Back to skill

Security audit

OpenClaw Memory Orchestrator

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent as a local memory tool, but it needs Review because optional sync commands can export internal memory summaries and metadata to remote backends, including plain HTTP endpoints, with limited disclosure.

Install only if you are comfortable with a tool that builds persistent local memory indexes under your OpenClaw workspace. Treat remote and mem0 sync as sensitive data export: use HTTPS-only trusted endpoints, review what records are marked internal, avoid syncing confidential project details, and pin or review the chromadb dependency before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The installer sets dependency_result to success without actually calling install_python_deps(), and runtime_check is marked ok=True whenever files were copied instead of executing verify_runtime(). This can falsely report the environment as ready, causing downstream automation to trust and run an unverified installation state.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script creates directories under a default user workspace and copies executable scripts there automatically, with no prompt, dry-run mode, or explicit consent mechanism. In an agent skill context, silently modifying a user's filesystem increases the risk of unexpected persistence and execution of bundled code.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The remote sync feature uploads memory summaries and metadata to a remote ChromaDB instance, and the code permits plain HTTP endpoints as well as HTTPS. Because records marked 'internal' are eligible for remote sync, a misconfigured or malicious remote URL can exfiltrate sensitive operational memory and metadata over an unencrypted or untrusted channel.

Missing User Warnings

Medium
Confidence
75% confidence
Finding
mem0_sync forwards memory summaries and metadata to an external 'openclaw mem0 store' process without verifying what backend that command ultimately uses or presenting a trust boundary to the operator. Even though sensitivity filtering excludes 'private' and 'secret' records, 'internal' structured memory may still contain sensitive project details and is exported to another component without strong safeguards.

Unpinned Dependencies

Low
Category
Supply Chain
Content
chromadb
Confidence
95% confidence
Finding
chromadb

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.