Correlation Memory Search

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local memory-correlation plugin; the main risks are noisy rules and an uninstall script that edits config, not hidden malicious behavior.

Install only if you want memory searches to be expanded by local correlation rules. Before enabling it, review and narrow memory/correlation-rules.json, avoid broad triggers for sensitive memories such as access logs or credentials, verify the GitHub/npm dependency source, and treat uninstall.sh as a config-modifying script rather than part of the read-only runtime.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding:
There is a credible integrity and transparency issue if the skill claims zero external dependencies and read-only behavior while the packaged project also includes an uninstall script that edits OpenClaw configuration and depends on external tooling like `jq`. Even if not directly malicious, this mismatch can mislead operators about what will be modified on their system and increases the chance of unsafe installation or removal workflows.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The README makes strong security claims that the plugin is limited to read-only local file operations and cannot write to disk, yet later documents an uninstall workflow that backs up and modifies OpenClaw configuration. Even if the writes occur in an uninstall script rather than the main runtime path, this is still a misleading security statement that can cause users and reviewers to underestimate the plugin's write capabilities and trust boundary.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The statement 'Cannot write to disk' is contradicted by the documented uninstall script behavior, which writes backups and modifies configuration. False or overstated security assurances are dangerous because users may allow installation or execution under incorrect assumptions, especially in an agent/plugin ecosystem where file mutation is a meaningful capability.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The config-change rule uses generic terms like "config," "setting," "modify," and "change," which are likely to match ordinary discussion and trigger retrieval of unrelated memory contexts. In a memory plugin, over-broad activation can surface irrelevant or sensitive operational context unexpectedly, increasing the chance of context poisoning, confusion, or accidental disclosure.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding:
The backup-operation rule includes broad terms like "commit," "workspace," and "git push," which commonly appear in routine development conversations unrelated to backups. This can cause the plugin to fetch backup and recovery memories in the wrong contexts, potentially exposing internal operational details and degrading decision quality through irrelevant context injection.

Vague Triggers

Severity: Medium
Confidence: 96%
Finding:
Keywords such as "error," "fail," "bug," "broken," and "crash" are extremely common and will over-match across normal agent dialogue. In a correlation-memory plugin, that means large amounts of debugging-related memory may be injected into unrelated tasks, creating noise and increasing the risk that sensitive recent-change or recovery information is surfaced without need.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The session-recovery rule contains generic words like "recover" and "restart," which may appear in many benign contexts and inadvertently trigger retrieval of checkpoint, current-work, blockers, and next-actions. Because those fetched memories can contain sensitive task state or operational details, an accidental match can leak more context than is necessary for the current request.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
Terms like "restart," "deploy," and "service" are broad operational vocabulary and can match many conversations that are not actually gateway operations. In this plugin, false activations could pull backup procedures, health checks, and rollback instructions into unrelated contexts, which may disclose sensitive operational playbooks and influence agent behavior incorrectly.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding:
The plugin-management rule uses highly generic terms such as "plugin," "install," and "enable," which are likely to appear in many harmless conversations. That can trigger retrieval of validation and rollback memories unnecessarily, and in a plugin ecosystem this increases the risk of accidental disclosure of internal procedures or untrusted context steering later actions.

Vague Triggers

Severity: Medium
Confidence: 97%
Finding:
The security-audit rule contains very broad words like "security," "audit," "vulnerability," and "credential," which may be mentioned in many discussions, including adversarial prompts. In a security-sensitive memory plugin, unintended activation is more dangerous because it can surface access logs, recent security changes, and other sensitive context that could aid reconnaissance or prompt injection attacks.

VirusTotal

67/67 vendors flagged this skill as clean.