AOMS - Always-On Memory Service

Security checks across malware telemetry and agentic risk

Overview

AOMS is a coherent local memory service, but it needs review because it stores long-term agent memory and encourages feeding recalled content into future prompts without enough safety controls.

Install only if you intentionally want persistent local agent memory. Keep the service bound to localhost, verify the cortex-mem package or container before running it as a daemon, avoid storing secrets or regulated data, use dry-run and review before importing workspace files, and review recalled memory before placing it in prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documented `GET /memory/browse/{path}` endpoint exposes arbitrary path-based browsing and file-content retrieval, which is materially different from a memory-only service. In an agent context, this expands the skill from persistent memory into local filesystem access, creating a path traversal and sensitive file disclosure risk if an agent or user can supply uncontrolled paths.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The Cortex ingestion and document management endpoints add broad document-processing and retrieval capabilities beyond the stated memory-service scope. In practice this increases the amount and type of data the agent can ingest, summarize, regenerate, and surface, which can expose sensitive documents, create unintended retention, and weaken the principle of least privilege for a skill that appears to be only a memory store.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly promotes persistent storage of experiences, facts, failures, and task history, but does not give clear guidance to avoid secrets, personal data, credentials, tokens, or regulated information. In a memory system intended for long-term cross-session retention, this omission materially increases the chance that sensitive context will be captured and retained beyond the original task.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill recommends taking recalled memory and injecting it directly into prompts/system context without warning that stored memory may contain adversarial or stale prompt content. This creates a prompt-injection and data-leak risk, because any previously stored text can influence future agent behavior with elevated trust if inserted as context automatically.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The API reference documents numerous write, ingest, mutate, and merge operations across memory and document stores without warning about privacy, retention, or destructive side effects. In an always-on memory skill, agents may send sensitive prompts, documents, or user data to these endpoints and persist or transform them unintentionally, increasing the risk of data leakage, over-collection, and irreversible state changes.

Session Persistence

Medium
Category
Rogue Agent
Content
### 2. Session boot script

Add a boot script to your workspace (see `references/openclaw-setup.md` for a full example):

```python
# boot_aoms.py — call at session start
```
Confidence
88% confidence
Finding
Add a boot script

Session Persistence

Medium
Category
Rogue Agent
Content
## API Quick Reference

### Write Memory

```bash
curl -X POST http://localhost:9100/memory/episodic \
```
Confidence
86% confidence
Finding
Write Memory

```bash
curl -X POST http://localhost:9100/memory/episodic \
  -H "Content-Type: application/json" \
  -d '{ "type": "experience", "payload": { "title": "Fixed auth bug",
```

VirusTotal

66/66 vendors flagged this skill as clean.
