memory-system

Security checks across malware telemetry and agentic risk

Overview

This memory skill is purpose-aligned, but it needs Review because it can automatically move private memory files into persistent PostgreSQL storage and search them with weak user controls.

Install only if you want a local long-term memory system that reads from ~/.openclaw/workspace/memory and writes to local PostgreSQL. Before using it, review the scripts, use a dedicated least-privileged database user, avoid highly sensitive memories, and add explicit review/delete controls for archived data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content (excerpt from the skill's script, as captured by the scanner):
```python
        "-c", f"SELECT title, content FROM memory_structured {where};"
    ]

    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.stdout

def search_vector(query):
```
Confidence: 95%
Finding:
result = subprocess.run(cmd, capture_output=True, text=True)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding:
The skill documentation exposes shell and file-read capabilities but does not declare permissions or boundaries for those operations. In a memory-management skill, undeclared capability to read local files and invoke shell commands increases the risk of overbroad data access and makes it harder for users or the platform to understand what sensitive resources may be touched.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding:
The skill claims to provide long-term memory and semantic search, but the documented behavior also includes automatic archival of local files, filesystem scanning, database writes, and calls to an embedding service. That mismatch is dangerous because users may authorize a benign-seeming memory feature without realizing it can ingest broader local data and persist it externally or semi-persistently.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The documentation states that local files are automatically retained and imported into PostgreSQL after 7 days, but this is not clearly warned in the skill description or framed as requiring consent. Automatic ingestion of local content into a database can capture sensitive user data unexpectedly and expand the blast radius from local files to searchable persistent storage.

Missing User Warnings

Severity: Medium
Confidence: 71%
Finding:
The script silently transfers archived memory contents from local markdown files into PostgreSQL, potentially changing the storage boundary for sensitive long-term memory data without explicit notice or consent. In a memory-management skill, this is more sensitive because the archived content may include user preferences, context, or other private information that operators may assume remains local.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The script transmits the user's query text to a local embeddings API without any user-facing warning, consent flow, or help text indicating that input will be disclosed to another service. In a memory system, queries may contain sensitive personal context, so silent forwarding increases privacy and data-governance risk.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content (excerpt from the skill's documentation, as captured by the scanner; the table definition is cut off at this point in the excerpt):
### memory_structured (structured)
```sql
CREATE TABLE memory_structured (
    id SERIAL PRIMARY KEY,
    category VARCHAR(50),  -- goals, decisions, status, preferences, reference
    title VARCHAR(200),
    -- remaining columns not included in the scanner's excerpt
```
Confidence: 78%
Finding:
CREATE TABLE memory_structured ( id SERIAL PRIMARY KEY, category VARCHAR(50), -- goals, decisions, status, preferences, reference title VARCHAR(200), content TEXT, created_at TIME

VirusTotal

64/64 vendors flagged this skill as clean.