Security audit

Mem Optimizer

Security checks across malware telemetry and agentic risk

Overview

This memory optimizer is review-worthy because it can run on a schedule, inspect other agents and host status, and rewrite memory files without clear backup or confirmation safeguards.

Install only if you intentionally want a global memory optimizer with multi-agent visibility. Keep scheduled runs and external reporting disabled until reviewed, run dry-run first, back up memory files before non-dry-run compression, and avoid using it in shared or sensitive agent environments without clear authorization boundaries.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (15)

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: Adding Feishu delivery introduces an external data egress channel that is not necessary for core memory compression. Once reports and log links are sent off-platform, memory contents, operational metadata, and agent activity may be exposed beyond the local trust boundary, especially if delivery is automated.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: Server, network, multi-agent, and 24-hour task monitoring are unrelated to simple memory optimization and materially broaden the skill's access to system and workflow state. In context, this makes the skill more dangerous because it can aggregate sensitive infrastructure and activity information under a benign-sounding feature set.

Intent-Code Divergence

High

Confidence: 97% confidence
Finding: The documentation claims safe defaults such as dry-run and user confirmation, yet also describes a scheduled daily action that performs full optimization automatically. This contradiction is dangerous because operators may rely on the advertised safety model while the cron path performs unattended modifications or disclosures, creating a consent and integrity gap.

Context-Inappropriate Capability

High

Confidence: 97% confidence
Finding: The skill runs host-level shell commands to collect CPU, memory, disk, and uptime data, which exceeds the stated purpose of memory-file optimization. Even though the commands are hardcoded and not directly injectable here, they unnecessarily expand the skill's access to infrastructure telemetry and expose environment details that could aid reconnaissance or violate least-privilege expectations.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The skill enumerates ~/.openclaw/agents via shell command to discover other agents in the runtime environment, which is unrelated to optimizing the current workspace's memory files. This broad environment inspection creates unnecessary cross-tenant visibility and can reveal operational layout and active components to callers.

Description-Behavior Mismatch

Medium

Confidence: 96% confidence
Finding: The daily optimization flow aggregates and returns server status plus agent inventory information alongside memory-optimization results. For a tool advertised as a memory optimizer, exposing infrastructure and operational metadata is scope creep that increases disclosure risk and can give users information about the host and neighboring agents they should not receive.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger phrase '总结你自己' is overly broad and can match ordinary conversational requests unrelated to memory maintenance. In a global skill, such ambiguous activation increases the risk of unintended execution, potentially causing workspace scanning, report generation, or data disclosure without clear user intent.

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The manual trigger description lacks boundaries and exclusions, and the automatic activation language is broad. That makes accidental invocation more likely, especially in a globally enabled skill with capabilities beyond mere summarization, increasing the chance of unauthorized scans or outbound reporting.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The daily report includes system status, task summaries, and detailed log links, yet there is no clear warning or consent model for privacy-sensitive data leaving the runtime. This is dangerous because it can expose infrastructure metadata, agent activity, and potentially memory-derived information to external recipients on a recurring automated basis.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: When dryRun is disabled, the skill overwrites memory files in place without backup, confirmation, or transactional safeguards. Because the summarization is lossy, users can permanently lose context, and the skill's self-improving framing makes silent destructive changes especially risky in a memory-management tool.

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The skill appends reflections and corrections to persistent files without clearly informing the user that additional logs will be written. While lower severity than overwriting memory, this still creates undisclosed retention of operational and feedback data that users may not expect.

Ssd 3

Medium

Confidence: 95% confidence
Finding: Automatically sending detailed memory/task summaries and log references can disclose sensitive information collected from memory files and agent activity. In this skill's context, the risk is elevated because collection is periodic, broad in scope, and tied to an outbound channel, making accidental or excessive disclosure more likely.

Ssd 3

Medium

Confidence: 94% confidence
Finding: The report template normalizes routine disclosure of internal operational state, task history, and agent status to an external messaging destination. Even if individual items seem low sensitivity, aggregated operational telemetry can aid profiling, reveal environment structure, and expose internal workflows over time.

Ssd 3

Medium

Confidence: 96% confidence
Finding: The multi-agent summary reports which other agents were active, how many files were processed, and their optimization outcomes, disclosing cross-agent activity in plain language. In a shared runtime, this leaks metadata about other agents' recent work and resource usage that a caller of a memory optimizer should not automatically obtain.

Ssd 3

Medium

Confidence: 98% confidence
Finding: The skill automatically enables multi-agent mode based on benign-looking message text such as containing '多智能体', causing broad scanning and reporting across other agents without a strong authorization boundary. This makes cross-agent disclosure easy to trigger accidentally or through prompt manipulation, substantially increasing the risk of unintended data exposure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical

Code: suspicious.dangerous_exec
Location: index.js:256