
Security audit

MemoryAI

Security checks across malware telemetry and agentic risk

Overview

MemoryAI is a real cloud memory skill, but it asks for recurring background access to local conversation transcripts and uploads excerpts while understating that behavior.

Install only if you intentionally want a cloud service to retain long-term memory and process conversation excerpts from local OpenClaw sessions. Before enabling cron or every-message tracking, confirm the endpoint, retention and deletion policy, redaction behavior, and whether background transcript syncing can be disabled or limited.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Tainted flow: 'state_path' from os.environ.get (line 247, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
try:
    # state_path is derived from an environment variable (see the tainted-flow finding above)
    state_path.parent.mkdir(parents=True, exist_ok=True)
    state["byte_offset"] = new_offset
    # Sink: file write to the environment-controlled path
    with open(state_path, "w", encoding="utf-8") as f:
        _json.dump(state, f)
except Exception:
    # Errors are silently swallowed, so a failed or redirected write is never reported
    pass
Confidence
86% confidence
Finding
with open(state_path, "w", encoding="utf-8") as f:

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The privacy section claims there is no automatic transmission, yet the setup instructions explicitly create a cron job that uploads context tokens and transcript messages every 5 minutes. This is a direct contradiction that can mislead users into enabling continuous background exfiltration of conversational data they did not expect to leave the system automatically.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented as long-term memory, but the sync routine continuously inspects local session state and orchestrates rotation/compaction workflows. That broader surveillance and control capability materially exceeds a simple memory feature and increases the chance that operators enable it without understanding the scope of local data access and remote transmission.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The profile command exposes inferred persona, mood, goals, entities, and procedures, which goes beyond basic memory retention into user profiling. In the context of an agent memory skill, that mismatch is dangerous because highly sensitive inferred attributes may be collected or surfaced without informed consent.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The sync routine reads OpenClaw session metadata and transcript files from local storage, then packages message content for server submission. That is a significant local data access capability not clearly justified by the stated purpose and can expose sensitive conversations, credentials, or proprietary content from the agent environment.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Cognitive profiling is not necessary to provide long-term memory storage and recall. Because it infers personal attributes, goals, and procedures, the unjustified scope expansion increases privacy risk and creates secondary-use concerns beyond the advertised function.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The module docstring claims 'All logic on server,' but the client performs substantial local processing, including transcript parsing, token accounting, state tracking, and sync orchestration. Misleading documentation can cause users and reviewers to underestimate what local data is accessed and what behavior executes on the host.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The guidance recommends triggering the skill at session start and on every user message via rolling tracking, which effectively normalizes near-constant collection and processing of conversation content. In a memory skill handling sensitive user context, such broad invocation materially increases the chance of over-collection, privacy violations, and transmission of unrelated sensitive data.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill does not prominently warn that enabling the documented cron setup results in periodic uploads of transcript and context data to a remote server. Because the feature is framed as routine setup and hidden behind vague 'How it works' language, users may enable continuous background data transfer without meaningful awareness or consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The sync routine reads transcript messages and sends them to the remote endpoint without any user-facing warning or consent flow. Because transcripts may contain secrets, personal data, or confidential work product, silent background transmission is particularly dangerous in an agent environment.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Core commands send stored memories, queries, and profile-related data to a configurable remote endpoint, but the CLI provides little indication that these actions are network operations. In a privacy-sensitive memory tool, lack of transmission disclosure increases the risk of users unintentionally exporting sensitive content.

Ssd 3

Medium
Confidence
93% confidence
Finding
The skill promotes persistent retention of user information across sessions, including storing decisions, preferences, identity, goals, and syncing rolling transcript data to a remote server. In context, this is especially dangerous because the product explicitly encourages 'forever' retention and broad collection, increasing privacy harm, breach impact, and the chance of storing sensitive data without necessity.

Ssd 3

Medium
Confidence
95% confidence
Finding
The track command explicitly instructs callers to submit every user and assistant message, creating a built-in logging pipeline for conversational content. In a long-term memory context, this normalization of blanket collection is risky because it encourages comprehensive retention of potentially sensitive dialogue.

Ssd 3

Medium
Confidence
97% confidence
Finding
The unified sync routine semantically implements ongoing harvesting of transcript contents and periodic server submission via cron. That creates persistent background collection behavior, which materially increases privacy and data-exposure risk compared with on-demand memory operations.

Ssd 3

Medium
Confidence
94% confidence
Finding
The profile command is framed as determining 'who is this user' and returns inferred personal attributes, making the privacy-sensitive nature of the feature clear. Exposing such inferences in a memory utility is dangerous because users may not expect personality or mood analysis from a storage tool.

VirusTotal

VirusTotal findings are pending for this skill version.


Static analysis

No suspicious patterns detected.