Back to skill

Security audit

Cross-Platform Memory Bridge

Security checks across malware telemetry and agentic risk

Overview

This skill is not deceptive, but it would automatically reuse private chats and local memory files across channels in a way users should review carefully.

Install only if you deliberately want Telegram, Discord, MEMORY.md, and daily notes reused across OpenClaw channels. Before enabling it, restrict the configured paths, add per-source opt-in controls, review or redact sensitive memory content, and treat recalled chats as untrusted quoted data rather than system-level instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill reads additional workspace memory files (MEMORY.md and daily notes) and appends their contents directly into model context, expanding data collection beyond the advertised Telegram/Discord conversation bridge. This can expose unrelated sensitive workspace notes, credentials, or private summaries to any downstream prompt or model call that uses this context, creating unnecessary data overexposure and scope creep.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill describes silently ingesting Telegram logs, Discord logs, and local memory files into agent context on every request without any user-facing privacy warning or consent boundary. This creates a covert collection and reuse path for potentially sensitive messages and notes that users may not expect to be shared across channels.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code is designed to ingest Telegram and Discord user messages from session logs and inject them into future gateway requests, but there is no visible consent, notice, or per-platform disclosure mechanism in the implementation. This creates a privacy and prompt-context integrity risk because users may not expect cross-channel messages to be repurposed and surfaced in other sessions.

Ssd 3

High
Confidence
97% confidence
Finding
Injecting prior Telegram, Discord, and local note content into every new request creates a direct natural-language data leakage channel across otherwise separate contexts. A prompt, plugin, or model response in one channel can inadvertently reveal sensitive information that originated in another channel or in local files.

Ssd 3

High
Confidence
96% confidence
Finding
The documented output format explicitly prepends aggregated memory from multiple sources as system context and tells the agent to use it in responses. Because system-context content strongly influences model outputs, this design materially increases the chance that private messages or local notes will be surfaced or paraphrased to the wrong user or channel.

Ssd 3

High
Confidence
96% confidence
Finding
The skill intentionally harvests prior user messages from session logs and reinserts them as reusable context in later prompts. This is dangerous because untrusted user-generated content can carry prompt-injection instructions, private information, or misleading claims across sessions and platforms, causing persistent compromise of model behavior and leakage of prior conversations.

Ssd 3

High
Confidence
97% confidence
Finding
The constructed prompt explicitly instructs the model to use remembered facts and prior conversations when responding, which amplifies the effect of any malicious or sensitive content imported from files or logs. Because the memory is inserted as authoritative context rather than clearly sandboxed reference material, it increases the likelihood of cross-session prompt injection, privacy leakage, and incorrect trust in stale or attacker-controlled text.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.