MemPalace Memory System for OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine local memory/search skill, but it needs review because it can persist broad conversation and project data, modify the Python environment, auto-save sessions, and make Wikipedia lookups despite its local-only messaging.

Install only if you intentionally want durable searchable memory. Use an isolated virtual environment, verify where palace_data and any ~/.mempalace files are written, avoid mining directories with secrets or private files, disable or avoid hooks/cron if you do not want automatic saving, and block or remove Wikipedia lookups if you need fully offline behavior.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (52)

Description-Behavior Mismatch (Medium severity, 97% confidence)

The documentation claims all data stays local, but elsewhere discloses outbound Wikipedia API requests. Even if the author believes no user data is sent, this is still a misleading data-handling statement and creates risk of metadata or extracted entity leakage during processing.

Description-Behavior Mismatch (Medium severity, 94% confidence)

The manifest presents the skill as local archive/search tooling, but the implementation performs runtime package installation from PyPI and modifies the Python environment. This materially changes the trust model by introducing supply-chain risk and persistent host modification not obvious from the description.

Context-Inappropriate Capability (Medium severity, 90% confidence)

Automatic `pip install` at runtime is a powerful capability for a memory skill because it executes package-management operations on the host and pulls code from external registries. This expands the attack surface to dependency confusion, compromised packages, and unintended modification of the user's Python environment.

Context-Inappropriate Capability (Medium severity, 92% confidence)

Wikipedia API access is not necessary for the stated core purpose of local conversation archiving and search. Any network egress from a supposedly local memory skill increases privacy risk and can expose derived information about user conversations or projects through entity queries.

Description-Behavior Mismatch (Medium severity, 93% confidence)

The README documents capabilities that significantly exceed the stated skill purpose, including project file ingestion, structured knowledge graph storage, onboarding collection, and MCP-exposed diary functions. This creates a scope-transparency problem: users may invoke a memory archiving skill while unknowingly enabling broader collection and exposure of local data, which increases the risk of overcollection and misuse by connected AI tools.

Context-Inappropriate Capability (Medium severity, 90% confidence)

An agent diary is a distinct data collection and retention feature that is not necessary for simple conversation save/search/backup behavior. In a memory tool context, such a diary can accumulate sensitive prompts, system outputs, metadata, or behavioral traces, expanding surveillance and retention beyond user expectations.

Description-Behavior Mismatch (Medium severity, 88% confidence)

The CLI exposes capabilities well beyond the declared skill purpose of archiving/searching AI conversations, including mining arbitrary project files, code, docs, repair, and compression operations. In an agent-skill context, this scope expansion increases the chance an agent will access or persist local data the user did not intend to share, creating a real over-collection and unintended data access risk.

Context-Inappropriate Capability (Medium severity, 91% confidence)

The init flow scans arbitrary files to detect people and projects, then writes extracted entity data to entities.json. For a memory skill intended to archive conversations, automatic extraction of named entities from arbitrary local content broadens collection of personal or sensitive information and can create privacy leakage or unexpected persistence of metadata.

Description-Behavior Mismatch (Medium severity, 95% confidence)

The default mining mode is 'projects', not 'convos', so a user or invoking agent can easily ingest general project files even though the skill is presented as conversation memory tooling. In this skill context, that default materially increases the risk of unintended codebase, secrets, documentation, or proprietary data ingestion into local long-term storage.

Description-Behavior Mismatch (Medium severity, 94% confidence)

The file introduces outbound Wikipedia requests for unknown terms, which conflicts with the skill's stated local-memory purpose and can disclose user-provided names or references to a third party. In a memory/archive skill, seemingly arbitrary tokens may contain personal contacts, projects, or sensitive contextual identifiers, so external enrichment materially expands the data exposure surface.

Context-Inappropriate Capability (Medium severity, 93% confidence)

The research() path operationalizes a network-based 'research' capability for unknown words from user context and persists the results. This is dangerous because a memory tool handling conversational data may forward private names, nicknames, or internal project names to Wikipedia without strong necessity or user awareness.

Description-Behavior Mismatch (Medium severity, 93% confidence)

The server exposes behavior beyond the stated manifest purpose: the embedded protocol text introduces knowledge-graph querying/mutation and diary recording as expected agent actions. This expands the skill from simple conversation archive/search into broader personal-data persistence and relationship tracking, which can mislead users and host policy layers about what data is collected and how it is used.

