
Security audit

MemCore 记忆核心

Security checks across malware telemetry and agentic risk

Overview

MemCore presents as a legitimate local memory system, but once installed it performs broad, persistent indexing of private OpenClaw workspace data without adequate consent or retention controls.

Review this before installing. It shows no malware-like exfiltration: static analysis found no suspicious patterns and VirusTotal reports 64/64 vendors clean. But installation and routine use can immediately process and durably store sensitive OpenClaw workspace memories, session state, search queries, and generated summaries. Install only if you are comfortable with durable local indexing; back up ~/.openclaw first and decide in advance whether to enable the cron and meeting-end automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill instructs the agent to run shell commands and interact with local files, but it does not declare any permissions. That creates a capability/transparency gap: operators may enable or trust the skill without understanding it can read and write workspace data and invoke Python tooling, increasing the chance of unintended file access or modification.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The retriever silently writes search telemetry into a separate feedback database even though its apparent purpose is memory lookup. In a memory system, queries can contain highly sensitive user intent, secrets, incident details, or personal data, so undisclosed persistence expands the data exposure surface and creates a secondary store that may be less protected or retained longer than expected.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The code parses and persists active SESSION-STATE.md contents into the trace index, including key context values and correction records, even though the module description frames the feature as indexing daily markdown logs. SESSION-STATE files commonly contain live session context, proper nouns, decisions, and possibly transient secrets or sensitive operational details, so broad ingestion expands the data retention surface and can expose information to later retrieval flows unexpectedly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation explicitly says that saying “散会” (“meeting adjourned”) causes the system to summarize conclusions, write lessons into MEMORY.md, index logs, decay memories, and update state automatically. That is a real safety issue: it describes persistent data modification triggered by a natural-language event without a prominent warning, confirmation step, or clear consent boundary, which can lead to unintended writes, corruption of memory state, or privacy-sensitive data being stored durably.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The file documents unattended scheduled maintenance at 04:00 and 16:00 that indexes logs, derives patterns, decays memories, and refreshes briefs “不打扰” (“without disturbing” the user), but does not clearly foreground that background processing will continuously change stored state. This is dangerous because users may assume the skill is passive documentation/retrieval while it is actually performing autonomous data processing and mutation, increasing the risk of unnoticed data retention, unexpected behavioral drift, and hard-to-audit state changes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The installer unconditionally creates a directory under the user's OpenClaw workspace and copies Python modules into it without prompting, dry-run output, or requiring an explicit destination override. In an agent-skill context, silently modifying a live workspace can overwrite trusted components, introduce unreviewed code into future agent runs, and surprise users who did not intend to install into that path.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
If a memory directory already exists, the installer immediately runs several Python commands that operate on the user's workspace data, causing indexing, induction, feedback, and brief-generation side effects without separate approval. In this skill's context, that is more dangerous because the tool is specifically designed to ingest and analyze historical memory, so install-time execution can process sensitive workspace contents and mutate state before the user has reviewed or configured the skill.
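The two installer findings above, plus the overview's advice to back up ~/.openclaw first, describe a pattern that is easy to invert: compute what the install would do, show it, and only then do it. The following is an added example written for this audit, not MemCore's installer or any OpenClaw tooling. It backs up the workspace to a tar archive, builds the install as a plan (module copies plus post-install commands that fire only when a memory directory already exists, as the finding describes), and executes it only behind a confirmation callback. The destination name `memcore`, the memory directory name `memory`, and the post-install command list are assumptions for illustration; the fixture in `demo()` is constructed.

```python
import os
import shutil
import subprocess
import tarfile
import tempfile
import time
from dataclasses import dataclass, field


@dataclass
class Plan:
    """Everything the install would do, as data, before any of it happens."""
    copies: list                      # (src, dst) file pairs
    commands: list                    # argv lists the installer would run afterwards
    notes: list = field(default_factory=list)


def backup_workspace(workspace, out_dir):
    """Archive the whole workspace before the installer touches it."""
    os.makedirs(out_dir, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = os.path.join(out_dir, f"openclaw-backup-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(workspace, arcname=os.path.basename(workspace))
    return archive


def plan_install(skill_src, workspace, dest_name, memory_dir_name, post_install):
    """Side-effect-free plan covering the two flagged behaviours: unconditional
    module copy into the workspace, and post-install commands that run only
    when a memory directory already exists."""
    dest = os.path.join(workspace, dest_name)
    copies = []
    for root, _, files in os.walk(skill_src):
        for name in sorted(files):
            if name.endswith(".py"):
                src = os.path.join(root, name)
                copies.append((src, os.path.join(dest, os.path.relpath(src, skill_src))))
    notes = []
    clobbered = [dst for _, dst in copies if os.path.exists(dst)]
    if clobbered:
        notes.append(f"{len(clobbered)} existing file(s) under {dest} would be overwritten")
    commands = []
    memory_dir = os.path.join(workspace, memory_dir_name)
    if os.path.isdir(memory_dir):
        commands = [list(argv) for argv in post_install]
        notes.append(f"{memory_dir} exists: {len(commands)} command(s) would process it at install time")
    return Plan(copies, commands, notes)


def apply_plan(plan, confirm):
    """Run the plan only if confirm(plan) returns True (an operator prompt,
    a policy check, or a --yes flag). Returns whether anything ran."""
    if not confirm(plan):
        return False
    for src, dst in plan.copies:
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
    for argv in plan.commands:
        subprocess.run(argv, check=True)
    return True


def demo():
    """Constructed fixture: a one-file skill and two workspaces, one with an
    existing memory directory and one without. Returns checkable results."""
    base = tempfile.mkdtemp()
    skill = os.path.join(base, "skill")
    os.makedirs(skill)
    with open(os.path.join(skill, "retriever.py"), "w") as f:
        f.write("print('hello')\n")
    ws_fresh = os.path.join(base, "ws-fresh")
    os.makedirs(ws_fresh)
    ws_used = os.path.join(base, "ws-used")
    os.makedirs(os.path.join(ws_used, "memory"))
    post = [["python3", "index_logs.py"]]            # assumed post-install command
    backup = backup_workspace(ws_used, os.path.join(base, "backups"))
    p_fresh = plan_install(skill, ws_fresh, "memcore", "memory", post)
    p_used = plan_install(skill, ws_used, "memcore", "memory", post)
    declined = apply_plan(p_used, lambda p: False)   # operator reads the plan and says no
    ran = apply_plan(p_fresh, lambda p: True)        # no memory dir, so no commands to run
    return {
        "backup_exists": os.path.isfile(backup),
        "fresh_commands": len(p_fresh.commands),
        "used_commands": len(p_used.commands),
        "declined": declined,
        "used_untouched": not os.path.exists(os.path.join(ws_used, "memcore")),
        "ran": ran,
        "fresh_copied": os.path.isfile(os.path.join(ws_fresh, "memcore", "retriever.py")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `plan_install` returning data rather than acting is that the operator sees, before anything changes, both the overwrite risk and the exact commands that will read their historical memory; `confirm` can be wired to an interactive prompt or to a policy that refuses any plan with non-empty `commands`.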

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code persistently stores free-form user feedback notes and retrieval queries in ~/.openclaw/feedback.db without any visible consent, minimization, retention, or access-control measures in this component. Because queries and notes can contain sensitive prompts, personal data, secrets, or proprietary context, local persistence increases privacy and data-exposure risk, especially on shared systems or when the database is later exfiltrated.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code logs user search queries to feedback storage without any user-facing notice or consent. Search terms in a memory assistant are especially sensitive because they can reveal private projects, credentials, health matters, financial topics, or internal incidents, and the hidden log creates a durable privacy risk beyond the immediate retrieval operation.
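Several findings above (undeclared shell and file access, the separate feedback database, query logging) are the kind of thing an operator can confirm on the skill's own source before enabling it. The following is an added triage helper written for this audit, not part of MemCore or SkillSpector: it walks a module's AST and records calls into subprocess, SQLite and filesystem sinks together with any string literals in their arguments, so a `sqlite3.connect(... "feedback.db")` or a `subprocess.run` shows up with context. `SAMPLE_MODULE` is a constructed stand-in and does not reproduce MemCore's code; the directory name `skill_modules` in it is invented.

```python
import ast
from collections import Counter
from dataclasses import dataclass

# Dotted call names worth flagging in code that will run inside the agent's
# workspace, mapped to a coarse sink class. Extend as needed.
SINK_CALLS = {
    "subprocess.run": "shell", "subprocess.Popen": "shell",
    "subprocess.call": "shell", "subprocess.check_output": "shell",
    "os.system": "shell", "os.popen": "shell",
    "sqlite3.connect": "sqlite",
    "shutil.copy": "fs-write", "shutil.copy2": "fs-write",
    "shutil.copytree": "fs-write", "shutil.rmtree": "fs-write",
    "os.makedirs": "fs-write", "os.mkdir": "fs-write", "os.remove": "fs-write",
    "open": "fs-open",   # refined to fs-read / fs-write from the mode argument
}


@dataclass
class Sink:
    kind: str      # shell | sqlite | fs-write | fs-read
    call: str      # dotted call name as written in the source
    line: int
    detail: str    # string literals found in the call's arguments (paths, commands)


def _dotted(node):
    """Render an a.b.c attribute chain as a string; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _strings_in(nodes):
    """Every string constant nested anywhere in the given argument nodes,
    so a path built with os.path.join(...) still surfaces its literal parts."""
    return [n.value for root in nodes for n in ast.walk(root)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]


def _open_mode(call):
    """Mode passed to open(), positional or keyword, defaulting to 'r'."""
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        return str(call.args[1].value)
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            return str(kw.value.value)
    return "r"


def scan_source(src):
    """Return the Sink records found in one module's source text."""
    sinks = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        kind = SINK_CALLS.get(name)
        if kind is None:
            continue
        if kind == "fs-open":
            mode = _open_mode(node)
            kind = "fs-write" if any(c in mode for c in "wax+") else "fs-read"
        args = list(node.args) + [kw.value for kw in node.keywords]
        sinks.append(Sink(kind, name, node.lineno, " ".join(_strings_in(args))))
    return sinks


def summarize(sinks):
    """Count sinks per class: the quick go/no-go view before enabling a skill."""
    return dict(Counter(s.kind for s in sinks))


# Constructed sample module for illustration only (not MemCore's source).
SAMPLE_MODULE = '''
import os, sqlite3, subprocess, shutil

WORKSPACE = os.path.expanduser("~/.openclaw")

def install(src_dir):
    dst = os.path.join(WORKSPACE, "skill_modules")
    os.makedirs(dst, exist_ok=True)
    shutil.copytree(src_dir, dst, dirs_exist_ok=True)
    subprocess.run(["python3", os.path.join(dst, "index_logs.py")], check=True)

def log_query(q):
    db = sqlite3.connect(os.path.join(WORKSPACE, "feedback.db"))
    db.execute("INSERT INTO queries(text) VALUES (?)", (q,))
    db.commit()

def read_state():
    with open(os.path.join(WORKSPACE, "SESSION-STATE.md")) as f:
        return f.read()
'''

if __name__ == "__main__":
    found = scan_source(SAMPLE_MODULE)
    for s in found:
        print(f"L{s.line:<3} {s.kind:<9} {s.call:<20} {s.detail}")
    print(summarize(found))
```

Run it over every `.py` file the installer will copy into the workspace; a retrieval-only skill whose summary contains `sqlite` and `shell` entries, or whose `fs-write` details name files outside its own directory, is exactly the capability gap the first finding describes and should be reconciled against whatever permissions the skill declares.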

Ssd 3

Medium
Confidence
86% confidence
Finding
The retriever returns raw trace, observation, reflection, and world-model excerpts in plaintext, which can expose previously stored sensitive user data to any caller with retrieval access. In this skill context, the danger is elevated because the system is explicitly designed to aggregate long-lived memory across sessions, making unintended disclosure of historical secrets, personal data, or internal notes more likely.
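The mitigation this finding points at has two halves: decide which excerpts a caller may see at all, and strip secret-shaped tokens from what is returned. The following is an added example written for this audit, not MemCore's retriever. It shows a raw lookup with the behaviour described above next to a scoped, redacting one. The `scope` field on excerpts, the sample store, and the secret patterns are assumptions for illustration; nothing in the page says MemCore's index carries scopes.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Excerpt:
    kind: str      # trace | observation | reflection | world-model
    scope: str     # assumed: the project or workspace the memory belongs to
    text: str


# Constructed sample store standing in for a long-lived cross-session index.
STORE = [
    Excerpt("trace", "proj-a", "Deployed v2; used AWS key AKIAABCDEFGHIJKLMNOP temporarily"),
    Excerpt("observation", "proj-a", "CI token: ghp_" + "x" * 36 + " rotated?"),
    Excerpt("reflection", "proj-b", "Postmortem: password=Hunter2! leaked in logs during incident 42"),
    Excerpt("world-model", "proj-a", "Team prefers Thursday deploys."),
]

# Order matters: specific token shapes first, then the generic key=value form.
SECRET_PATTERNS = [
    (re.compile(r"AKIA[0-9A-Z]{16}"), "[REDACTED:aws-access-key]"),
    (re.compile(r"ghp_[A-Za-z0-9]{36}"), "[REDACTED:github-token]"),
    (re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*\S+"),
     r"\1=[REDACTED]"),
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
     "[REDACTED:private-key]"),
]


def redact(text):
    """Replace secret-shaped substrings; the surrounding context is kept."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def retrieve_raw(query):
    """The behaviour the finding describes: every match, verbatim, to any caller."""
    q = query.lower()
    return [e.text for e in STORE if q in e.text.lower()]


def retrieve_scoped(query, caller_scopes, redact_secrets=True):
    """Hardened lookup: filter by the caller's scopes first, then redact."""
    q = query.lower()
    results = []
    for e in STORE:
        if e.scope not in caller_scopes or q not in e.text.lower():
            continue
        results.append(redact(e.text) if redact_secrets else e.text)
    return results


if __name__ == "__main__":
    print("raw:   ", retrieve_raw("deploy"))
    print("scoped:", retrieve_scoped("deploy", {"proj-a"}))
    print("other: ", retrieve_scoped("incident", {"proj-a"}))
```

Pattern-based redaction only catches secrets that look like secrets, so the scope filter is the primary control and the redaction a backstop; a memory store that must hold genuinely sensitive notes needs a retention and access policy, not just output filtering.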

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.