Memory Pill

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only memory/orchestration skill that persistently organizes OpenClaw workspace files. Its main risks are the disclosed local memory storage and the optional integrations (email/calendar checks and a cron command) that reach beyond its stated scope, not malicious behavior.

Install only if you want OpenClaw to maintain persistent workspace memory and agent behavior files. Before activation, ask the agent to show planned changes or diffs, avoid storing secrets or sensitive personal data, review ~/.openclaw/workspace periodically, and treat email/calendar checks and the optional cron command as separate opt-in actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Description-Behavior Mismatch

Severity: Medium, confidence 93%
Finding:
The skill extends beyond memory/orchestration into checking urgent emails/calendar and scheduled maintenance behavior. That broadens access to sensitive external data and introduces actions outside the declared purpose, increasing the chance of overreach or unintended privacy-impacting behavior.

Context-Inappropriate Capability

Severity: Medium, confidence 95%
Finding:
Inspecting urgent emails/calendar is not necessary for a memory/orchestration skill and can expose highly sensitive personal or business information. Even if framed as a heartbeat check, this creates an unjustified privilege expansion and weakens least-privilege boundaries.

Context-Inappropriate Capability

Severity: Low, confidence 82%
Finding:
Optional cron-based scheduled execution introduces persistence and autonomous re-entry that are not clearly required by the skill’s stated purpose. This can cause the agent to act later, outside the user’s immediate awareness, and increases operational risk if the scheduled command evolves or is misconfigured.

Intent-Code Divergence

Severity: Medium, confidence 96%
Finding:
The skill states 'never auto-setup' and 'ask permission,' but its activation flow instructs immediate filesystem creation and modification. This contradiction can cause silent persistent changes after a broad trigger phrase, undermining user expectations and informed consent.

Vague Triggers

Severity: Medium, confidence 94%
Finding:
The trigger phrase 'Take the pill' is broad and maps to a large set of audit and modification actions. A casual or ambiguous user utterance could unintentionally activate persistent changes, especially because the skill couples the phrase to a multi-step setup flow.

Missing User Warnings

Severity: Medium, confidence 97%
Finding:
The upfront activation section does not clearly warn that the skill will inspect, create, and modify persistent files under the user’s workspace. Without an immediate disclosure, users may invoke it without understanding the storage, retention, and mutation consequences.
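A practical way to act on this finding, and on the earlier advice to ask the agent for planned changes or diffs, is to snapshot the workspace before invoking the skill and diff it afterwards, so every file the setup flow created or modified is visible regardless of what the skill disclosed. The Python below is an added example written for this page, not code from the Memory Pill skill or the SkillSpector report. It assumes the workspace is an ordinary directory tree (the report names ~/.openclaw/workspace), and it stands in for the skill's setup with a constructed function that writes files named after the ones the report mentions (IDENTITY.md, USER.md, a daily log) and appends to a constructed pre-existing notes file.

```python
"""Snapshot an agent workspace before a skill activates and diff it afterwards.

Added example, not part of the Memory Pill skill or the scanner report. The
workspace is assumed to be a plain directory tree (the report names
~/.openclaw/workspace); the demo runs on a constructed temporary copy.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, str]:
    """Map each file path (relative to root, POSIX form) to the SHA-256 of its bytes."""
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Classify each path as created, modified, or deleted between two snapshots."""
    return {
        "created": sorted(p for p in after if p not in before),
        "modified": sorted(p for p in after if p in before and after[p] != before[p]),
        "deleted": sorted(p for p in before if p not in after),
    }


def simulate_activation(root: Path) -> None:
    """Constructed stand-in for a memory skill's setup flow.

    It creates the profile files the report names (IDENTITY.md, USER.md), a
    daily log under a memory/ directory (layout assumed), and appends to an
    existing file; all contents are placeholders.
    """
    (root / "IDENTITY.md").write_text("# IDENTITY\nrole: assistant\n")
    (root / "USER.md").write_text("# USER\nname: example\n")
    (root / "memory").mkdir(exist_ok=True)
    (root / "memory" / "2024-01-01.md").write_text("- first daily log entry\n")
    notes = root / "notes.md"
    notes.write_text(notes.read_text() + "- memory skill enabled\n")


def demo() -> dict[str, list[str]]:
    """Run snapshot -> activation -> snapshot on a constructed workspace."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.md").write_text("# notes\n")      # pre-existing, gets modified
        (root / "README.md").write_text("untouched\n")   # pre-existing, unchanged
        before = snapshot(root)
        simulate_activation(root)
        return diff_manifests(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

For real use, call snapshot() on the workspace before saying the trigger phrase, call it again after the agent reports it is done, and compare the result with the plan the agent showed you; any created or modified path the plan did not mention is exactly the silent persistent change this finding warns about.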

Ssd 3

Severity: Medium, confidence 95%
Finding:
The skill instructs persistent recording of user-provided information into daily logs and fact stores without defining consent boundaries, retention limits, or sensitive-data exclusions. This can lead to accumulation of personal, confidential, or regulated information beyond what the user intended to store.

Ssd 3

Severity: Medium, confidence 92%
Finding:
The BOOTSTRAP flow solicits identity and user profile details for storage in IDENTITY.md and USER.md through conversational onboarding. Collecting and persisting profile data without a clear privacy notice, purpose limitation, and consent mechanism creates unnecessary privacy risk.

Ssd 3

Severity: Medium, confidence 96%
Finding:
The daily-notes and fact-extraction guidance encourages continuous retention of preferences, decisions, and constraints in persistent storage. Without minimization rules, this can become a broad behavioral dossier containing more user data than is necessary for task completion.
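Since the skill itself defines no minimization, retention, or sensitive-data rules, the user has to supply that check. One way to cover all three findings above is to audit the memory files for secrets and personal data and to flag daily logs older than a retention window. The Python below is an added example, not code from the skill or the scanner. It assumes daily logs are markdown files named YYYY-MM-DD.md under a memory/ directory beside USER.md (a layout assumed from the report's description, not confirmed by it); the regex set is a starting point, and the sample files, including the dummy access key, are constructed for the demo.

```python
"""Audit persistent memory files for secrets, personal data, and stale logs.

Added example for the data-retention findings; not part of the Memory Pill
skill or the scanner. Layout assumption: daily logs are memory/YYYY-MM-DD.md
and profile data lives in USER.md. Sample content below is constructed.
"""
import re
import tempfile
from datetime import date
from pathlib import Path

# Content a reviewer would not want persisted in agent memory. Constructed
# starting set; extend with your own credential formats and identifiers.
SENSITIVE_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_secret": re.compile(r"(?i)\b(api[_-]?key|key|token|password|secret)\s*[:=]\s*\S+"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\+?\d{1,3}[ -]?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}\b"),
}
DAILY_LOG = re.compile(r"^(\d{4})-(\d{2})-(\d{2})\.md$")


def scan_text(name: str, text: str) -> list[dict]:
    """Return one finding per (line, pattern) hit; the matched text is not copied out."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(line):
                findings.append({"file": name, "line": lineno, "kind": kind})
    return findings


def stale_logs(root: Path, today: date, max_age_days: int) -> list[str]:
    """Daily logs older than the retention window; the skill defines none, so pick one."""
    stale = []
    for path in root.rglob("*.md"):
        m = DAILY_LOG.match(path.name)
        if m and (today - date(*map(int, m.groups()))).days > max_age_days:
            stale.append(path.relative_to(root).as_posix())
    return sorted(stale)


def audit(root: Path, today: date, max_age_days: int = 30) -> dict:
    """Scan every markdown file under root and report sensitive hits plus stale logs."""
    findings = []
    for path in root.rglob("*.md"):
        findings.extend(scan_text(path.relative_to(root).as_posix(), path.read_text()))
    findings.sort(key=lambda f: (f["file"], f["line"], f["kind"]))
    return {"sensitive": findings, "stale": stale_logs(root, today, max_age_days)}


def demo() -> dict:
    """Build a constructed workspace and audit it as of a fixed date."""
    today = date(2024, 3, 1)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        mem = root / "memory"
        mem.mkdir()
        # Constructed samples; the AKIA value is a dummy, not a real credential.
        (mem / "2024-01-10.md").write_text(
            "- user prefers dark mode\n- deploy key: AKIAABCDEFGHIJKLMNOP\n")
        (mem / "2024-02-28.md").write_text("- call back at +1 555 123 4567\n")
        (root / "USER.md").write_text("name: Alice\nemail: alice@example.com\n")
        return audit(root, today)


if __name__ == "__main__":
    result = demo()
    for f in result["sensitive"]:
        print(f"{f['file']}:{f['line']} {f['kind']}")
    print("stale:", result["stale"])
```

The scanner reports the file, line, and category but deliberately does not echo the matched value, so the audit output itself does not become another copy of the secret. Run it over ~/.openclaw/workspace on a schedule you control, which is also the periodic review the overview recommends.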

VirusTotal

64/64 vendors flagged this skill as clean.
