Skill v1.0.0

VirusTotal security

Memory ChromaDB · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 4:27 AM
Hash: a21afb48e2b0b592a399e7789e3d6e6ff214a08de24df77aff2c2e029be3e764
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: memory-chromadb
Version: 1.0.0

The skill bundle is designed for ChromaDB memory integration, which is a benign purpose. However, it presents two key vulnerabilities:

1) Potential LLM prompt injection via the `before_agent_start` hook in `index.ts`, where retrieved memories (which could be user-controlled or poisoned) are directly prepended to the agent's context. This could allow an attacker to influence the agent's behavior if the retrieved content contains malicious instructions.
2) A lesser risk of ChromaDB query injection if the `where_document` filter in ChromaDB's API is vulnerable to crafted keywords extracted from user queries.

These are vulnerabilities that allow attacks, rather than proof of intentional malicious behavior by the skill itself.