Fluid Memory

Security checks across malware telemetry and agentic risk

Overview

Fluid Memory is a local memory plugin that stores conversation content in plaintext for recall and forgetting, which is sensitive but mostly disclosed and aligned with its purpose.

Install only if you want OpenClaw to keep a local, unencrypted memory of conversations. Enable the hook deliberately, avoid sending secrets while it is active, protect or periodically clear ~/.openclaw/workspace/database/, and do not run the daemon unless you want scheduled cleanup that can eventually delete archived memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill's stated purpose is memory decay/forgetting, but it also performs proactive conversation summarization, extracts structured personal facts, and stores them persistently. This materially expands data collection beyond the declared function, increasing privacy risk and creating unexpected retention of sensitive user information.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The recall path silently writes the user's query back into persistent memory during retrieval, turning a read operation into covert data collection. This is dangerous because users and calling systems may reasonably expect recall to be non-mutating, while the implementation continuously captures plain-language inputs without transparent consent.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The incremental summarization logic explicitly treats 'NSFW' as a keyword worth retaining, despite the skill being described as a forgetting/archiving memory mechanism. This increases the chance that sexual or otherwise sensitive content is preferentially captured and persisted without necessity, creating elevated privacy and compliance risk.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill claims a forgetting/archiving mechanism but this hook simply persists raw user conversation content to a local file under a database-like path. That mismatch is security-relevant because users may expect decay or temporary handling, while sensitive prompts are actually retained indefinitely in plaintext.

Intent-Code Divergence

Low
Confidence
85% confidence
Finding
The header comment says conversations are recorded to a temporary file for later processing, but the code writes to a persistent file in a database/workspace path. Misleading storage semantics can cause operators and users to underestimate data retention and exposure of sensitive content.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill’s stated behavior is forgetting/archiving memories, but the implementation also permanently deletes archived records after 120 days. In a memory-management component, this mismatch is security-relevant because it can cause irreversible data loss beyond user expectations, undermine auditability, and remove information that users may assume is merely hidden or recoverable.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The docstring claims the task archives low-score memories, but the same function later performs permanent deletion of archived items. This discrepancy increases operational risk because maintainers or users reviewing the function contract may approve or invoke it believing it is non-destructive, when it actually contains destructive behavior.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The recall trigger phrases are broad enough to match ordinary conversation, which can cause unintended memory lookups and reinforcement of stored data. In a memory skill, accidental recall is privacy-relevant because retrieval may expose prior user content and also strengthens memories without clear consent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Telling the model to invoke tools based on vague 'understanding user intent' without firm boundaries increases the chance of over-triggering memory actions. In this context, ambiguous activation can lead to unconsented storage, retrieval, or forgetting of user data, especially since the skill promotes automatic learning behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill states that automatic learning is triggered during memory flush, but it does not present this as a prominent user-facing warning or meaningful consent checkpoint. Because this behavior records conversation content automatically, inadequate disclosure can result in covert collection of sensitive personal data and unexpected persistence.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Conversation data is automatically stored during recall without a clear user-facing warning or consent boundary. In a memory skill, this is especially risky because users may disclose secrets, credentials, or personal data in queries that then become durable records unexpectedly.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill writes summaries of conversations to a persistent local buffer file without clear disclosure, causing user data to survive across runs outside the visible vector store. Hidden local persistence expands the attack surface and can expose sensitive data to other local processes, backups, or operators.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The hook explicitly states that every sent message is appended to a local conversation log, but the documentation provides no warning, retention limits, access controls, or guidance about sensitive data handling. Because chat content can contain secrets, personal data, or proprietary information, undocumented disk logging increases the risk of unintended disclosure through local compromise, backups, shared environments, or misconfigured file permissions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The hook writes all sent message content to a local log file without any indication of consent, notice, or control in this code path. Because user messages often contain credentials, personal data, or confidential text, silent persistent logging materially increases privacy and disclosure risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code permanently deletes archived memories automatically with no confirmation, warning, dry-run mode, or approval step. In a persistence layer handling user memory, silent irreversible deletion is dangerous because mistakes in timestamps, status assignment, or decay policy can mass-delete records without any chance for recovery.

Ssd 3

Medium
Confidence
98% confidence
Finding
Automatic conversation logging stores every recall query as memory, enabling accumulation of user-provided content in plain language over time. Because this occurs during a routine retrieval action, the skill can silently build a sensitive profile of user interests, requests, and disclosures beyond expected operational need.

Ssd 3

Medium
Confidence
96% confidence
Finding
The summarization routine extracts structured categories such as preferences, decisions, todos, and learning points, then stores them as persistent memory. Structured personal profiling is more sensitive than raw storage because it makes downstream inference and reuse easier, increasing privacy risk and potential misuse.

Ssd 3

Medium
Confidence
95% confidence
Finding
The incremental summary buffer accumulates facts from conversations across rounds and persists them for later storage, creating hidden longitudinal tracking. This design is more dangerous in context because the skill is presented as a forgetting mechanism, yet it actually preserves and consolidates user data over time.

Ssd 3

Medium
Confidence
98% confidence
Finding
User messages are stored persistently in plaintext in a predictable local file path, creating a straightforward confidentiality risk if the host is multi-user, backed up, compromised, or inspected by other software. In the context of a memory skill, conversations are especially likely to include sensitive personal or operational information, which makes plaintext retention more dangerous.

VirusTotal

64/64 vendors flagged this skill as clean.
