Back to skill

Security audit

Three Tier Memory

Security checks across malware telemetry and agentic risk

Overview

This is a real memory-management skill, but it stores conversation data persistently and can send it to an external LLM using a locally stored API key without clear opt-in controls.

Review before installing. Use it only if you intentionally want persistent AI memory, confirm whether any hook is actually installed or enabled, avoid storing secrets or personal data, and assume summaries may be sent to BigModel/Zhipu using an API key from your OpenClaw config unless you disable or modify that behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation advertises capabilities that imply environment access, file read/write, and optional network-backed components, but no explicit permissions model is declared. This creates a trust gap: an agent may invoke the skill with broader access than users expect, reducing transparency and making misuse or overcollection harder to detect.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The summarization routine reaches into an unrelated user config file in the home directory to harvest API credentials, creating hidden coupling between this skill and broader user secrets. This expands the secret-access scope of the script beyond its apparent memory-management role and can cause sensitive conversation data to be transmitted externally using credentials the user did not explicitly provide for this feature.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation guidance is very broad—covering conversation history, summarization, retrieval, and personal knowledge bases—so an agent could invoke this skill in many contexts without clear necessity or user consent. In a memory-management skill, vague activation criteria are especially risky because unnecessary invocation can lead directly to retention of sensitive conversation content.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation states that an OpenClaw hook automatically saves memory at session end and triggers summaries when the window fills, but it does not present a clear privacy notice, retention policy, or consent mechanism. Automatic capture of whole-session content is dangerous because conversations often contain credentials, personal data, or confidential business information that users did not intend to persist.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation explicitly demonstrates storing personally identifiable information (an email address) in long-term memory and describes that tier as persistent vector storage, but provides no warning about privacy, retention, consent, or access controls. In a memory-management skill, this normalizes retaining sensitive user data indefinitely, which can lead to privacy violations, accidental disclosure through retrieval, and noncompliance with data-handling requirements.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code sends accumulated conversation content to a third-party LLM API without an explicit warning, opt-in, or confirmation at the point of transmission. Because the stored messages may contain personal data, secrets, or sensitive workflow details, this creates a real data-exfiltration/privacy risk that is amplified by the memory-manager context.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill explicitly describes automatic session-wide memory capture in natural language, which increases the chance that agents will retain broad swaths of user dialogue by default. In the context of a memory skill, this is more dangerous than generic logging because the retained data is intended for later retrieval and reuse, amplifying privacy leakage and unauthorized resurfacing of sensitive information.

Ssd 3

Medium
Confidence
98% confidence
Finding
The example command explicitly stores a user's email address in long-term memory, normalizing retention of personally identifiable information in a persistent store. This is dangerous because examples shape agent and developer behavior; in a long-term vector store, PII may become searchable, rediscoverable across sessions, and difficult to fully delete.

Ssd 3

Medium
Confidence
91% confidence
Finding
The summary prompt explicitly asks the model to retain user preferences and settings from prior messages, encouraging persistence of potentially sensitive personal or operational data. In a memory-management skill, this increases privacy risk and can cause unnecessary long-term retention and later retrieval of data that users may not expect to be extracted and stored in summaries.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal