Nima Core

Security checks across malware telemetry and agentic risk

Overview

NIMA Core appears to be a real memory and affect skill, but it grants broad persistent access and contains under-disclosed install, network, and workspace-inspection behavior that should be reviewed before use.

Install only if you are comfortable giving this skill persistent access to OpenClaw conversations and allowing it to modify the OpenClaw extension environment. Review install.sh before running it; decide whether remote embedding or LLM calls are acceptable for transcript-derived text; keep precognitive cron/actions disabled unless you want workspace, GitHub, calendar, service, and file context inspected; and do not load legacy pickle memory files from untrusted sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (103)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import os
import subprocess

# Resolve the package root (two directories above this file) and run install.sh
# from there if it exists; otherwise tell the user how to run it manually.
pkg_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
install_script = os.path.join(pkg_dir, 'install.sh')
if os.path.exists(install_script):
    subprocess.run(['bash', install_script], cwd=pkg_dir)
else:
    print("NIMA Core v" + __version__)  # __version__ is the module-level version string
    print("Run ./install.sh from the nima-core directory to set up hooks.")
Confidence
87% confidence
Finding
subprocess.run(['bash', install_script], cwd=pkg_dir)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import logging
import subprocess

logger = logging.getLogger(__name__)


def _shell(cmd: str, timeout: int = 10) -> str:
    """Run a shell pipeline (only for trusted, static commands). Never pass user input."""
    try:
        r = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True, timeout=timeout)
        return r.stdout.strip()[:500]
    except (subprocess.TimeoutExpired, subprocess.CalledProcessError, OSError, FileNotFoundError) as e:
        logger.warning("Command failed: %s", e)
        return ""  # keep the declared str return type on failure
Confidence
96% confidence
Finding
r = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True, timeout=timeout)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

# Try each method in turn (capture_methods and DATA_DIR are defined elsewhere in the module)
for method_name, cmd in capture_methods:
    try:
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
            timeout=30,
            cwd=str(DATA_DIR),
        )
    except (subprocess.TimeoutExpired, OSError):
        continue  # fall through to the next capture method
Confidence
87% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30, cwd=str(DATA_DIR))

Tp4

High
Category
MCP Tool Poisoning
Confidence
80% confidence
Finding
The documented purpose emphasizes memory and affect features, but the described behavior extends into installation, hook management, service restart, database administration, and other operational capabilities. That scope expansion increases the attack surface and can cause users to grant broader trust or permissions than they intended, especially because a memory skill handling transcripts already has access to sensitive data.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The install guide expands the skill from memory/emotional recall into 'precognitive actions' that inspect local environment state such as git status, open PRs, and model/provider configuration. That materially broadens the capability and data-access surface beyond the stated purpose, creating a risk that operators enable environment inspection and context injection they did not expect from a memory plugin.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The documented precognitive workflow explicitly includes preparation actions like git status, open PRs, memory recall, and model-tier resolution from configuration, which goes beyond a memory skill into host/repository inspection. In an agent environment, this can expose sensitive workspace metadata into cached or injected prompt context without clear need or consent.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The documentation gives conflicting statements about whether embeddings default to local or to external providers such as Voyage/OpenAI. For a memory system that processes session transcripts, this ambiguity is dangerous because users may believe their data stays local when it may instead be transmitted to third-party APIs.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The metadata claims network access is conditional, but other parts of the documentation state Voyage is the default embedder, which would make network use effectively on-by-default. That inconsistency undermines informed consent and may mislead users about whether sensitive memory content leaves the local machine.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The installer performs privileged operational actions beyond simple package installation by restarting the OpenClaw gateway and later deploying extensions into the user's OpenClaw extensions directory. That increases the script's effective control over the host agent runtime and creates a broader trust boundary than the skill description suggests, which is risky because installation immediately alters execution behavior of another system component.