Description-Behavior Mismatch (Medium severity, 95% confidence)

The registered MCP tools include graph traversal, tunnel discovery, knowledge-graph writes, and diary read/write functions that materially exceed the advertised archive/search/backup role. Hidden or under-disclosed capabilities are dangerous because users and orchestrators may grant the skill access under a narrower trust assumption than the code actually requires.

Context-Inappropriate Capability (Medium severity, 92% confidence)

The protocol text tells agents to write a diary after each session and to persist changing facts, which encourages automatic retention of user/session information beyond the manifest's stated archiving/search purpose. In practice this can normalize silent collection of sensitive personal observations and long-term profiling without a clear user-triggered action.

Description-Behavior Mismatch (Medium severity, 95% confidence)

The implementation scans an entire project tree and ingests many readable source and data files, which exceeds the skill description of archiving AI conversation memories. In an agent context, this can silently copy secrets, proprietary code, credentials in configs, and other unrelated local files into persistent semantic storage, creating a data-exposure and overcollection risk.

Description-Behavior Mismatch (Medium severity, 93% confidence)

The onboarding flow optionally scans a user-specified local directory and processes files to extract people names, which extends data access beyond the skill's stated archive/search/backup behavior. Even though the scan is user-confirmed, it can read arbitrary local content and infer sensitive relationship data without a strong, explicit privacy warning or scope restriction.

Missing User Warnings (Medium severity, 93% confidence)

The README promotes permanent archival of AI conversations as a core feature but does not clearly warn users about retention scope, sensitive-content capture, or consent implications. In a memory skill, this is risky because users may store credentials, personal data, or proprietary information in long-term local archives without understanding the privacy consequences.

Missing User Warnings (Medium severity, 95% confidence)

The README presents unattended daily archiving at 23:00 as a convenience feature without prominently disclosing that user conversations will be automatically stored on an ongoing basis. This increases the chance of silent accumulation of sensitive or regulated data, especially because the feature is framed as requiring no manual action.

Vague Triggers (Medium severity, 83% confidence)

Broad trigger language such as saving, searching, or backing up memories could match ordinary conversation and cause the skill to activate in contexts the user did not intend. For a skill that archives content permanently and may auto-install dependencies, accidental invocation materially increases privacy and integrity risk.

Missing User Warnings (Medium severity, 95% confidence)

The README states that verbatim user content is stored and that an agent diary exists, but it provides no warning about privacy, retention, access paths, or downstream exposure through the MCP server. Because this skill handles conversation memories and local long-term storage, omission of data handling disclosures materially increases the chance that users expose sensitive personal or proprietary information without informed consent.

Missing User Warnings (Medium severity, 80% confidence)

The CLI encourages mining conversation exports but provides no explicit warning that chat logs may contain sensitive personal, confidential, or regulated information that will be stored in searchable long-term memory. In an agent skill focused on memory retention, lack of user-facing sensitivity warnings can lead to unsafe handling and persistence of private data.

Missing User Warnings (Medium severity, 86% confidence)

The init command writes a new entities.json into the target project directory without making that side effect explicit in the command help. Unexpected modification of user project directories is a legitimate safety issue because it can alter repositories, expose extracted metadata to other tools, or cause accidental check-in of sensitive entity data.

Missing User Warnings (Medium severity, 92% confidence)

The code writes raw conversation chunks directly into a persistent local Chroma collection, which can include sensitive prompts, credentials, personal data, internal code, or proprietary discussions. In the context of a memory/archive skill, this is especially risky because the behavior is intentional and broad, yet this file shows no consent prompt, sensitivity filtering, redaction, encryption, or retention controls before persistence.

Missing User Warnings (Medium severity, 91% confidence)

The code auto-generates and writes a 'Layer 1' summary file containing distilled conversation memories, quotes, sensitivity markers, and relationship/context data directly to disk when an output path is provided by the CLI. In a memory-archival skill, this creates a real confidentiality risk because highly sensitive personal content can be persisted in a predictable local file without consent prompts, encryption, permission hardening, or disclosure to the user.

Missing User Warnings (Medium severity, 88% confidence)

The code recursively scans a user-supplied directory and collects readable files for analysis, which can expose sensitive local content if users are not clearly informed about what will be read. In a memory/archive skill, users may point it at broad directories containing personal notes, credentials, or unrelated documents, so silent or unclear local file access is a real privacy/security risk even though it appears intended for functionality rather than abuse.

VirusTotal

65/65 vendors flagged this skill as clean.