Security audit

Jasper Recall

Security checks across malware telemetry and agentic risk

Overview

Jasper Recall is a real local memory tool, but it needs Review because it can automatically surface private stored memories and some query paths invoke shell commands unsafely.

Install only after reviewing the privacy tradeoffs. Keep autoRecall off unless you explicitly want stored memories inserted into prompts, set publicOnly true for sandboxed or lower-trust agents, avoid exposing the recall server beyond localhost, and do not enable private HTTP queries on shared hosts. Treat the ChromaDB database, legacy collection, session digests, and shared learnings as sensitive local data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (22)

Tainted flow: 'LEARNINGS_FILE' from os.environ.get (line 27, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
            f.write("---\n")

    # Append entry
    with open(LEARNINGS_FILE, 'a') as f:
        f.write(entry)

    print(f"📄 Added to {os.path.relpath(LEARNINGS_FILE, WORKSPACE)}")
Confidence
95% confidence
Finding
with open(LEARNINGS_FILE, 'a') as f:

Tainted flow: 'LEARNINGS_FILE' from os.environ.get (line 27, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    # Create file with header if it doesn't exist
    if not os.path.exists(LEARNINGS_FILE):
        with open(LEARNINGS_FILE, 'w') as f:
            f.write("# Agent Learnings\n\n")
            f.write("Insights and learnings contributed by sandboxed agents.\n\n")
            f.write("---\n")
Confidence
95% confidence
Finding
with open(LEARNINGS_FILE, 'w') as f:

