Overkill Memory System

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real memory tool, but it needs review because it can persist and reuse sensitive conversation, diary, habit, and error data across sessions.

Install only if you deliberately want a broad persistent memory system. Before enabling cron, ACC transcript analysis, cloud features, or ACC_MODELS, review where data is stored and which model commands receive conversation text; avoid storing secrets, restrict access to ~/.openclaw memory files, and set your own purge or retention process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (44)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    # Try running as MCP server with JSON-RPC
    cmd = [str(VESTIGE_BINARY)] + args
    result = subprocess.run(
        cmd,
        capture_output=True,
        text=True,
Confidence
82% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

Tainted flow: 'ACC_STATE_FILE' from os.environ.get (line 15, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def _save_state(state: dict):
    """Save ACC state file."""
    ACC_STATE_FILE.parent.mkdir(parents=True, exist_ok=True)
    with open(ACC_STATE_FILE, 'w') as f:
        json.dump(state, f, indent=2)
Confidence
94% confidence
Finding
with open(ACC_STATE_FILE, 'w') as f:

Tainted flow: 'memories_file' from os.environ.get (line 315, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
memories.append(memory)

# Save
with open(memories_file, 'w') as f:
    json.dump(memories, f, indent=2)

return {
Confidence
90% confidence
Finding
with open(memories_file, 'w') as f:

Tainted flow: 'memories_file' from os.environ.get (line 315, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
if not updated:
    return {"error": f"Memory {memory_id} not found", "mode": "fallback"}

with open(memories_file, 'w') as f:
    json.dump(memories, f, indent=2)

return {
Confidence
90% confidence
Finding
with open(memories_file, 'w') as f:

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The comment explicitly says the generated markdown is intended "for prompt injection," which signals that untrusted state data is being transformed into a prompt-consumable document for an LLM or agent. Because fields like activePatterns[*].context and keys are copied from JSON into markdown with minimal sanitization, an attacker who can influence acc-state.json could inject instructions or deceptive content into downstream model context.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The module claims to be a diary tool but also accesses and modifies a separate strategy-notes file under the user's home directory. This expands the skill's authority beyond its apparent purpose, creating an unnecessary capability to read and alter potentially sensitive notes that a caller may not expect this skill to touch.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documented diary search feature reads and searches local diary files containing personal content without any mention of consent, visibility, scoping, or warning to the user. In an agent skill context, this can normalize access to sensitive local files and lead to privacy violations, accidental disclosure in responses, or over-collection of intimate data if implemented as described.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The architecture explicitly integrates cloud backup, diary search/add, and internal state tracking without documenting consent, retention, access controls, or privacy boundaries. In a memory system, these features can capture highly sensitive personal and behavioral data, so omitting user warnings and safeguards increases the risk of inadvertent collection, external exposure, or unsafe syncing of private information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs creation of persistent directories under the user's home directory for agent memory, but provides no user notice, consent flow, retention policy, or guidance on what sensitive data may be stored there. In a multi-agent context, this increases the risk of quietly persisting personal or operational data across sessions, which can expose users to privacy and data-handling issues if the contents are later accessed, synced, or misused.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill describes automatic capture of failures and user feedback into persistent files without any warning, consent model, minimization, or privacy controls. Errors, prompts, and corrections often contain secrets, internal paths, credentials, personal data, or proprietary task details, so silently persisting them increases the chance of later disclosure or policy violations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill advertises tracking and syncing of platform posts near the feature list without an immediate privacy warning or consent boundary. Because this system is explicitly designed for persistent memory and cross-session retention, users may not realize that potentially sensitive conversation or platform content could be collected and stored long-term.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The cloud backup and auto-fact extraction sections describe third-party integrations in a way that could normalize sending conversation-derived memory content to external services without a strong warning at the point of use. Since the skill centers on agent memory, these features may transfer sensitive user data, preferences, and interaction history off-device, increasing confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly describes extracting user/assistant exchanges from transcripts and logging error patterns, but provides no warning about privacy, retention, consent, or handling of potentially sensitive conversational data. In an agent skill context, transcript logging can easily capture secrets, personal data, or proprietary information, so omission of data-handling guidance creates a real privacy and compliance risk.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill is framed as a generally applicable monitoring component and describes broad session startup integration and recurring analysis, but it does not clearly bound when it should activate or what data it may inspect. In practice, ambiguous activation criteria increase the chance of over-collection and unintended analysis of unrelated conversations, especially when paired with persistent memory and cron execution.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly says it tracks mistakes across sessions and builds persistent awareness, but it does not present a prominent user warning that conversation transcripts and derived error data will be analyzed and stored. That creates a meaningful transparency and consent problem because users may not realize their interactions are being retained for later processing.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The installation flow recommends `--with-cron` and later documents automatic analysis three times daily, but the description does not foreground this as scheduled background processing with ongoing access to stored transcripts. Hidden or easily missed background execution materially increases risk because it continues collecting and analyzing data after initial setup.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends raw conversation content, including assistant and user text, to external model CLI commands without consent checks, redaction, or trust boundaries. In this skill context, the data likely contains user interactions and possibly sensitive workspace content, so forwarding it to externally configured commands can leak private information to third parties or unintended local wrappers.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script forwards conversation content (`assistant_text` and `user_text`) to externally configured model CLI commands via `ACC_MODELS` without any consent, disclosure, or trust boundary enforcement. Even though this appears to be intended for error classification, it can expose potentially sensitive conversation data to third-party tools or remote model providers, and the environment-variable configurability makes the destination less predictable.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill persistently stores user-provided error descriptions, context, and mitigations to disk in a predictable local path without any notice, consent, retention control, or minimization. This can expose sensitive operational details, prompts, mistakes, or private context to other local users, backups, or later compromise; in this skill's context, the stored fields are expressly free-form and therefore likely to contain secrets or sensitive workflow data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The module persists user behavior data to a file in the user's home directory without any consent, disclosure, retention controls, or permission hardening. Even though the data is not obviously secret, tracked actions and queries can reveal sensitive user interests or workflows, and the skill context makes this more concerning because the feature is explicitly learning from repeated user actions over time.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The diary feature persists raw user content plus inferred emotional and value metadata to disk in a predictable location under the user's home directory without explicit consent or warning. In a memory-oriented skill, that creates a real privacy risk because highly sensitive personal information can be retained and later exposed through search, backups, local compromise, or multi-user host access.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The cron inbox write path stores user-provided content and derived neuroscience metadata to persistent files without clearly notifying the user. Because this tool is designed to aggregate and later resurface memory content, silent persistence increases the chance that sensitive operational or personal data is retained longer than expected and disclosed later.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The WAL function appends arbitrary user content and inferred metadata to a persistent session file with no upfront disclosure that the data will survive the current session. Since WAL content is later searchable and may include sensitive prompts, personal notes, or secrets, this creates a meaningful confidentiality and privacy issue.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code infers mood, energy, curiosity, and fatigue from free-form conversation text and immediately persists that derived profile to a file in the user's home directory. This creates a privacy risk because sensitive behavioral inferences are stored without explicit consent, disclosure, retention limits, or access controls, increasing exposure to local compromise, forensic recovery, or unintended reuse by other components.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The skill is explicitly designed to infer internal attributes such as mood, energy, and fatigue from user conversation using keyword matching, but offers no opt-in, notice, or ability to disable profiling. Even if the inference is simplistic, it still performs behavioral profiling from conversational data, which is privacy-sensitive and may surprise users or violate expected data-minimization practices.

VirusTotal

66/66 vendors flagged this skill as clean.
