Security audit

Monica Memory Manager

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local memory-management skill, but users should understand it intentionally stores conversation content persistently on disk.

Install only if you want an agent to retain local memories across conversations. Set WORKSPACE_DIR to the intended OpenClaw workspace before use, avoid storing secrets or regulated personal data, periodically review/delete the memory directory, and install ChromaDB only from a trusted source if you enable long-term memory.

SkillSpector

By NVIDIA

Vulnerability Patterns

Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (9)

Tainted flow: 'config_json' from os.environ.get (line 74, credential/environment) → open (file write)

Medium

Category: Data Flow
Content: """保存配置文件""" # 使用 JSON 而非 YAML，减少依赖 config_json = CONFIG_FILE.with_suffix('.json') with open(config_json, 'w') as f: json.dump(config, f, indent=2, ensure_ascii=False) print(f"✓ 已保存配置: {config_json}")
Confidence: 87% confidence
Finding: with open(config_json, 'w') as f:

Tainted flow: 'SLIDING_WINDOW_FILE' from os.environ.get (line 28, credential/environment) → open (file write)

Medium

Category: Data Flow
Content: data['messages'] = messages data['updated_at'] = datetime.now().isoformat() with open(SLIDING_WINDOW_FILE, 'w') as f: json.dump(data, f, indent=2, ensure_ascii=False) print(f"✓ 已添加短期记忆，当前窗口: {len(messages)}/{window_size}")
Confidence: 88% confidence
Finding: with open(SLIDING_WINDOW_FILE, 'w') as f:

Tainted flow: 'summary_file' from os.environ.get (line 146, credential/environment) → open (file write)

Medium

Category: Data Flow
Content: } data['summaries'].append(new_summary) with open(summary_file, 'w') as f: json.dump(data, f, indent=2, ensure_ascii=False) print(f"✓ 已添加中期记忆: {summary_file}")
Confidence: 87% confidence
Finding: with open(summary_file, 'w') as f:

Tainted flow: 'SLIDING_WINDOW_FILE' from os.environ.get (line 28, credential/environment) → open (file write)

Medium

Category: Data Flow
Content: add_medium_term_memory(summary, 'auto-summary') # 清空短期记忆（可选） with open(SLIDING_WINDOW_FILE, 'w') as f: json.dump({'messages': [], 'updated_at': datetime.now().isoformat()}, f, indent=2, ensure_ascii=False) print(f"✓ 摘要生成完成，已归档 {len(short_memories)} 条短期记忆")
Confidence: 89% confidence
Finding: with open(SLIDING_WINDOW_FILE, 'w') as f:

Tainted flow: 'SLIDING_WINDOW_FILE' from os.environ.get (line 28, credential/environment) → open (file write)

Medium

Category: Data Flow
Content: # 创建短期记忆文件 if not SLIDING_WINDOW_FILE.exists(): with open(SLIDING_WINDOW_FILE, 'w') as f: json.dump({'messages': [], 'updated_at': datetime.now().isoformat()}, f, indent=2, ensure_ascii=False) print(f"✓ 已创建短期记忆: {SLIDING_WINDOW_FILE}")
Confidence: 88% confidence
Finding: with open(SLIDING_WINDOW_FILE, 'w') as f:

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill documentation describes capabilities that read environment/configuration and persist data to local files and a vector store, but it does not declare corresponding permissions. That mismatch can cause users or calling systems to underestimate what the skill can access and modify, weakening trust boundaries and review controls.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill persistently stores conversation content in local JSON files, summaries, and a long-term vector database, yet the description does not warn users that their prompts and potentially sensitive data may be retained. This creates a meaningful privacy and data-governance risk because users may disclose secrets or personal information under the assumption that the interaction is ephemeral.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The documentation explicitly demonstrates storing and searching potentially sensitive user memory, including direct personal data such as a user's name and preferences, but provides no notice about consent, retention, access controls, or deletion. In a memory-management skill, this omission can lead developers to persist personal data by default in ways that create privacy, compliance, and data-governance risk.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The integration example passes raw user_message and user_query into a persistent memory subsystem without any warning that the data may be stored, indexed, or later retrieved. In this skill's context, that is materially risky because the feature is specifically designed for long-term persistence and retrieval, increasing the chance of unintentional collection and reuse of sensitive user data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal