Total Recall

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Total Recall appears to do what it claims, but it automatically monitors conversations, sends them to an LLM, and reuses generated memories in future sessions, so it needs careful review before installation.

Install only if you are comfortable with recent OpenClaw conversation content being summarized by the configured LLM provider and persisted in local memory files. Prefer a trusted or local LLM endpoint, review the setup/observer/watcher scripts before running them, start any dream-cycle behavior in read-only mode, and periodically inspect observations.md so saved memories do not become stale or unsafe instructions.

Static analysis

Prompt injection instructions

Warn
Finding
Prompt-injection style instruction pattern detected.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI07: Insecure Inter-Agent Communication
High
What this means

Private conversation content, including secrets or sensitive user details typed into OpenClaw sessions, may be sent to the configured LLM provider without a per-run confirmation.

Why it was flagged

This shows that recent conversation transcripts are forwarded to an LLM provider as part of the normal automated workflow.

Skill content
Observer reads recent session transcripts (JSONL), sends them to an LLM, and appends compressed observations to `observations.md`
Recommendation

Only install if you trust the configured LLM provider; consider using a local endpoint, limiting the session directory/lookback window, and adding redaction or exclusion rules for sensitive chats.

ASI06: Memory and Context Poisoning
Medium
What this means

A bad or manipulated observation could persist across sessions and affect future agent behavior even after the original conversation is gone.

Why it was flagged

Automatically generated observations are intended to be reloaded into future agent context, potentially giving durable influence to inaccurate, stale, or maliciously induced memories.

Skill content
Add to your agent's workspace context (e.g., `MEMORY.md` or system prompt):
``At session startup, read `memory/observations.md` for cross-session context.``
Recommendation

Treat observations.md as untrusted memory, review it periodically, avoid placing it above user/system instructions, and add explicit guidance that saved memories must not override current user intent or safety rules.

ASI10: Rogue Agents
Low
What this means

The skill may continue reading sessions, calling an LLM, writing logs, and incurring provider costs until its cron jobs or watcher service are disabled.

Why it was flagged

The skill is designed to keep operating through scheduled jobs and a watcher daemon. This is disclosed and purpose-aligned, but it is persistent background behavior.

Skill content
Layer 1: Observer (cron, every 15-30 min) ... Layer 4: Reactive Watcher (inotify daemon, Linux only)
Recommendation

Before enabling, confirm where cron/systemd entries are installed and keep clear disable/uninstall steps for the watcher and scheduled jobs.

ASI02: Tool Misuse and Exploitation
Low
What this means

During compaction, the agent may run shell commands and write session summaries without asking again.

Why it was flagged

The compaction hook can automatically execute the observer script and write memory files. The command is scoped to the skill's purpose, but it is still automatic tool use.

Skill content
Step 1: Run the observer in flush mode ... exec: bash ~/your-workspace/skills/total-recall/scripts/observer-agent.sh --flush ... Step 2: Regardless of whether the observer succeeded, write a brief summary
Recommendation

Enable the hook only after reviewing the observer script and confirming the output paths; consider testing with read-only or dry-run settings first.

ASI03: Identity and Privilege Abuse
Low
What this means

Users may be surprised that the skill needs a provider API key and can incur LLM usage costs.

Why it was flagged

The skill requires an LLM API key for its normal operation, while the registry summary says no required env vars or primary credential. This appears purpose-aligned, but users should not miss the credential and billing implication.

Skill content
OPENROUTER_API_KEY ... label: "OpenRouter API key (for LLM calls)" ... required: true
Recommendation

Declare the credential clearly in registry metadata and use a dedicated, least-privilege provider key where possible.