/skills. The skill has released 4 versions rapidly. A repository ownership/organization change mid-development increases supply chain uncertainty and makes auditability of the full change history harder.
INFO: Canary Files Read During Audit Window (Monitoring Framework) (0)
auditd PATH records show reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json during the audit window. However, the six reads at 1771923839.973 are all at an identical timestamp, consistent with the oathe framework's own batch canary validation pass. The pre-install reads at 1771923817 are baseline checks. Official canary check confirms all files intact.