Intent-Code Divergence

Low
Confidence
83% confidence
Finding
The documentation describes public-only mode as suitable for sandboxed agents, but it still includes `agent_learnings`, which may contain sensitive operational knowledge or indirectly private information. Labeling this as 'public-only' can cause operators to over-trust the isolation boundary and expose data to agents that were intended to see only strictly public content.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The docstring describes the tool as meant for sandboxed agents contributing to shared memory, but the implementation permits redirection of both the markdown file and ChromaDB storage through environment variables. This mismatch is security-relevant because operators may assume the tool is safely confined when in reality callers can influence where persistent data is written.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documented auto-recall feature injects retrieved memory into every agent interaction by default when enabled, which can expose prior conversation content or sensitive memory to prompts that did not explicitly request it. In this skill’s context, the risk is amplified because the product is designed to persist and retrieve potentially private agent memory, so automatic context insertion increases the chance of unintended disclosure, prompt-scope expansion, and privacy violations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The --fix path automatically performs state-changing operations such as creating a virtual environment, installing Python packages, creating directories, and launching indexing with no explicit confirmation gate beyond the presence of the flag. In a CLI skill context, this can lead to unintended dependency installation, filesystem modification, and execution of additional code paths if a user or higher-level agent invokes the command with --fix automatically.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The CLI unconditionally triggers a background update check on startup without user-facing disclosure or opt-in in this file. Even if the network request is only for version checking, it can leak usage metadata, surprise users in restricted environments, and violate expectations for a tool presented as local-only.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The endpoint returns both parsed results and the full raw recall output directly to the caller, which can expose more memory content or metadata than intended. In this skill's context, the server is an HTTP interface for memory search, so returning raw backend output increases disclosure risk, especially if the service is rebound to a non-local interface or private queries are enabled.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document promotes cross-agent memory sharing, mesh queries, and HTTP query access without prominent discussion of confidentiality, consent, authentication, authorization, or exposure risks. In a multi-agent memory system, this omission is dangerous because users may deploy shared or remotely queryable memory assuming safe defaults, leading to unintended data disclosure across agents or via network interfaces.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The spec explicitly proposes bidirectional learning and automatic syncing between main and sandboxed agents, including extraction of memories into a shared zone, but it does not describe any explicit user notice, consent flow, or approval boundary for that data sharing. Even with [public]/[private] tags and pattern-based privacy filtering, automatic propagation of user/system context creates a real risk of unintended disclosure because mis-tagging, incomplete regex coverage, or future workflow drift can expose sensitive information to additional agents.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly states that, when enabled, it searches memory before every message and prepends retrieved memories into the agent context. That creates a real privacy and data-minimization risk because users may not realize their prompts trigger automatic retrieval of potentially sensitive prior notes, and downstream model behavior could expose or overuse that context. The risk is heightened by the documented default example `publicOnly: false`, which permits private memory to be searched unless operators deliberately constrain it.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
When autoRecall is enabled, the plugin automatically searches prior memory and prepends recalled content into the agent context before processing a prompt. This can leak sensitive historical data into conversations or tool reasoning without explicit user awareness, especially because recalled content may include private notes and is injected based only on semantic similarity.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The plugin explicitly supports automatically injecting recalled memories into agent context, but the user-facing description does not warn that private or unexpected prior content may be surfaced and influence model behavior. In a memory/RAG skill, this creates a real privacy and prompt-context integrity risk because sensitive data may be reintroduced without clear user awareness, especially when autoRecall is enabled.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill documents an auto-recall feature that injects semantically matched memory content into the agent context before every message, but it does not clearly warn users that potentially sensitive prior notes may be surfaced implicitly. This creates a real privacy and data-exposure risk, especially if memory contains private operational details, credentials-adjacent information, or cross-project context that the current conversation should not access.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
When auto-recall is enabled, the plugin forwards the entire incoming prompt to the local recall subprocess before agent processing. This can unintentionally disclose sensitive user content, secrets, or system-internal text to another component without explicit user awareness or consent, increasing privacy and data-handling risk even if the subprocess is local.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The plugin explicitly supports automatically injecting recalled memories into agent context, but the JSON metadata only provides a functional description and does not clearly warn users about privacy, consent, or context-boundary risks. In a memory/RAG skill, this can cause sensitive prior data to be surfaced to the model or downstream tools unexpectedly, especially if users enable autoRecall without understanding the implications.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script persists summaries of session content to markdown files under a workspace directory without any explicit user-facing notice, consent check, retention control, or sensitivity filtering. Because session logs can contain prompts, secrets, personal data, or operational details, silently creating long-lived digest files increases the chance of unintended disclosure through local compromise, backups, syncing, or later reuse by other tools.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
Initializing SentenceTransformer('all-MiniLM-L6-v2') can trigger a model download from external infrastructure on first run, causing network egress from a tool that processes local memory data without an explicit warning or consent step. Even if file contents are not directly uploaded in this line, silent external dependency fetching in a sensitive indexing workflow can violate privacy expectations and create supply-chain and metadata-leak risks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script indexes sensitive sources such as memory, session digests, repos, SOPs, and founder logs into persistent ChromaDB collections, and it routes some content into a shared collection based on path names or simple in-band tags like [public]. This creates a real confidentiality risk because sensitive material may be retained long-term and exposed to sandboxed agents through weak classification rules, especially in an agent-memory context where these files are likely to contain secrets, internal notes, or private operational data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This CLI prints recalled memory content directly to stdout, including results from the private memory collection by default. In an agent setting, stdout is often captured by logs, parent orchestrators, chat transcripts, or downstream tools, so sensitive private memories can be disclosed unintentionally even without a separate exploit primitive.

Session Persistence

Medium
Category
Rogue Agent
Content
### Setup for Sandboxed Agents

1. Create shared directory: `mkdir -p ~/.openclaw/workspace/memory/shared`
2. Symlink to sandboxed workspace: `ln -s ~/.openclaw/workspace/memory/shared ~/.openclaw/workspace-sandbox/shared`
3. Use `--public-only` flag in sandboxed agent's recall queries
Confidence
84% confidence
Finding
Create shared directory: `mkdir -p ~/.openclaw/workspace/memory/shared` 2. Symlink to sandboxed workspace: `ln -s ~/.openclaw/workspace/memory/shared ~/.openclaw/workspace-sandbox/shared` 3. Use `--pu

Session Persistence

Medium
Category
Rogue Agent
Content
index-digests  # Index memory files into ChromaDB
```

**Create session digests:**
```bash
digest-sessions          # Process new sessions
digest-sessions --dry-run  # Preview what would be processed
Confidence
86% confidence
Finding
Create session digests:** ```bash digest-sessions # Process new sessions digest-sessions --dry-run # Preview what would be processed ``` ## How It Works ### Three Components 1. **digest-s

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec, suspicious.destructive_delete_command

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
cli/doctor.js:15

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
cli/jasper-recall.js:43

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
cli/server.js:33

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
extensions/jasper-recall/index.ts:58

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
extensions/openclaw-plugin/index.ts:58

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/index.js:28

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
SKILL.md:424