Back to skill

Security audit

Memoclaw Skill

Security checks across malware telemetry and agentic risk

Overview

MemoClaw appears to be a legitimate remote memory service, but it needs review because it can upload persistent personal or conversation data and uses a wallet private key for identity and paid calls.

Install only if you trust MemoClaw and its npm CLI with remote memory storage and wallet-based payments. Use a dedicated low-balance wallet, do not store secrets or sensitive personal data, verify the endpoint before use, require manual approval for ingest, migrate, export, purge, force, yes, and paid commands, and periodically review or delete memories that should not persist.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill presents itself as a memory service, but its documented behavior extends into local environment inspection, CLI installation/setup, config-file use, shell access, and filesystem operations. That mismatch matters because agents may grant broader trust or permissions than expected, causing unnecessary exposure of local state and enabling actions outside the narrow memory-storage purpose.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The skill instructs use of shell execution for generic environment checks and command invocation, which increases attack surface because an agent with exec access can run arbitrary local commands beyond the core memory operation. In a skill intended for remote memory storage, encouraging broad shell use creates opportunities for command abuse, data exposure, or unsafe chaining with other tools.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The documented setup and completion flows include local filesystem modification and shell-profile persistence, which are not required for basic remote memory use and can alter a user's environment in lasting ways. Persistent shell changes and local file writes are risky in an agent context because they can affect future sessions, leak data, or create hard-to-audit side effects.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The security section claims the skill only makes HTTPS calls to api.memoclaw.com, but later documentation allows MEMOCLAW_URL to override the endpoint. This undermines the trust boundary stated to users and could redirect sensitive memory contents or wallet-authenticated requests to an attacker-controlled server.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README promotes persistent storage of user facts and semantic recall but gives no privacy warning, data minimization guidance, or caution against storing secrets/regulated personal data. In a memory service where data is sent to a remote embedding-backed system and tied to a wallet identity, this omission can lead agents or operators to store sensitive information inappropriately, increasing privacy, compliance, and data exposure risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The quickstart immediately instructs users to initialize a wallet and store memories without warning that wallet-linked usage creates an identity association and that several commands incur paid calls after the free tier. This is risky because agents may begin sending user data to a paid remote service and triggering micropayments before the operator understands the privacy and billing implications.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill encourages storing personal information such as user preferences and personal details, but does not pair that guidance with a clear, prominent warning that this data is sent to a third-party remote service. In an agent setting, that can cause privacy-harming disclosures without informed user consent.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The API explicitly supports ingesting and extracting facts from conversation messages and raw text, which can include sensitive user data, but the documentation provides no privacy, consent, retention, or data-minimization guidance. In an agent setting, this increases the likelihood that developers will persist user conversations or secrets by default, creating avoidable privacy and compliance risk.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The documentation exposes single-item, bulk, and namespace-wide deletion capabilities without warning about irreversible loss, access control expectations, or confirmation patterns. In agentic workflows, destructive operations may be invoked automatically from prompts or faulty logic, making accidental or unauthorized data destruction more likely.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The export endpoint allows bulk extraction of stored memories in multiple formats but does not warn that exported content may include sensitive memory text, metadata, and derived facts. This can lead integrators to expose large volumes of user context through logs, downloads, or downstream systems without adequate controls.

Ssd 3

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to store user personal information and learned session details in a remote third-party memory system. In context, this is dangerous because the tool is designed for persistent cross-session retention, so overly broad collection can create long-lived privacy exposure and data-minimization failures.

Ssd 3

Medium
Confidence
91% confidence
Finding
The transcript-ingestion and session-summary instructions encourage uploading raw conversation content and derived summaries to a remote memory backend. This broad transfer of conversational data raises privacy and confidentiality risks, especially when conversations may contain sensitive, regulated, or incidental third-party information.

VirusTotal

50/50 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.