Obsidian Memory System

Security checks across malware telemetry and agentic risk

Overview

This is a real memory-vault setup, but it also recommends automatic long-term logging and an unsandboxed Discord-connected agent with no command confirmations.

Review before installing. Use the vault setup only if you want persistent local memory, and avoid the suggested Discord/OpenClaw full-access config unless the machine is isolated and trusted. Keep command confirmations on, use sandboxing, do not auto-log secrets or private messages, and test any cron sync with backups and a dry run first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The description contains broad trigger phrases such as 'remember this', 'update memory', and 'set up discord' that are common conversational language and may cause the skill to activate unintentionally. In a memory-writing skill, accidental invocation is risky because it can lead to persistence of sensitive or low-quality data and potentially initiate broader setup actions the user did not explicitly intend.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill instructs persistent logging of user corrections, errors, learnings, and feature requests into long-lived vault files without any explicit user-facing consent, retention notice, or privacy boundary. Because this skill is specifically designed for cross-session memory, the absence of a warning materially increases the chance that sensitive personal, project, or behavioral information will be stored indefinitely and later resurfaced.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The guide explicitly recommends `tools.profile: "full"`, `exec.security: "full"`, and `exec.ask: "off"`, which together create an agent that can execute host commands without sandboxing or user confirmation. In a Discord-facing deployment, this sharply increases the blast radius of prompt injection, misrouting, compromised accounts, or accidental agent actions because chat input can directly trigger powerful local execution.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The sync script uses `rsync --delete` and `rm -rf` in an automated cron context, which can permanently remove files if paths are wrong, variables are empty, or the source state is corrupted. Because the document presents this as a workaround without an explicit data-loss warning, users may deploy destructive synchronization without backups, dry-run validation, or path safety checks.
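The guard rails this finding asks for, as an added example written for this page (it is not the sync script from the guide): refuse empty, relative or protected paths before rsync ever runs, compute what `--delete` would remove, snapshot the destination, and abort above a deletion threshold. The `PROTECTED_ROOTS` list, the default threshold and the `.bak-` snapshot naming are assumptions to tune locally.

```python
"""Guard rails for an automated `rsync --delete` vault sync.

Added example, not the sync script from the page. It implements the checks
the finding says are missing: refuse empty, relative or protected paths,
compute what --delete would remove before anything runs, snapshot the
destination, and abort when planned deletions exceed a threshold. rsync is
only invoked by run_guarded_sync(); everything else is pure Python.
PROTECTED_ROOTS and the default threshold are assumptions to tune locally.
"""
import shutil
import subprocess
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Optional

# Directories that must never be a --delete target; $HOME is added at runtime.
PROTECTED_ROOTS = {"/", "/home", "/Users", "/etc", "/usr", "/var", "/root"}


def validate_sync_paths(src: Optional[str], dst: Optional[str]) -> Path:
    """Return dst as a Path, or raise ValueError saying why the sync is refused.

    An unset variable expanding to "" is how `rm -rf $VAULT/` or
    `rsync --delete src/ $DST/` ends up operating on the wrong tree.
    """
    if not src or not dst:
        raise ValueError("source or destination is empty/unset")
    s, d = Path(src), Path(dst)
    if not (s.is_absolute() and d.is_absolute()):
        raise ValueError("paths must be absolute")
    protected = {Path(r) for r in PROTECTED_ROOTS} | {Path.home()}
    for p in (s, d):
        if p.resolve() in protected:
            raise ValueError(f"{p} is a protected root")
    if not s.is_dir():
        raise ValueError(f"source {s} is not a directory")
    if s.resolve() == d.resolve():
        raise ValueError("source and destination are the same directory")
    return d


def planned_deletions(src: str, dst: str) -> list:
    """Files under dst that are absent from src: exactly what --delete removes."""
    def rel_files(root: Path) -> set:
        return {str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()}
    d = Path(dst)
    return sorted(rel_files(d) - rel_files(Path(src))) if d.exists() else []


def run_guarded_sync(src: str, dst: str, max_deletions: int = 20,
                     dry_run: bool = True) -> dict:
    """Validate, plan, snapshot, then sync (dry-run by default)."""
    d = validate_sync_paths(src, dst)
    deletions = planned_deletions(src, dst)
    if len(deletions) > max_deletions:
        raise RuntimeError(f"refusing: would delete {len(deletions)} files "
                           f"(limit {max_deletions}); review them first")
    snapshot = None
    if not dry_run and d.exists():
        # Keep a restorable copy of the destination before the destructive pass.
        snapshot = f"{d}.bak-{datetime.now():%Y%m%d%H%M%S}"
        shutil.copytree(d, snapshot)
    cmd = ["rsync", "-a", "--delete"] + (["--dry-run"] if dry_run else []) + \
          [f"{src.rstrip('/')}/", f"{dst.rstrip('/')}/"]
    subprocess.run(cmd, check=True)
    return {"deletions": deletions, "snapshot": snapshot, "dry_run": dry_run}


def demo() -> dict:
    """Constructed sample: a vault and a backup holding one stale file."""
    base = Path(tempfile.mkdtemp(prefix="vault-demo-"))
    src, dst = base / "vault", base / "backup"
    (src / "notes").mkdir(parents=True)
    (dst / "notes").mkdir(parents=True)
    (src / "notes" / "MEMORY.md").write_text("# memory\n")
    (dst / "notes" / "MEMORY.md").write_text("# old memory\n")
    (dst / "notes" / "stale.md").write_text("only in destination\n")
    refused = {}
    for bad_src, bad_dst in [("", str(dst)), ("/", str(dst)),
                             ("relative/vault", str(dst)), (str(src), str(src))]:
        try:
            validate_sync_paths(bad_src, bad_dst)
        except ValueError as exc:
            refused[bad_src or "<empty>"] = str(exc)
    return {"valid_dst": str(validate_sync_paths(str(src), str(dst))),
            "deletions": planned_deletions(str(src), str(dst)),
            "refused": refused}
```

In a cron job, call `run_guarded_sync(src, dst, dry_run=True)` first and inspect the returned `deletions` list; only switch to `dry_run=False` once the plan matches what you expect. The validation runs before any rsync invocation, so an unset `VAULT_DST` fails loudly instead of deleting the wrong tree.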

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The skill defines very broad automatic triggers such as common conversational corrections and feature-request phrasing, which can cause logging behavior to activate without a clear user request to persist information. In a persistent memory skill, this creates a real risk of over-collection and unintended writes to long-term storage from ordinary dialogue.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The file instructs the agent to append directly to local vault files but does not require any user-facing notice or confirmation that persistent user data will be modified. This is dangerous because it can silently alter a user's knowledge base, create inaccurate records, or store sensitive content without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The documentation recommends a configuration with full tool access, unsandboxed command execution, and confirmations disabled, but it does not prominently warn that this allows the agent to execute arbitrary system commands without user approval. In the context of a persistent-memory and Discord-integrated agent, this materially increases the chance that prompt injection, misrouting, or agent error leads to destructive local actions.
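An audit for the configuration the two findings above describe, added here as an example (it is not part of the skill or of OpenClaw). The three keys and the flagged values, `tools.profile: "full"`, `exec.security: "full"` and `exec.ask: "off"`, come from the findings; the alternative values in `HARDENED_CONFIG` are illustrative assumptions, not verified OpenClaw option names. The audit treats unsandboxed execution plus disabled confirmations as a distinct combination finding and rates it high when the agent accepts chat input, matching the Discord case.

```python
"""Audit an agent config for the permission combination flagged above.

Added example, not part of the skill or of OpenClaw. The three keys and the
flagged values (tools.profile "full", exec.security "full", exec.ask "off")
are the ones quoted in the finding. The values in HARDENED_CONFIG are
illustrative assumptions, not verified OpenClaw option names: the point is
that the audit passes only when no tool profile is wide open, exec is not
unsandboxed, and confirmations are not disabled.
"""
from typing import Any

# Configuration the guide recommends, as quoted in the finding.
RECOMMENDED_BY_GUIDE = {
    "tools": {"profile": "full"},
    "exec": {"security": "full", "ask": "off"},
}

# Hypothetical hardened counterpart (option values are assumptions).
HARDENED_CONFIG = {
    "tools": {"profile": "minimal"},
    "exec": {"security": "sandboxed", "ask": "always"},
}


def _get(cfg: dict, dotted: str) -> Any:
    """Resolve 'exec.ask' against nested dicts or a flat dotted-key config."""
    if dotted in cfg:
        return cfg[dotted]
    node: Any = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit_agent_config(cfg: dict, chat_facing: bool = False) -> list:
    """Return a list of findings (dicts with key, value, severity, why).

    Each weak setting is reported on its own, and the combination of
    unsandboxed exec with confirmations off is reported as a separate
    finding, rated high when the agent accepts input from a chat platform
    such as Discord, because untrusted text then reaches host execution
    with nothing in between.
    """
    profile = _get(cfg, "tools.profile")
    security = _get(cfg, "exec.security")
    ask = _get(cfg, "exec.ask")
    findings = []

    def report(key, value, why, severity="medium"):
        findings.append({"key": key, "value": value, "severity": severity, "why": why})

    if profile == "full":
        report("tools.profile", profile, "all tools enabled; no least-privilege scoping")
    if security == "full":
        report("exec.security", security, "host commands run outside a sandbox")
    if ask == "off":
        report("exec.ask", ask, "commands execute without user confirmation")
    if security == "full" and ask == "off":
        report("exec.security+exec.ask", (security, ask),
               "any injected or misrouted instruction becomes an unconfirmed host command",
               severity="high" if chat_facing else "medium")
    return findings


def summarize(findings: list) -> str:
    """One line per finding, highest severity first, for a review log."""
    order = {"high": 0, "medium": 1, "low": 2}
    lines = [f"[{f['severity'].upper()}] {f['key']}={f['value']!r}: {f['why']}"
             for f in sorted(findings, key=lambda f: order.get(f["severity"], 9))]
    return "\n".join(lines) if lines else "no findings"
```

Run `summarize(audit_agent_config(cfg, chat_facing=True))` against the config you are about to deploy; the guide's recommended settings produce four findings with the combination rated high, while a config that keeps confirmations on and execution sandboxed produces none.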

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The dreaming feature is described as automatically promoting recalled information into MEMORY.md, but the documentation does not clearly warn that user data may be persisted, transformed, and written into long-term memory without an explicit approval step. For a system handling journals, project notes, and Discord conversations, this can cause unintended retention of sensitive data, private messages, or inaccurate summaries.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The automatic logging guidance explicitly captures user-provided corrections, requests, errors, command attempts, parameters, and environment details into persistent files without any minimization or sensitivity checks. That can retain secrets, personal data, or operational details far beyond the original conversation, increasing privacy and security exposure if the vault is later searched, synced, or shared.
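The two controls the findings on automatic logging and dreaming say are missing (minimisation before persistence, and an approval step before anything reaches MEMORY.md), shown as an added example that is not code from the skill: entries are scanned for secrets and personal data and redacted, an entry containing a private key is blocked outright, and gated entries land in a pending-review file that only an explicit approval promotes into MEMORY.md. The regexes, the `pending-review/` directory name and the blocking policy are assumptions for illustration.

```python
"""Minimisation gate for writes into a persistent memory vault.

Added example, not code from the skill. It shows the two controls the
findings above say are missing: text is scanned for secrets and personal
data before it can be appended to a vault file (redacted, or blocked when a
private key appears), and anything headed for MEMORY.md is first staged in
a pending-review file so a human approves the promotion. The regexes, the
pending-review/ directory name and the blocking policy are assumptions for
illustration; tune them to your own vault.
"""
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Conservative patterns; a miss here is a leak into long-term storage.
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]{20,}=*"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)\b\w*(?:password|passwd|secret|api[_-]?key)\s*[=:]\s*\S+"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
BLOCKING = {"private_key"}  # never persist, even redacted


@dataclass
class GateResult:
    text: str
    redactions: list = field(default_factory=list)
    blocked_by: list = field(default_factory=list)

    @property
    def allowed(self) -> bool:
        return not self.blocked_by


def gate_memory_entry(text: str) -> GateResult:
    """Redact every match; block the whole entry if a blocking pattern fires."""
    result = GateResult(text=text)
    for name, rx in PATTERNS.items():
        if rx.search(result.text):
            result.redactions.append(name)
            if name in BLOCKING:
                result.blocked_by.append(name)
            result.text = rx.sub(f"[REDACTED:{name}]", result.text)
    return result


def stage_for_review(vault: Path, entry: str, source: str) -> Path:
    """Write a gated entry under pending-review/ instead of touching MEMORY.md."""
    result = gate_memory_entry(entry)
    pending = vault / "pending-review"
    pending.mkdir(parents=True, exist_ok=True)
    status = "PENDING" if result.allowed else "BLOCKED"
    path = pending / f"{status}-{len(list(pending.iterdir())) + 1:04d}.md"
    header = (f"<!-- source: {source}; redactions: {', '.join(result.redactions) or 'none'};"
              f" blocked_by: {', '.join(result.blocked_by) or 'none'} -->")
    body = result.text if result.allowed else "[content withheld: blocking pattern matched]"
    path.write_text(f"{header}\n{body}\n", encoding="utf-8")
    return path


def promote(vault: Path, pending_file: Path, approved: bool) -> bool:
    """Append a reviewed entry to MEMORY.md only with explicit human approval."""
    if not approved or pending_file.name.startswith("BLOCKED"):
        return False
    with (vault / "MEMORY.md").open("a", encoding="utf-8") as fh:
        fh.write(pending_file.read_text(encoding="utf-8"))
    pending_file.unlink()
    return True


def demo() -> dict:
    """Constructed sample: one redactable entry, one that must be blocked."""
    vault = Path(tempfile.mkdtemp(prefix="vault-"))
    ok = stage_for_review(vault, "User prefers rsync over scp; contact ops@example.com, "
                          "key AKIAABCDEFGHIJKLMNOP", source="discord#ops")
    blocked = stage_for_review(vault, "-----BEGIN RSA PRIVATE KEY-----\nMIIE\n"
                               "-----END RSA PRIVATE KEY-----", source="discord#dm")
    return {
        "ok_name": ok.name, "blocked_name": blocked.name,
        "ok_text": ok.read_text(encoding="utf-8"),
        "promoted_unapproved": promote(vault, ok, approved=False),
        "promoted_blocked": promote(vault, blocked, approved=True),
        "promoted": promote(vault, ok, approved=True),
        "memory": (vault / "MEMORY.md").read_text(encoding="utf-8"),
    }
```

Wire `stage_for_review` in where the skill would otherwise append directly to a vault file, and make `promote` the only code path that writes MEMORY.md. The header comment records what was redacted and why, so a reviewer can see that an entry was altered without the original secret ever having been written to disk.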

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.