Security audit

Openclaw Local Memory

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate local memory plugin, but it automatically stores and later reuses conversation data, including credential-like or personal details, without enough safeguards.

Install only if you are comfortable with conversation content being saved locally and reused in future prompts. Disable auto-capture or auto-recall before discussing credentials, regulated data, or confidential work, and use the forget or wipe tools to remove sensitive memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (18)

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The significance rules explicitly treat credentials and authentication-related terms as noteworthy content to retain, which increases the chance that secrets such as API keys, passwords, tokens, or login details are persisted. In a memory plugin whose purpose is to later recall and inject stored content back into prompts, this creates a direct sensitive-data retention and disclosure risk.

Context-Inappropriate Capability

Low
Confidence: 91%
Finding
The profile-building and recall path intentionally assembles entities, preferences, facts, and recent dynamic data into model context by default. While useful for personalization, this can expose accumulated personal data in later prompts, especially if the model, tools, logs, or downstream integrations are not strictly scoped.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill enables persistent auto-capture and periodic profile injection by default, but the documentation does not clearly warn that conversation content will be stored on disk and later reintroduced into future prompts. This creates a real privacy and safety risk because users may unknowingly persist sensitive data and have it resurfaced in unrelated contexts.

Missing User Warnings

High
Confidence: 97%
Finding
The significance patterns explicitly include credential-like terms such as api_key, password, and token, which implies the memory system may capture and retain secrets. Storing such content without a prominent warning, exclusion rule, or redaction mechanism is dangerous because local persistence and later recall can expose credentials to the model, logs, or anyone with filesystem access.

Missing User Warnings

Medium
Confidence: 92%
Finding
The plugin automatically captures user prompts and conversation-derived content into persistent local memory during lifecycle hooks, but this file shows no explicit consent gate, notice, or sensitivity filtering before storage. In a memory plugin, this creates a real privacy and data-handling risk because secrets, personal data, or regulated information may be retained and later resurfaced unintentionally.

Missing User Warnings

Medium
Confidence: 90%
Finding
The code extracts raw user prompt text from event.prompt or user-role messages and registers it for capture without any visible privacy warning, consent check, or content classification. That is dangerous because prompt text often contains credentials, personal information, or proprietary material, and storing it in memory increases the chance of unintended disclosure through later recall or tooling.

Missing User Warnings

Medium
Confidence: 88%
Finding
The code persists combined user and assistant exchange content to long-term memory without any visible user disclosure or consent mechanism in this flow. Because the captured text may contain sensitive conversational details, silent persistence raises privacy and compliance concerns and increases harm if the store is later searched or injected.

Missing User Warnings

Medium
Confidence: 86%
Finding
The consolidation step writes accumulated conversation history into summary memory without any user-facing indication that prior exchanges are being retained beyond the active session. Summaries can still contain sensitive facts even if shortened, so undisclosed consolidation expands the privacy footprint of the plugin.

Missing User Warnings

Medium
Confidence: 94%
Finding
The store persists arbitrary conversation content, extracted entities, tags, and inferred metadata to a JSON file under the user's home directory without any consent, notice, retention control at write time, or access protections. In a memory plugin, this means sensitive personal data, credentials, emails, and behavioral history can be silently retained across sessions and exposed to local compromise, backups, or unintended reuse.

Missing User Warnings

Medium
Confidence: 91%
Finding
The profile tool aggregates and returns potentially sensitive user data such as entities, preferences, facts, and recent context with no access control, consent check, redaction, or privacy warning. In a memory plugin, this materially increases the chance of overexposing stored personal data to the model, other tools, or any caller that can invoke the tool.

Missing User Warnings

Medium
Confidence: 89%
Finding
The recent-memory tool returns raw stored memory contents without any privacy gating, warning, or scope restriction. Because memories may contain sensitive user information collected over time, exposing recent entries directly can leak private context more broadly than the user expects, especially in an agent environment where tools may be invoked automatically.

Missing User Warnings

Medium
Confidence: 95%
Finding
The plugin enables automatic conversation capture by default, which can cause sensitive user content to be persistently stored without an explicit opt-in or prominent privacy notice. In a memory plugin, this is especially risky because users may share credentials, personal data, or confidential business information during normal conversation, and the feature is described as convenience behavior rather than a privacy-sensitive action.

Missing User Warnings

Medium
Confidence: 89%
Finding
Enabling profile injection on the first turn by default can disclose previously stored personal or contextual information into model context before the user has a chance to review or consent in the current session. For a local memory skill whose purpose is to recall past data automatically, first-turn injection increases the chance of unintended exposure of sensitive profile details across conversations or contexts.

Ssd 3

Medium
Confidence: 95%
Finding
This code automatically captures raw user prompts at agent start and persists additional conversation state at agent end, which can retain sensitive information and re-inject it later via recall behavior. The skill context makes this more dangerous, not less, because a memory plugin is specifically designed to preserve and surface past user data across interactions, amplifying privacy leakage and accidental secret retention risks.

Ssd 3

High
Confidence: 99%
Finding
The plugin is explicitly designed to detect, retain, and later use sensitive categories including identity and credential-related content. In the context of a local memory skill that re-injects stored material into subsequent prompts, this materially increases the chance of sensitive data leakage across turns, sessions, tools, or logs.

Ssd 3

High
Confidence: 99%
Finding
This flow stores a combined plain-language transcript of user and assistant content as an exchange and later makes that memory available for recall into prompts. That design can resurface prior secrets, personal details, internal instructions, or sensitive troubleshooting outputs in unrelated future contexts, creating a strong confidentiality risk.

Ssd 3

Medium
Confidence: 93%
Finding
The formatting helpers deliberately surface accumulated entities, preferences, facts, recent items, and recalled memories back into the active model context. This increases the exposure surface for stored personal or sensitive information and can cause over-sharing to the model or connected tools if the memory store contains more than intended.

Ssd 3

Medium
Confidence: 96%
Finding
The code not only stores user content and extracted entities persistently, it also aggregates them into a profile via buildProfile, increasing the sensitivity and usability of collected personal data. This creates a privacy and surveillance risk because the plugin transforms raw interaction history into structured personal facts, preferences, and entities that are easier to abuse or leak than the original text.

VirusTotal

66/66 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.