Back to skill

Security audit

Claw Memory Guardian

Security checks across malware telemetry and agentic risk

Overview

This memory skill is purpose-aligned but needs Review because it creates durable local memory, Git history, and an unmanaged auto-save script without enough privacy and lifecycle controls.

Install only if you are comfortable with long-lived memory files, local backups, and Git commits in your OpenClaw workspace. Do not store secrets, regulated data, or customer financial/contract details unless you have authorization and a retention plan. Avoid running memory/auto_save.sh in the background unless you know how to stop it, and review Git status before sharing or pushing the workspace repository.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (19)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The examples explicitly encourage storing customer inquiries, requirements, budget, contract status, and payment details in a memory system without any warning about consent, minimization, retention, or access controls. This can normalize unsafe handling of sensitive business and potentially personal data, increasing the risk of privacy violations, unauthorized disclosure, and over-collection by users following the documentation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation promotes team-shared memory and optional cloud backup while omitting warnings about exposure, permission boundaries, secret leakage, and data residency/compliance concerns. In a memory tool, this context makes the issue more dangerous because users are encouraged to centralize operational knowledge, which may include sensitive internal or customer information that could be broadly accessible or synced externally.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises automatic saving, backup, and git versioning of user work without clearly warning that content will be persistently stored and copied into history. This creates a real privacy and data-handling risk because users may unintentionally retain secrets, personal data, or regulated information in local files and git history that is harder to remove later.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Documenting team sharing and customer-interaction recording without a privacy warning normalizes collection and synchronization of potentially sensitive personal, business, or customer data. In this context, the skill is specifically positioned for team and enterprise use, which increases the likelihood of regulated or confidential information being captured and shared inappropriately.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documented strategy of auto-save, auto-backup, and automatic git commits lacks warning that the tool may make unattended file changes and create durable history entries. This is dangerous because sensitive content can be committed automatically, replicated into backups, and become difficult to fully delete once written into version history.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly describes automatic reads, writes, backups, and git commits of memory artifacts, but does not present a clear warning about persistent data modification, retention, or repository side effects. This can cause users to unknowingly store sensitive conversation or project data on disk and in version history, increasing confidentiality and recovery risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The collaboration features describe sharing memory fragments and syncing team memory without any privacy notice, trust boundary explanation, or consent model. Because memory content may include sensitive conversations, project details, or credentials, users could transmit data to other people or external systems without understanding the exposure.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The init flow performs persistent filesystem modifications and initializes a Git repository in the workspace without explicit confirmation, which can unexpectedly alter user state and silently capture sensitive memory files into version control. In a skill context, automatically creating repos and committing user data is dangerous because it changes trust boundaries and may later enable accidental disclosure through normal Git workflows.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The code writes an executable shell script into the workspace and marks it runnable without an explicit upfront warning or consent. Creating executable artifacts increases risk because users or other tooling may later run the script, and the script embeds resolved workspace paths and performs ongoing file modifications in an infinite loop.

Ssd 3

Medium
Confidence
88% confidence
Finding
The README promotes comprehensive logging of customer interactions and audit records, which inherently increases data-retention and exposure risk. In a memory/logging skill, centralizing natural-language operational records can capture credentials, personal data, internal decisions, or regulated business information that may later be exposed through search, sharing, or backup workflows.

Ssd 3

Medium
Confidence
90% confidence
Finding
The skill promotes persistent collection of working memory and collaborative sharing in plain language, creating a broad data-retention model for user and project content. Without minimization or consent boundaries, ordinary use can lead to overcollection and later disclosure of sensitive information.

Ssd 3

Medium
Confidence
95% confidence
Finding
Automatic reading, updating, and saving of memory artifacts throughout the session lifecycle establishes default persistent retention of conversation state. This is dangerous because users may assume ephemeral interactions while the skill continuously records data to disk, backups, and potentially version control.

Ssd 3

High
Confidence
97% confidence
Finding
Sharing memory fragments and syncing team memory directly increases the risk of exposing stored user, customer, or project data beyond the original context. In this skill, the danger is amplified because the same system also encourages broad automatic memory capture, so shared content may include more sensitive data than users expect.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"url": "https://github.com/openclaw-skills/claw-memory-guardian/issues"
  },
  "dependencies": {
    "fs-extra": "^11.2.0",
    "chalk": "^5.3.0",
    "inquirer": "^9.2.12",
    "simple-git": "^3.19.1",
Confidence
77% confidence
Finding
"fs-extra": "^11.2.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "fs-extra": "^11.2.0",
    "chalk": "^5.3.0",
    "inquirer": "^9.2.12",
    "simple-git": "^3.19.1",
    "date-fns": "^3.3.1"
Confidence
77% confidence
Finding
"chalk": "^5.3.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "fs-extra": "^11.2.0",
    "chalk": "^5.3.0",
    "inquirer": "^9.2.12",
    "simple-git": "^3.19.1",
    "date-fns": "^3.3.1"
  },
Confidence
77% confidence
Finding
"inquirer": "^9.2.12"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"fs-extra": "^11.2.0",
    "chalk": "^5.3.0",
    "inquirer": "^9.2.12",
    "simple-git": "^3.19.1",
    "date-fns": "^3.3.1"
  },
  "openclaw": {
Confidence
90% confidence
Finding
"simple-git": "^3.19.1"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"chalk": "^5.3.0",
    "inquirer": "^9.2.12",
    "simple-git": "^3.19.1",
    "date-fns": "^3.3.1"
  },
  "openclaw": {
    "skillType": "utility",
Confidence
77% confidence
Finding
"date-fns": "^3.3.1"

Known Vulnerable Dependency: simple-git==3.19.1 — 3 advisory(ies): CVE-2026-6951 (simple-git is vulnerable to Remote Code Execution); CVE-2026-28291 (simple-git Affected by Command Execution via Option-Parsing Bypass); CVE-2026-28292 (simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.)

Critical
Category
Supply Chain
Confidence
99% confidence
Finding
simple-git==3.19.1

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.