Good Memory

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to restore chat memory, but it automatically reads and reinserts prior session history and persists startup behavior without enough user control.

Review before installing. Use this only in a trusted, single-user OpenClaw environment where automatic restoration of prior chat history is desired. Avoid it for shared agents or sensitive workflows unless you add explicit opt-in, restrict session scope, back up AGENTS.md, validate the installer source, and provide a clear way to disable and delete the tracker.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (26)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        # 6. If last_history exists, read the history records
        if reset_detected and last_history and os.path.exists(last_history):
            log(f"读取历史记录:{RECOVERY_SCRIPT} read-file {last_history}")
            history_result = subprocess.run(
                [RECOVERY_SCRIPT, "read-file", last_history, "--lines", "50"],
                capture_output=True,
                text=True,
Confidence
87% confidence
Finding
history_result = subprocess.run( [RECOVERY_SCRIPT, "read-file", last_history, "--lines", "50"], capture_output=True, text=True,

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The installer advertises configurable install paths via environment variables, but the embedded Python block ignores them and reads/writes fixed paths under /root/.openclaw. This can cause the script to touch the wrong user's data, silently fail in non-default deployments, or bypass administrator expectations about where session data should live.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The injected AGENTS.md block hard-codes recovery script paths under /root/.openclaw even though the installer claims path customization. In customized environments this can execute the wrong code path, break startup behavior, or unexpectedly reference another installation's files.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script persistently records agent/chat-to-session mappings and session history across resets in a tracker file, which goes beyond transient context restoration and creates a durable metadata store of user interactions. In this skill context, that behavior is privacy-sensitive because it links identities and prior session artifacts across boundaries the user may reasonably expect to be ephemeral.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The `read-file` command accepts an arbitrary path and passes it to `tail`, allowing the script to read any file the current user can access, not just reset/session files. In the context of a session-recovery skill, this unnecessarily broadens the capability into a generic file-reading primitive, which can expose unrelated sensitive data if invoked by another component or mistaken user.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation states that prior conversation history is automatically restored after a session reset, but it does not warn users that potentially sensitive prior messages may be reintroduced into a new session context. This can expose private data unexpectedly, especially on shared devices, multi-user agents, or when users assume a reset cleared context.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The description says the skill runs automatically after installation and on every session start, but does not define strict trigger conditions or scope. Broad automatic activation increases the chance of unintended execution, surprise behavior, and unauthorized access to prior session data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation emphasizes seamless automatic operation but does not clearly warn that the skill reads prior conversation history and modifies AGENTS.md. Because session histories can contain secrets or private data, failing to disclose these behaviors meaningfully undermines user awareness and consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script downloads an archive from a remote endpoint and then immediately executes a nested installer from the extracted contents with no signature verification, checksum validation, pinning, or meaningful warning to the user. This creates a supply-chain execution path where compromise of the download server, DNS/TLS interception, or replacement of the archive leads directly to arbitrary code execution on the host.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script logs agent, chat_id, and session_key directly to a file. These identifiers can be sensitive correlation tokens, and persisting them without minimization or user disclosure increases the risk of session tracking, leakage to other local users/processes, and forensic exposure.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill automatically reads prior conversation history and injects it into the agent context without meaningful consent, filtering, or trust separation. In an agent environment, this is dangerous because old user content or adversarial prompts can be elevated into a fresh session and influence future behavior or expose prior sensitive data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The installer enumerates session metadata and reads existing session files to build a tracker, but it does so during installation without explicit consent or a clear privacy warning. Because this skill's purpose is to recover conversation history, silently processing historical chat data increases the risk of unexpected disclosure of sensitive prior conversations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer modifies AGENTS.md to add automatic execution instructions without an explicit approval step, backup prompt, or prominent notice that user/agent configuration is being altered. Silent persistence into startup configuration is security-relevant because it changes future agent behavior and can be hard for users to notice or undo.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The script's messaging says operation is fully automatic and not perceptible to the user, which undermines transparency for a feature that accesses and restores prior conversation state. For a memory-restoration skill, reducing user awareness makes accidental disclosure or misuse of sensitive history more likely.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script silently initializes and writes a tracker file that persists cross-session metadata without any notice, consent, or audit surface for the user. In a session-recovery skill, undisclosed persistence is more dangerous because users may believe resets clear context, while the script preserves linkage data behind the scenes.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script consumes path-related environment variables and defaults to writing under /root/.openclaw, creating persistence in a sensitive root-scoped location without informing the user. If executed with elevated privileges or inherited environment state, this can lead to unexpected data placement, privacy issues, or writes to attacker-influenced paths.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script prints recovered conversation history directly to stdout, including user and assistant message text that may contain secrets, credentials, personal data, or prior system instructions. Because this skill is specifically designed to recover session history after resets, its core data source is likely to be highly sensitive, making unguarded disclosure more dangerous in this context than in an ordinary log-viewing tool.

Ssd 3

Medium
Confidence
91% confidence
Finding
The changelog describes automatically restoring prior session context across resets and increasing retained history, which expands reuse of previously stored user content. In a session-oriented system, this can expose sensitive prior conversation data to a later context, especially if reset boundaries are meant to clear memory or if session/user mapping is imperfect.

Ssd 3

Medium
Confidence
95% confidence
Finding
This change promotes direct parsing of raw session JSONL, including tool calls and results, to rebuild context from prior sessions. Raw transcripts and tool outputs commonly contain secrets, file paths, tokens, or sensitive user data, so broad replay into a new session materially increases the chance of privacy leakage or cross-session data exposure.

Ssd 3

Medium
Confidence
94% confidence
Finding
Reading and formatting the last 30 records, including user, assistant, and tool operation history, into files for later agent consumption creates additional copies of sensitive transcript data and broadens access paths. This increases the attack surface for unintended disclosure, especially if temporary files, trackers, or downstream agents are accessible outside the original privacy context.

Ssd 3

Medium
Confidence
90% confidence
Finding
The documented recovery workflow instructs reading previous session files from stored paths after reset detection. Any design that reopens historical transcript files based on tracker state risks exposing old conversation content if path validation, ownership checks, or reset semantics are weak.

Ssd 3

Medium
Confidence
89% confidence
Finding
This earlier workflow likewise directs reopening prior session files to restore context after reset. Even if intended for continuity, it weakens the privacy boundary that a reset normally implies and can leak historical transcript data if the mapping between current and prior sessions is incorrect or attacker-influenced.

Ssd 3

High
Confidence
98% confidence
Finding
The core feature is automatic restoration of the last 50 messages from previous sessions after reset or session rotation. This creates a natural-language data leakage path because prior conversation content, potentially including secrets or sensitive user data, is reintroduced into a new session without clear per-event consent or isolation guarantees.

Ssd 3

High
Confidence
99% confidence
Finding
The code injects prior conversation content, including user-supplied text, directly into the new session context with no minimization or trust-boundary enforcement. This creates a cross-session data leakage and prompt-injection channel, especially risky because the script states the platform will treat its output as a system message.

Ssd 3

High
Confidence
99% confidence
Finding
The injected startup instructions automatically run a recovery script and state that prior conversation output will be inserted at the beginning of the dialogue without user action. In this skill context, that means historical chat content can be surfaced into a new session automatically, creating a direct confidentiality risk if resets were intended to clear context or if multiple users share access.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
