Security audit

Monica Memory Manager

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local memory-management skill, but users should understand it intentionally stores conversation content persistently on disk.

Install only if you want an agent to retain local memories across conversations. Set WORKSPACE_DIR to the intended OpenClaw workspace before use, avoid storing secrets or regulated personal data, periodically review/delete the memory directory, and install ChromaDB only from a trusted source if you enable long-term memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Tainted flow: 'config_json' from os.environ.get (line 74, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    """Save the configuration file."""
    # Use JSON instead of YAML to reduce dependencies
    config_json = CONFIG_FILE.with_suffix('.json')
    with open(config_json, 'w') as f:
        json.dump(config, f, indent=2, ensure_ascii=False)
    print(f"✓ 已保存配置: {config_json}")
Confidence
87% confidence
Finding
with open(config_json, 'w') as f:

Tainted flow: 'SLIDING_WINDOW_FILE' from os.environ.get (line 28, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
data['messages'] = messages
    data['updated_at'] = datetime.now().isoformat()
    
    with open(SLIDING_WINDOW_FILE, 'w') as f:
        json.dump(data, f, indent=2, ensure_ascii=False)
    
    print(f"✓ 已添加短期记忆,当前窗口: {len(messages)}/{window_size}")
Confidence
88% confidence
Finding
with open(SLIDING_WINDOW_FILE, 'w') as f:

Tainted flow: 'summary_file' from os.environ.get (line 146, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
}
    data['summaries'].append(new_summary)
    
    with open(summary_file, 'w') as f:
        json.dump(data, f, indent=2, ensure_ascii=False)
    
    print(f"✓ 已添加中期记忆: {summary_file}")
Confidence
87% confidence
Finding
with open(summary_file, 'w') as f:

Tainted flow: 'SLIDING_WINDOW_FILE' from os.environ.get (line 28, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    add_medium_term_memory(summary, 'auto-summary')
    
    # Clear short-term memory (optional)
    with open(SLIDING_WINDOW_FILE, 'w') as f:
        json.dump({'messages': [], 'updated_at': datetime.now().isoformat()}, f, indent=2, ensure_ascii=False)
    
    print(f"✓ 摘要生成完成,已归档 {len(short_memories)} 条短期记忆")
Confidence
89% confidence
Finding
with open(SLIDING_WINDOW_FILE, 'w') as f:

Tainted flow: 'SLIDING_WINDOW_FILE' from os.environ.get (line 28, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    # Create the short-term memory file
    if not SLIDING_WINDOW_FILE.exists():
        with open(SLIDING_WINDOW_FILE, 'w') as f:
            json.dump({'messages': [], 'updated_at': datetime.now().isoformat()}, f, indent=2, ensure_ascii=False)
        print(f"✓ 已创建短期记忆: {SLIDING_WINDOW_FILE}")
Confidence
88% confidence
Finding
with open(SLIDING_WINDOW_FILE, 'w') as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation describes capabilities that read environment/configuration and persist data to local files and a vector store, but it does not declare corresponding permissions. That mismatch can cause users or calling systems to underestimate what the skill can access and modify, weakening trust boundaries and review controls.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill persistently stores conversation content in local JSON files, summaries, and a long-term vector database, yet the description does not warn users that their prompts and potentially sensitive data may be retained. This creates a meaningful privacy and data-governance risk because users may disclose secrets or personal information under the assumption that the interaction is ephemeral.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation explicitly demonstrates storing and searching potentially sensitive user memory, including direct personal data such as a user's name and preferences, but provides no notice about consent, retention, access controls, or deletion. In a memory-management skill, this omission can lead developers to persist personal data by default in ways that create privacy, compliance, and data-governance risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The integration example passes raw user_message and user_query into a persistent memory subsystem without any warning that the data may be stored, indexed, or later retrieved. In this skill's context, that is materially risky because the feature is specifically designed for long-term persistence and retrieval, increasing the chance of unintentional collection and reuse of sensitive user data.

VirusTotal

66/66 vendors flagged this skill as clean.