
Security audit

TokenSaver Korean

Security checks across malware telemetry and agentic risk

Overview

This memory/search skill is not clearly malicious, but it can persist sensitive context and send saved text or queries to Fireworks with incomplete disclosure and controls.

Review this skill before installing. Do not store secrets, credentials, regulated personal data, or confidential business context unless you accept persistent local storage and possible third-party embedding calls. Only set FIREWORKS_API_KEY if Fireworks may receive saved memory text and search queries. Do not run init_bora_context.py unless you intentionally want those local OpenClaw profile and identity files imported into searchable memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The file introduces persistent SESSION-STATE management that stores active task, context, and decisions in a durable markdown file. While likely intended as a convenience feature, it expands the skill from context retrieval into ongoing cross-session state retention, which can capture sensitive user/project information without clear disclosure or consent.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The embedding manager sends user-provided text to an external Fireworks API and sources credentials from an environment variable, but this capability is not reflected in the stated skill purpose. This creates an undisclosed data egress path for memory contents, which may include confidential prompts, notes, or personal data.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill tells users to configure a Fireworks API key for embedding search but does not warn that queries or stored memory content may be transmitted to a third-party service. Because this skill is explicitly designed to store agent memory and business context, embedding requests may contain highly sensitive data, making undisclosed external transmission a significant privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill promotes automatic archive, cleanup, and duplicate-merge features without clearly warning that stored memories can be modified, compressed, archived, or excluded from search automatically. For a memory system, silent mutation or removal of records can cause integrity, auditability, and availability problems, especially if users rely on the store as a source of truth.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script reads multiple local profile/memory files and sends their full contents to the TokenSaver client with no consent prompt, sensitivity warning, destination disclosure, or filtering. In this skill context, the files are explicitly named MEMORY, USER, SOUL, AGENTS, and IDENTITY, which strongly suggests personal or highly sensitive agent context, so silent ingestion into an external/context database creates a real confidentiality risk.

Ssd 3

Medium
Confidence: 95%
Finding
The session-state template explicitly describes the file as persistent RAM that survives restarts and stores current task, key context, pending actions, and recent decisions. That behavior creates durable plain-text storage of potentially sensitive user and organizational context, increasing privacy and data retention risk.

Ssd 3

Medium
Confidence: 88%
Finding
Comments and helper guidance repeatedly instruct saving logs or state before responding, normalizing retention of user/task data by default. In an agent skill, these semantic cues matter because integrators may wire the feature in as intended, causing over-collection and unnecessary persistence of sensitive inputs.

VirusTotal

67/67 vendors flagged this skill as clean.
