Security audit

Layered Memory Sys

Security checks across malware telemetry and agentic risk

Overview

This memory skill is purpose-aligned, but it needs review because it can read conversation logs, persist or delete memory data, and expose unauthenticated local API/WebSocket services.

Install only if you intentionally want a local long-term memory service with access to recent OpenClaw session logs. Before enabling it, bind API and WebSocket services to localhost or add authentication, disable auto-write and remote providers unless needed, review SESSION_DIR and MEMORY_DIR, make backups, and avoid running the installer as root unless you want a persistent system service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (33)

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: The installer creates and enables a systemd unit, which modifies host-level service configuration and causes the skill to persist beyond the immediate install session. For a memory-management skill this is broader-than-minimal system impact and can surprise users, especially because it starts automatically on boot.

Context-Inappropriate Capability
Severity: Low
Confidence: 90%
Finding: Starting the API with nohup creates a detached background process that persists after the installer exits, which is a form of host process management not strictly necessary for installation. This can lead to unexpected long-running services, port exposure, and operational confusion if the user did not clearly consent to auto-start behavior.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The module reads agent session transcripts from a global sessions directory and exposes searchable excerpts and recent-message summaries. Session logs commonly contain highly sensitive prompts, secrets, tokens, personal data, and unrelated conversations, so this creates a broad data-access capability outside the stated layered-memory store and can leak data across contexts.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: Using a hard-coded global path (/root/.openclaw/agents/main/sessions) gives the skill visibility into unrelated runtime session files, bypassing normal data-boundary expectations. This increases the chance of unauthorized cross-session or cross-task data access and makes the behavior environment-specific and hard to audit.

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: The generated HTML loads Chart.js from a third-party CDN, creating an unnecessary network dependency for a local statistics/reporting tool. If the CDN is unavailable, blocked, or serves a tampered script, opening the report can execute attacker-controlled JavaScript in the user's browser and expose report contents or perform actions in that browser context.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The WebSocket server subscribes to every event in the internal event bus and broadcasts each event payload to every connected client without any authentication, authorization, or event filtering. In a layered-memory system, internal events are likely to contain sensitive memory contents, metadata, backup activity, archive operations, or administrative state, so exposing all events creates a broad data-leak and system-observation channel.

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: The code starts a WebSocket listener on a network port and accepts any client connection, but there is no authentication, origin validation, token check, or access control. That makes the event stream available to any party that can reach the port, enabling unauthorized monitoring of application activity and potentially sensitive memory-management operations.

Context-Inappropriate Capability
Severity: Medium
Confidence: 91%
Finding: The code scans raw session transcript files from a filesystem path and derives persistent memories from user messages without an explicit trust boundary or consent check. In a memory-management skill, accessing prior conversations may be functionally related, but reading arbitrary session files from disk broadens data access and can capture sensitive content beyond what users reasonably expect.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: When API mode is enabled, the module transmits raw text to third-party embedding providers. In a long-term memory system, that text can contain sensitive memories, prompts, secrets, or personal data, so this creates a real data-exfiltration/privacy risk beyond purely local processing.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The summarizer transmits session dialogue content to third-party LLM endpoints and pulls provider API keys from environment variables, which creates a real data-exfiltration path for potentially sensitive memory/session content. In a long-term memory system, session context may include personal data, secrets, or internal reasoning, so sending it externally without explicit consent, policy checks, redaction, or manifest justification materially increases privacy and compliance risk.

Context-Inappropriate Capability
Severity: Medium
Confidence: 87%
Finding: This module provides broad access to raw session logs, including search across recent files, full-session context retrieval, and bulk aggregation of recent messages. In a memory-management skill, that creates a privacy boundary issue because historical conversations may be exposed beyond the minimum data needed for layered-memory functions, and there is no visible authorization, scope restriction, or consent check in this file.

Missing User Warnings
Severity: Medium
Confidence: 78%
Finding: The README explicitly instructs users to configure persistent memory and session log storage, but it does not warn that these files may contain sensitive prompts, user data, or long-term behavioral history. In a memory-management skill, silent persistence materially increases privacy and retention risk because operators may enable the feature without understanding what is being stored or for how long.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The README exposes local REST and WebSocket endpoints and provides example requests, but it does not mention authentication, binding restrictions, or the risk of exposing local memory data to other users/processes on the host or network if misconfigured. For a service handling long-term agent memory, undocumented access-control expectations can lead to unauthorized read/write access and data leakage.

