Memory Tools

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local memory plugin with real privacy and prompt-context risks, but its behavior is coherent with its purpose and the higher-impact features are opt-in.

Install only if you want OpenClaw to keep local plaintext memories. Avoid storing secrets, handle exports as sensitive files, periodically review or delete memory files, keep autoInjectInstructions off unless you trust the instruction memories, and use a patched OpenClaw/QMD environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The stated purpose emphasizes agent-controlled memory storage/retrieval without auto-capture noise, but the documentation also reveals additional behaviors: pre-injecting stored instructions into context, automatic legacy migration, and administrative CLI functions. This mismatch can undermine informed consent and security review because behavior that changes prompt context or imports old data may be enabled or overlooked by operators.

Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding: When enabled, the plugin automatically prepends previously stored 'instruction' memories to every new agent session as trusted context. This creates a persistent prompt-injection channel: any unsafe, stale, or attacker-influenced instruction stored earlier can silently affect future behavior despite the product claiming agent-controlled/no-auto-capture semantics.

Missing User Warnings
Severity: Medium
Confidence: 81%
Finding: The README encourages exporting and directly reading memory files, which likely contain sensitive user data such as preferences, instructions, contacts, and contextual history, but does not warn about confidentiality risks. In a memory plugin, normalization of raw file access can lead users to expose private data through shell history, redirected files, backups, screen sharing, or insecure handling of exported JSON.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The skill persistently stores user memories in readable local markdown files, potentially including sensitive personal data, preferences, relationships, and standing instructions, yet the description does not prominently warn users about privacy and retention risks. In this context, that omission matters because a memory tool is specifically designed to accumulate long-lived, potentially sensitive information that could later be exposed through local compromise, backups, exports, or unintended agent retrieval.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The export command dumps all memories as formatted JSON directly to stdout with no warning, confirmation, redaction, or access gating visible here. Because this plugin stores long-lived agent memories that may include sensitive instructions, facts, or preferences, accidental terminal logging, shell history capture, or operator misuse can expose the full memory corpus.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The forget-by-query path can permanently delete a memory based on fuzzy/semantic search heuristics, exact substring inclusion, or a 'clear winner' score gap without requiring explicit user confirmation. In a memory-management skill, deletion is a legitimate feature, but automatic destructive action on ambiguous search results creates a real integrity risk because the agent or a prompt-injected instruction could remove the wrong memory silently.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: During storage, the tool may automatically delete an existing memory when semantic similarity is moderately high and the category matches, treating it as conflicting information. That is dangerous because semantic similarity is imperfect: an attacker-controlled prompt or normal ambiguity could cause unintended replacement of valid memories, leading to silent loss or corruption of stored user state.

Ssd 3
Severity: Medium
Confidence: 94%
Finding: Persisted natural-language 'instruction' memories are injected into future sessions as trusted standing instructions, which can include secret material, manipulation attempts, or instructions to exfiltrate data later. In a memory plugin, this is especially dangerous because it turns untrusted stored content into privileged prompt context across sessions, enabling durable prompt injection and unintended data leakage.

Ssd 1
Severity: Medium
Confidence: 90%
Finding: The code creates persistent standing instructions that survive across sessions and are prepended before the agent starts, allowing previous user-authored text to influence future decisions. This undermines session isolation and can semantically compete with higher-priority safeguards or steer the agent in unsafe ways over time.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal