虾尊 Automatic Memory Manager

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it creates an ongoing background process that reads private conversations and stores selected details without clear limits or cleanup controls.

Install only if you are comfortable with a scheduled OpenClaw task reading your conversations and saving selected details long-term. Avoid using it with secrets or sensitive chats unless you add redaction, review, deletion, and retention rules. Keep Feishu delivery disabled unless you know the destination and exact notification contents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The weekly cron sends a Feishu notification, which creates an outbound data flow beyond the stated purpose of local conversation scanning and memory maintenance. Even if the payload is only a completion notice, external delivery expands the trust boundary and can leak metadata about user activity, schedule, or system usage without clear necessity.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly promotes automatic scanning of conversation history and writing detected information into persistent memory, but it does not disclose the privacy implications, consent expectations, retention behavior, or what kinds of data may be captured. Because conversation transcripts often contain sensitive personal, operational, or credential-adjacent information, undocumented background collection materially increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill is designed to automatically read conversation transcripts and persist extracted information into memory files, but the description does not clearly warn users about privacy, retention, or the scope of data collection. This is dangerous because sensitive user and assistant content may be continuously copied into durable storage without informed consent or clear retention boundaries.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The weekly merge workflow includes sending a completion notification to Feishu, but the skill text does not prominently warn that information will be delivered to an external service. This is risky because users may assume all processing is local while operational metadata or message content is transmitted off-platform.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script prints raw transcript excerpts from both user and assistant messages directly to stdout. In this skill’s context, stdout is likely consumed by logs, cron output, or another AI stage, so sensitive conversation content may be exposed beyond its original scope without consent or minimization.

Ssd 3

Medium
Confidence
90% confidence
Finding
The instructions explicitly direct the agent to read all new user and assistant transcript content and persist important parts into memory artifacts on an ongoing basis. In context, this creates broad automated retention of potentially sensitive conversation-derived data, increasing exposure if memory files are later accessed, merged, or exfiltrated.

Ssd 3

Medium
Confidence
92% confidence
Finding
The cron prompt operationalizes automatic reading of new user and assistant messages and recording of 'important information' without a strong privacy guardrail or explicit user approval. Because this runs periodically and silently, it can accumulate sensitive facts over time and make them easier to misuse or expose than the original transient conversation stream.

Ssd 3

Low
Confidence
85% confidence
Finding
The weekly merge consolidates accumulated conversation-derived memory into a longer-lived summary, reinforcing retention and increasing the value of the artifact as a target. While summarization itself is not inherently malicious, combining ongoing retention with periodic consolidation broadens the impact of any later unauthorized access or accidental sharing.

Ssd 3

Medium
Confidence
98% confidence
Finding
The script emits newly scanned conversation messages and current memory content to stdout, which can leak private data into terminal history, cron mail, centralized logging, or downstream agent-visible output. Because this skill is designed to automatically scan conversations every 15 minutes, the exposure is recurring and broadens the blast radius of any sensitive data present in chats.

Ssd 3

High
Confidence
97% confidence
Finding
The cron job explicitly instructs an isolated agent to read transcript content from both user and assistant messages, extract 'important information,' and persist it into memory files every 15 minutes. This creates a continuous data-retention pipeline for potentially sensitive conversation content without any scoped consent, minimization, exclusion rules, or privacy guardrails, increasing the risk of storing secrets, personal data, internal decisions, and other sensitive material long-term.

Session Persistence

Medium
Category
Rogue Agent
Content
cp -r scripts/memory-scan.py ~/.openclaw/scripts/

# Initialize scan-state.json
mkdir -p ~/.openclaw/workspace/memory
echo '{"last_scan_ts": 0}' > ~/.openclaw/workspace/memory/scan-state.json

# Create cron (the transcript path must be replaced manually)
Confidence
82% confidence
Finding
mkdir -p ~/.openclaw/workspace/memory echo '{"last_scan_ts": 0}' > ~/.openclaw

VirusTotal

65/65 vendors flagged this skill as clean.
