memory-compact

Security checks across malware telemetry and agentic risk

Overview

This is a local memory backup skill with disclosed file changes, but its documentation overstates safety and should be clearer about privacy and retention.

Install only if you want OpenClaw memory files summarized into long-term MEMORY.md entries and retained in backup/memory, potentially through a daily cron job. Review the generated summaries and backups for sensitive or incorrect content, and do not enable any notification workflow unless you understand where that content will be sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill advertises executable behavior through documented Python and shell usage, including file reads/writes and command execution, but declares no permissions. This creates a trust and review gap: operators may approve the skill believing it has no privileged capabilities while it can still manipulate workspace data and invoke scripts.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding: The documented behavior does not match the claimed purpose: there is no built-in scheduler, no actual compression, and the skill writes/accumulates data into MEMORY.md beyond a simple backup operation. Behavior mismatches are dangerous because they hide persistent data retention and side effects from users and reviewers.

Description-Behavior Mismatch
Severity: Medium
Confidence: 86%
Finding: The documentation says the skill performs local backup and key-point extraction, but its workflow also generates a Feishu notification. Adding an external notification/output channel changes the data exposure model because extracted user content may be surfaced outside the original storage location.

Intent-Code Divergence
Severity: High
Confidence: 97%
Finding: The file contains strong safety assurances such as 'no network requests' and 'no system command execution' while also documenting Feishu notification generation and shell-based execution. Such self-attestations increase suspicion rather than reduce it, because they can mislead users into trusting a skill that has broader data-handling and execution behavior than claimed.

Intent-Code Divergence
Severity: High
Confidence: 92%
Finding: The script's security claims overstate its protections: some writes occur without validating the destination path first, and read_file() performs the safety check only after opening the file. In a workspace where an attacker can plant symlinks or alter expected paths, this can allow reads or writes outside the intended workspace boundary despite the documented restriction.
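The boundary failure described in this finding is easiest to see side by side. The following Python is an added illustration and is not the memory-compact skill's code (the report does not reproduce the skill's implementation). It contrasts a check-after-open pattern that tests the lexical path with a version that resolves symlinks and `..` before any I/O, requires the result to sit under the workspace root, and opens with `O_NOFOLLOW`. The function names, the `WorkspaceEscape` exception and the temporary workspace layout with a planted symlink are constructed assumptions.

```python
"""Workspace-bounded file access: a check-after-open pattern beside a hardened one.

Added example; this is not the memory-compact skill's code. Names and the
constructed workspace layout are assumptions for illustration.
"""
import os
import tempfile
from pathlib import Path


class WorkspaceEscape(Exception):
    """Raised when a requested path does not stay inside the workspace root."""


def read_file_check_after_open(workspace: str, relative: str) -> str:
    """Weak pattern: open first, check second, and check the lexical path only.

    A symlink planted inside the workspace passes the string-prefix test while
    the bytes come from wherever it points; and even a correct check placed
    here would run after the read has already happened.
    """
    path = os.path.join(workspace, relative)
    with open(path) as fh:
        data = fh.read()
    if not os.path.abspath(path).startswith(os.path.abspath(workspace) + os.sep):
        raise WorkspaceEscape(path)
    return data


def resolve_in_workspace(workspace: str, relative: str) -> Path:
    """Resolve symlinks and '..' before any I/O; require the result to be under root.

    An absolute 'relative' overrides the join, so it is rejected by the same test.
    """
    root = Path(workspace).resolve(strict=True)
    target = (root / relative).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise WorkspaceEscape(f"{relative!r} resolves to {target}, outside {root}") from None
    return target


_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)  # flag is absent on Windows


def read_file_safe(workspace: str, relative: str) -> str:
    target = resolve_in_workspace(workspace, relative)
    # O_NOFOLLOW closes the race between resolve() and open() for the final
    # path component only; directory components can still be swapped, so the
    # workspace directory itself must not be writable by untrusted code.
    fd = os.open(target, os.O_RDONLY | _NOFOLLOW)
    with os.fdopen(fd, "r") as fh:
        return fh.read()


def append_file_safe(workspace: str, relative: str, text: str) -> Path:
    """Validate the destination before writing; create with owner-only permissions."""
    target = resolve_in_workspace(workspace, relative)
    fd = os.open(target, os.O_WRONLY | os.O_APPEND | os.O_CREAT | _NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return target


def demo() -> dict:
    """Constructed scenario: a workspace with a symlink pointing at a file outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "outside_secret.txt"
        outside.write_text("TOP SECRET")
        ws = Path(tmp) / "workspace"
        (ws / "memory").mkdir(parents=True)
        (ws / "memory" / "2024-03-01.md").write_text("- decided to ship on Friday\n")
        (ws / "memory" / "planted.md").symlink_to(outside)

        results = {
            "weak_reads_outside": read_file_check_after_open(str(ws), "memory/planted.md") == "TOP SECRET",
            "safe_reads_inside": read_file_safe(str(ws), "memory/2024-03-01.md") == "- decided to ship on Friday\n",
        }
        for name, rel in [("symlink", "memory/planted.md"),
                          ("dotdot", "../outside_secret.txt"),
                          ("absolute", str(outside))]:
            try:
                read_file_safe(str(ws), rel)
                results[f"safe_blocks_{name}"] = False
            except WorkspaceEscape:
                results[f"safe_blocks_{name}"] = True
        append_file_safe(str(ws), "MEMORY.md", "- decided to ship on Friday\n")
        results["append_stays_inside"] = (ws / "MEMORY.md").read_text() == "- decided to ship on Friday\n"
        try:
            append_file_safe(str(ws), "memory/planted.md", "x")
            results["append_blocks_symlink"] = False
        except WorkspaceEscape:
            results["append_blocks_symlink"] = True
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When reviewing a skill that claims a workspace restriction, look for exactly this ordering: the resolved path must be compared against the resolved root before `open()`, and the same helper must guard writes, not only reads.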

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The README documents automatic reading of daily memory files, appending extracted content into a long-term memory file, and creating backups, but it does not clearly warn users about privacy, retention, or the risk of persisting sensitive personal data. Because the skill handles memory content and runs on a schedule, users may unknowingly authorize ongoing collection and duplication of sensitive information.

Ssd 3
Severity: Medium
Confidence: 88%
Finding: The skill is designed to read conversation memory, extract key points, retain them in MEMORY.md, and surface them again in notification output. This is a privacy-relevant data propagation pattern that can expose sensitive user decisions or personal details in additional files and channels beyond the original memory record.

Ssd 3
Severity: Medium
Confidence: 90%
Finding: The workflow explicitly instructs reading stored conversation memory and reproducing user information into both a long-term memory file and a backup location, increasing persistence and spread of potentially sensitive content. The skill context makes this more dangerous because its purpose is recurring automation, so the duplication can happen regularly without per-run user review.

Ssd 3
Severity: Medium
Confidence: 91%
Finding: The example notification shows user decisions being echoed into a notification channel, demonstrating concrete exfiltration of memory-derived content to a broader audience or system. Even if Feishu delivery is only documented and not implemented here, the design intent is to transmit summarized user data outside the original memory file.
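The three Ssd 3 findings above describe one propagation path: key points extracted from daily memory are copied into MEMORY.md, into a backup, and into a notification body. The following Python is an added illustration of a destination-aware gate for that path; it is not the memory-compact skill's code. Points bound for the local long-term file are kept but with sensitive spans redacted, points bound for a notification channel are withheld entirely if they contain anything sensitive, and a merge step prevents a daily run from accumulating duplicates in MEMORY.md. The memory sample, the detector patterns, the `sk-live-` token prefix and the function names are constructed assumptions.

```python
"""Destination-aware handling of extracted key points.

Added example; not the memory-compact skill's code. The memory sample, the
pattern set and the token prefix are constructed assumptions for illustration.
"""
from __future__ import annotations

import re

# Constructed daily memory file in the shape the report describes (bullet key points).
MEMORY_SAMPLE = """\
# 2024-03-02
- Decided to move the nightly build to 02:00 UTC.
- New CI token=sk-live-0123456789abcdefXYZ was issued.
- Contact for vendor escalation is jane.doe@example.com
- Agreed to keep the backup dir at backup/memory.
"""

# Illustrative detectors; a real deployment would tune these to its own data.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "credential": re.compile(r"(?i)\b(?:token|password|api[_-]?key|secret)\b\s*[:=]\s*\S+"),
}


def extract_key_points(memory_text: str) -> list[str]:
    """Take the bullet lines of a daily memory file as its key points."""
    return [line[2:].strip() for line in memory_text.splitlines() if line.startswith("- ")]


def classify(point: str) -> list[str]:
    """Names of the sensitive categories found in one key point (empty if none)."""
    return sorted(name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(point))


def redact(point: str) -> str:
    """Replace each sensitive span with a labelled placeholder."""
    for name, rx in SENSITIVE_PATTERNS.items():
        point = rx.sub(f"[REDACTED:{name}]", point)
    return point


def build_outputs(memory_text: str) -> dict:
    """Split one set of key points by destination.

    MEMORY.md stays on disk in the workspace, so it receives every point, with
    sensitive spans redacted. A notification leaves the workspace, so points that
    carried anything sensitive are withheld from it entirely and only counted.
    """
    points = extract_key_points(memory_text)
    long_term, notification, withheld = [], [], 0
    for point in points:
        if classify(point):
            long_term.append(redact(point))
            withheld += 1
        else:
            long_term.append(point)
            notification.append(f"- {point}")
    if withheld:
        notification.append(f"({withheld} item(s) withheld; see local MEMORY.md)")
    return {"long_term": long_term, "notification": "\n".join(notification), "withheld": withheld}


def merge_into_long_term(existing_memory_md: str, new_points: list[str]) -> list[str]:
    """Skip points already present so a scheduled run does not accumulate duplicates."""
    seen = {line[2:].strip() for line in existing_memory_md.splitlines() if line.startswith("- ")}
    return [p for p in new_points if p not in seen]


if __name__ == "__main__":
    out = build_outputs(MEMORY_SAMPLE)
    print("MEMORY.md entries:", out["long_term"])
    print("notification body:\n" + out["notification"])
```

The asymmetry is deliberate: a redacted line is acceptable in a file that never leaves the workspace, but a channel such as a chat notification has an unknown audience, so the conservative choice is to drop the whole item and report only that something was withheld.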

VirusTotal

66/66 vendors flagged this skill as clean.
