Cognitive Brain

Security checks across malware telemetry and agentic risk

Overview

This is a real memory skill, but it stores and reuses broad conversation history with too little user control or privacy disclosure.

Install only if you intentionally want persistent cross-session memory. Use a dedicated local database account, review the session-file scanning and hook behavior, avoid root or one-shot auto setup on sensitive hosts, regenerate dependencies from trusted HTTPS registries, and confirm you have a way to inspect, disable, and delete stored memories before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (54)

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
This hook can invoke `execSync('npm install --production')` against a skill-controlled directory at runtime, which creates an unnecessary code-execution and supply-chain surface for a recall handler. If the package manifest or registry resolution is influenced, the install step may execute lifecycle scripts or pull attacker-controlled code with the agent's privileges.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The code opens and parses full session transcript files from `/root/.openclaw/agents/main/sessions` to mine assistant replies, which exceeds the minimum access needed for message recall. This broad file access can expose unrelated conversation history and sensitive data across sessions, especially because the session file is read wholesale and searched heuristically.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding:
The installer claims to perform a simple installation, but it runs `npm install --include=dev`, which can execute arbitrary lifecycle scripts such as `postinstall` from the downloaded package tree. Because the repository is cloned from the network immediately beforehand, this gives remote code execution during installation with the user's privileges.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding:
The module is presented as an explainability component, but it persistently stores decision, recall, and context data to a file under the user's home directory. In a skill context, that creates a privacy and transparency issue because users and integrators may not expect sensitive behavioral data, queries, and recalled content to be retained on disk.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding:
The loader retrieves shared memory and explicitly prints personally identifying and contextual data to stdout, including the user's name and contact information. In a session-start component, stdout is often captured by terminals, logs, orchestration layers, or monitoring systems, so this creates an unnecessary data exposure path for sensitive information.

Intent-Code Divergence

Severity: Medium
Confidence: 87%
Finding:
The script is presented as a local embedding generator, but it hard-codes HF_ENDPOINT to an external mirror, which can trigger remote downloads during model initialization. This creates an undisclosed supply-chain and privacy risk because text-processing infrastructure that operators believe is local may depend on a third-party service and fetch model artifacts from outside the environment.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The documentation states that automatic setup can install PostgreSQL, Redis, and pgvector and explicitly notes it may require root privileges, but it does not provide a prominent warning or require explicit confirmation for system-level changes. In an agent skill context, one-command installation that may invoke privileged package installation materially increases the risk of unintended host modification and supply-chain abuse.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The reset command is documented as clearing memory data, but the destructive nature is not highlighted with a strong irreversible-data-loss warning. In an automated agent environment, terse documentation around destructive commands can lead to accidental execution and loss of retained conversation history or operational state.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The uninstall command is described as removing databases, hooks, and configuration files, but the documentation does not prominently warn about the breadth of deletion. This is dangerous in a skill ecosystem because users or agents may treat uninstall as harmless cleanup while it can remove persistent data and alter host integration points.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The trigger phrases are broad, common conversational terms such as '记得' ("remember"), '不对' ("that's wrong"), and '总结' ("summarize"), which can fire during ordinary user dialogue rather than an intentional memory-management request. In a skill that encodes, recalls, reflects on, and forgets cross-session data, accidental activation can cause unintended storage, retrieval, or modification of user memory context.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
The description explicitly advertises '跨会话记忆注入' (cross-session memory injection) but provides no indication of consent, scoping, or user-visible notice. Automatically reusing prior-session data without clear disclosure creates a substantial privacy and data-handling risk, especially if prior conversations contain sensitive personal or confidential information.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The installation guide instructs users to run privileged package-management and service-management commands that alter the host system, but it does not clearly warn about root privileges, service persistence, or operational impact. In a skill-installation context, this increases the chance that users will execute broad system changes without understanding the trust boundary or reviewing the commands first.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The guide shows a plaintext password being entered and later suggests direct password changes without any warning about secret exposure. This encourages unsafe handling of credentials in terminals, shell history, screenshots, and shared documentation, which can lead to credential leakage.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The configuration section normalizes storing database credentials in a local config file and even demonstrates setting a password via a command, without warning about file permissions or safer secret-storage options. In an install guide, this can directly lead users to persist secrets in readable files or commit them to version control.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The hook explicitly describes automatic cross-session recall of user preferences, facts, and recent episodes from a PostgreSQL memory store and injection of that context at bootstrap, but it provides no mention of user consent, notice, opt-in controls, or data minimization. This creates a real privacy and security risk because sensitive historical data may be surfaced into new sessions or exposed to agents and workflows that the user did not expect.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
Automatically spawning a subprocess to install dependencies without user knowledge or approval is unsafe in a hook context, because it changes the host environment and can execute untrusted package install logic. In a privileged agent runtime, this can become arbitrary code execution or persistent tampering.

Missing User Warnings

Severity: High
Confidence: 95%
Finding:
The hook automatically persists user messages into long-term memory storage without any visible disclosure, consent, or filtering of sensitive content. That creates a privacy and data-retention risk, and stored content is later eligible for reinjection into future prompts, amplifying accidental exposure.

Missing User Warnings

Severity: High
Confidence: 95%
Finding:
Assistant replies are harvested from persisted session files and re-stored without disclosure, extending retention beyond the immediate session. This can capture sensitive model output, operational details, or prior context not intended for long-term storage, then reuse it in later interactions.

Missing User Warnings

Severity: High
Confidence: 94%
Finding:
The skill infers and writes user profile data to disk (`user_model.json`) without visible warning, including name, preferences, communication style, and interaction patterns. Silent profiling increases privacy risk and creates a durable sensitive artifact that may be accessed by other components or leaked later.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The script creates directories, clones or updates a remote repository, and installs packages without an explicit consent checkpoint or clear warning about those side effects. In an installer context this increases the chance that users trigger network activity and code execution they did not fully understand, especially when combined with the advertised one-liner install flow.

Natural-Language Policy Violations

Severity: Medium
Confidence: 91%
Finding:
The lockfile hard-codes package downloads to `http://mirrors.tencentyun.com`, a region-specific third-party mirror, rather than the default npm registry over HTTPS. This creates a supply-chain risk because installs depend on an externally controlled mirror and, due to plain HTTP, package metadata and tarball URLs are exposed to tampering or interception in transit.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The export command prints the full in-memory network to stdout, and that network is populated from the database in `loadFromDB()`. If concept metadata or associations contain sensitive internal data, stdout exposure can leak it to logs, calling processes, shell history workflows, or other users with access to captured output.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The script permanently deletes rows from the episodes table as part of the optimization task with no confirmation, dry-run mode, safeguard, or visible warning to the operator. In an agent/skill context, this can cause silent loss of historical memory and reduce auditability or recovery if the task is triggered unintentionally or with overly broad criteria.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The `save()` path writes accumulated explanation entries directly to `.explanation-log.json` without any notice, consent flow, or access control checks. Because explanations include user intent, recall queries, and memory-derived content, this silently creates a local data exhaust that could expose sensitive user information to other local processes or later operators.
</grreplace>
<gr_replace lines="216-219" cat="reformat" orig="Medium">
Severity: Medium
Confidence: 81%
Finding:

Missing User Warnings

Medium
Confidence
81% confidence
Finding
This code performs permanent deletion of records from the episodes table without an explicit confirmation gate, dry-run requirement, or transactional safeguard at the point of execution. In a skill context that manages memory/state, mistaken invocation, bad configuration, or logic drift can cause irreversible loss of data, making the destructive behavior materially risky even though it is not overtly malicious.

VirusTotal

62/62 vendors flagged this skill as clean.