Openclaw Memory

Security checks across malware telemetry and agentic risk

Overview

This memory skill is mostly coherent, but it needs review because it can send full conversation text and possibly the wrong environment API key to external LLM providers.

Install only if you are comfortable with selected conversation content being sent to third-party LLM APIs. Prefer passing an explicit apiKey matching the chosen provider, avoid relying on environment-variable fallback, and do not use the Observer on chats or memory files that may contain secrets, regulated data, or private user information without separate redaction controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation declares no permissions, yet the described Observer component explicitly requires API keys and calls remote LLM services, which implies access to environment variables and network egress. This creates a transparency and consent problem: an agent or reviewer may treat the skill as lower risk than it is, even though it can transmit conversation data externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
74% confidence
Finding
A description-behavior mismatch is a real security concern here because the skill claims to be a memory system, while static analysis reports additional functionality for scanning hidden Unicode/prompt-injection content and decoding Unicode tag payloads. Even if those utilities are defensive, undocumented hidden-analysis features expand the attack surface and can conceal behavior that reviewers and users did not consent to, especially in a skill that processes untrusted conversation and workspace text.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The observer sends full sanitized conversation text to third-party LLM APIs, which can expose sensitive user content, secrets, or personal data to external processors. The skill metadata explicitly says remote APIs are used, but this file contains no consent gate, policy enforcement, data minimization beyond basic character stripping, or mechanism to prevent accidental transmission of confidential content.

VirusTotal

64/64 vendors flagged this skill as clean.