Vague Triggers
Severity: Medium
Confidence: 73%
Finding: The trigger words include broad, common terms such as '记忆' (memory), '分层' (layered), '归档' (archive), and '备份' (backup), which raises the chance of accidental invocation in unrelated conversations. Because this skill can alter stored data, run maintenance tasks, and potentially initiate install/deployment workflows, unintended activation increases the risk of unwanted state changes or privileged actions.

Missing User Warnings
Severity: Medium
Confidence: 86%
Finding: The documentation describes deletion, archival, overwrite-on-import, automatic forgetting, and automated backups, all of which can materially affect user data, but it does not present clear warnings, confirmation requirements, rollback guidance, or data retention implications. In a memory-management skill, these are safety-critical operations because accidental execution can permanently remove or expose sensitive records.

Vague Triggers
Severity: Medium
Confidence: 89%
Finding: The auto-write triggers are broad natural-language phrases such as '记住' (remember) and '别忘了' (don't forget), and generic completion markers like '已经' (already) and '成功' (succeeded), which can easily appear in ordinary dialogue rather than deliberate persistence requests. In a memory-management skill with automatic writing enabled, this can cause unintended storage of conversational content, including sensitive or irrelevant data, and makes prompt-triggered persistence easier for untrusted users.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The script writes configuration files, creates a systemd unit, may copy files into /etc/systemd/system, and launches a background process without a prominent upfront summary of these host changes. Lack of clear disclosure increases the risk of users unknowingly granting persistence and service exposure on their machine.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The code automatically reads recent session logs, extracts user/assistant content, and persists derived summaries into the long-term memory index and archive without any consent, notice, or per-item approval flow. In a memory-management skill, this behavior is core functionality, but it still creates a real privacy and data-retention risk because sensitive conversation content can be silently promoted into longer-lived storage.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The code parses session logs and returns content snippets, and the CLI prints matched conversation text directly to stdout without any warning, consent prompt, or masking. If an operator runs this tool, sensitive conversation data may be disclosed on-screen, logged by terminals, or captured by surrounding automation.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The service transmits internal event data over the network to all connected clients, yet the code shows no indication of consent, disclosure, or scoping of what data leaves the process. In this skill context, which manages long-term memory and backups, silent network broadcasting increases the risk of unintentionally exposing sensitive user memories or operational metadata to observers.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The code persists conversation-derived memories automatically when trigger phrases are detected, and does so without any explicit consent gate, approval workflow, or user-facing notice at write time. In a long-term memory skill, this creates a real privacy and data-retention risk because sensitive user disclosures may be stored permanently or semi-persistently based on natural-language cues that can be ambiguous or accidental.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: User messages from session files are automatically persisted into memory storage based on keyword matching, with no visible disclosure, confirmation, or consent flow in this code path. This creates a stealthy data collection and retention mechanism that can store sensitive personal or operational information users did not intend to preserve long-term.

Missing User Warnings
Severity: Medium
Confidence: 82%
Finding: The embedding refresh path sends the concatenated memory title and summary to an embedding function with no visible indication of whether processing is local or remote and no disclosure of outbound data handling. If the embedding provider is external, sensitive memory contents may be transmitted off-box without informed consent or data governance controls.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The dream cycle automatically deletes flash-layer memories and archives other active memories once TTL is exceeded, with no explicit user confirmation, safety interlock, dry-run mode, or recovery path visible in this file. In a long-term memory management skill, unattended destructive actions can cause irreversible data loss or silent corruption of an agent's memory state, especially because this logic is triggered as part of an automated maintenance workflow.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The code sends supplied text to external embedding endpoints without any user-facing warning, consent flow, or visible privacy boundary. Because this skill manages persistent memory, users may reasonably expect local handling, making silent remote transmission especially risky.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.env_credential_access (Critical): environment variable access combined with network send.
  • src/search/embedder.mjs:34
  • src/search/llm-summarizer.mjs:40