Description-Behavior Mismatch

Low
Confidence
90% confidence
Finding
The installer clones a remote GitHub repository and installs dependencies from pip, which introduces network-sourced code execution during installation. Even though this is common for installers, it is a supply-chain risk and should be treated as security-relevant behavior, especially when the manifest does not clearly disclose that external code and packages will be fetched and executed.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
A skill advertised for persistent memory and affect processing includes an entry point that runs an installation shell script for hooks, which is a materially different capability from the declared purpose. This mismatch increases supply-chain and user-trust risk because invoking the package can trigger filesystem changes or persistence-related setup not expected from a cognition library.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The module combines normal runtime exports with installer/setup behavior that copies or installs external hooks into a user environment, which is outside the stated memory/affect feature set. In a skill ecosystem, hidden or weakly disclosed setup behavior is more dangerous because users may import or run the package trusting the manifest description, while the package is capable of persistence-like environment modification.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The module's stated purpose is precognitive memory preparation, but it performs broad reconnaissance over repositories, logs, docs, research files, spreadsheets, services, calendar, and other workspace artifacts. In an agent skill, this kind of overbroad collection is dangerous because it silently expands data access beyond user expectations and can surface sensitive operational, personal, or business context into cached prep data and injected prompts.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
This module invokes external tooling such as git, gh, curl, icalBuddy, shell, and Python subprocesses as part of autonomous preparation. In the context of a memory skill, that is unusually powerful and dangerous because it enables local reconnaissance and interaction with developer tooling, potentially exposing repository metadata, CI status, local services, and other sensitive host information without an explicit user action.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The category/action design includes personal, finance, sales, marketing, calendar, and communication context unrelated to the advertised core memory function. This broad access increases privacy risk because the module can automatically collect and summarize sensitive personal and business information into prep artifacts that may later be injected into model context.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The code comment says shell execution is limited to trusted static commands, but the implementation does not enforce that policy and instead provides a reusable arbitrary-command wrapper. That mismatch is dangerous because reviewers may assume safety from the docstring while future code can call _shell with tainted input, leading to unnoticed command-execution vulnerabilities.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The module-level security claims say loading is safe from untrusted sources and avoids arbitrary code execution, but the implementation still falls back to legacy pickle deserialization in load() for non-JSON files. That mismatch is dangerous because users may trust attacker-supplied files based on the documentation, leading to remote code execution when a crafted pickle is loaded.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The inline comments explicitly assert there is 'No arbitrary code execution risk' and that the format is 'safe to load from untrusted sources', yet the file contains a pickle-loading path. This can cause developers or downstream agents to treat all loads as safe, increasing the chance that untrusted pickle content is deserialized and executes arbitrary code.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The documentation emphasizes secure JSON/HMAC behavior and migration away from pickle, but the code still supports pickle deserialization through load(). While the issue is fundamentally the same unsafe deserialization path, this specific finding is about misleading secure-by-default messaging that can drive unsafe operational assumptions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code sends memory contents to an LLM during duplicate verification, and those memories may contain sensitive user data, conversation history, or secrets. In a memory-management component, exfiltrating raw memory text to an external service is a real security and privacy risk, especially because this behavior is automatic and not clearly constrained to local-only providers.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The sync function performs an unrelated persistent side effect by importing memory_git and automatically committing changes after database synchronization. In an agent skill, hidden source-control writes can create an audit trail the user did not request, trigger hooks or downstream automation, and expand the module's authority beyond its documented purpose.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The docstring presents the module as syncing dream engine outputs, but the implementation also ingests suppression/pruner/lucid state and performs git commits. This capability mismatch is dangerous because security reviewers and operators may grant the module broader trust than intended, causing unexpected persistence and repository modifications during routine sync operations.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The module advertises configurable tracking of specific memory files, but commit_memory unconditionally runs git add --all in the memory repo. That can silently stage and commit unrelated or sensitive files placed in that repository, violating least surprise and potentially persisting secrets or private agent data.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The files parameter is accepted and passed directly to git add, allowing arbitrary paths to be staged beyond the intended memory scope. Because git can stage paths outside the repository root when explicitly named, a caller may cause unrelated workspace files or potentially sensitive local files to be committed into the memory repository.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The module header asserts a file-based design with 'no DB writes', but live execution later performs ghost-mark synchronization back into LadybugDB. This documentation/behavior mismatch is dangerous because operators or downstream agents may rely on the stated safety boundary and run the tool under false assumptions, leading to unintended persistent modification of memory state.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal