Security audit

Viking 记忆系统

Security checks across malware telemetry and agentic risk

Overview

This memory skill is coherent, but it can automatically retain private conversations, share them across agents, and send memory text to a hard-coded embedding service without enough user controls.

Install only if you intentionally want persistent shared memory across agents. Before enabling it, disable Feishu autosave and cron unless needed, restrict the agent list, point OLLAMA_HOST to a trusted local endpoint, avoid storing passwords or tokens, and keep backups of memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (49)

Context-Inappropriate Capability (Medium, 96% confidence)

The skill documents continuous monitoring (`monitor`) and session-end hooks that automatically capture and persist conversation content into long-term memory. In a memory workflow, this expands scope from user-directed storage to passive collection, creating a real risk of retaining secrets, personal data, and unrelated conversational material without explicit per-event consent.

Context-Inappropriate Capability (Medium, 96% confidence)

The script sends search queries to an embedding endpoint over plain HTTP and to a host that is configurable, defaulting to a private-network address. Even if intended for a local/self-hosted Ollama instance, this still transmits potentially sensitive user input off-process and without transport protection, enabling interception or unintended disclosure in shared or remote environments.

Intent-Code Divergence (Low, 86% confidence)

The comment claims special characters are removed, but the implementation only strips newlines, double quotes, and repeated spaces before transmitting file content externally. This mismatch can create a false sense of safety and leaves sensitive or control-relevant content largely intact, increasing the chance of accidental data exposure or malformed downstream processing.

Context-Inappropriate Capability (Medium, 91% confidence)

The script invokes an external agent binary to process session data, which expands the trust boundary from a local shell script to a separate LLM/agent component with potentially different execution, networking, and data-handling behavior. In a memory pipeline, session transcripts can contain sensitive information, so sending them to another agent without strict controls creates a real confidentiality and supply-chain risk even if the feature is intended for summarization.

Missing User Warnings (Medium, 95% confidence)

The skill explicitly advertises automatic saving of Feishu group chat sessions but does not include any privacy notice, consent requirement, retention policy, or warning about collecting potentially sensitive third-party communications. In an agent environment, this can lead to silent capture and storage of private or regulated data from group chats, increasing legal, privacy, and confidentiality risk.

Missing User Warnings (Medium, 94% confidence)

The documentation states that memory can be shared across agents via a global workspace, but it does not warn that data entered in one agent may become visible to others. This creates a realistic risk of unintended data exposure, cross-context leakage of secrets, and privilege boundary erosion if multiple agents operate with different purposes or trust levels.

Missing User Warnings (Low, 82% confidence)

The skill describes automatic demotion and forgetting with LLM-based compression, but does not warn users that stored memory may be altered, summarized inaccurately, or removed over time. This can cause integrity issues, loss of important context, and unsafe reliance on memory content that is no longer complete or faithful to the original.

Vague Triggers (Medium, 87% confidence)

The manifest advertises automatic saving of Feishu group chat sessions and memory management, but it does not define clear capture boundaries, consent requirements, or scope limitations. In a memory/chat skill, this ambiguity can lead to over-collection of sensitive conversation data, especially if users or operators assume only limited events are persisted.

Missing User Warnings (High, 94% confidence)

The description explicitly mentions automatic saving of group chat sessions, yet there is no visible warning in the manifest about privacy impact, consent, or handling of captured data. Because this skill is designed to store conversational memory and can integrate with Feishu, silent or poorly disclosed capture could expose personal, confidential, or regulated information.

Vague Triggers (High, 98% confidence)

The auto-save trigger keywords are extremely broad and map to ordinary work conversation, making accidental persistence of routine chat highly likely. Because the skill is designed for long-term memory retention, these triggers can sweep up sensitive operational details, credentials, personal information, or internal discussions far beyond user intent.

Missing User Warnings (High, 97% confidence)

The skill enables automatic memory saving of conversation and session summaries but does not warn users that sensitive or personal data may be permanently retained. This omission undermines informed consent and increases the chance that high-risk data will be silently stored and later searchable across the memory system.

Missing User Warnings (Medium, 91% confidence)

The embedding step sends memory content to an embedding model, but the skill does not warn that stored text is processed by another model component and indexed for semantic search. Even if local, this changes the exposure surface of sensitive content; if remote or externally configured, it may also transmit confidential data outside the immediate storage boundary.

Missing User Warnings (Medium, 95% confidence)

The save path persists session summaries to long-term memory immediately, without any user-facing confirmation, warning, or consent gate. In an agent context, this can silently retain sensitive conversation content and create privacy, compliance, and data exposure risks if secrets, personal data, or business information are included in summaries.

Missing User Warnings (Medium, 97% confidence)

The embed operation transmits up to 2000 characters of file content to the embedding service without any user-facing warning, confirmation, or disclosure. In a memory pipeline, files may contain secrets, personal data, or internal notes, so silent external transmission creates a meaningful confidentiality risk.

Missing User Warnings (Low, 94% confidence)

User queries are sent to the embedding service with no explicit disclosure. Queries may contain sensitive search terms, incident details, credentials, or personal information, so silently forwarding them can violate user expectations and leak data.

Missing User Warnings (Medium, 89% confidence)

The rebuild path unconditionally deletes the existing vector index before reconstructing it, with no confirmation, backup, or safety checks. This can cause accidental data loss and service disruption if the workspace is wrong, rebuild fails partway, or the command is triggered unintentionally.

Missing User Warnings (Medium, 95% confidence)

The script transmits session file contents to an external/local LLM agent without any user-facing warning, consent prompt, or data classification guard. Session logs often contain credentials, personal data, internal discussions, or other secrets, so undisclosed forwarding to another component materially increases privacy and data-exposure risk.

Missing User Warnings (Medium, 86% confidence)

The script locates per-agent session transcript files and passes them into an LLM-based summarization step, which can expose sensitive conversation content to another processing component without explicit consent controls, redaction, or notice. In a memory-management pipeline, those transcripts may contain secrets, personal data, or internal operational details, so automated secondary processing expands the data exposure surface.

Missing User Warnings (Medium, 87% confidence)

The script delegates broad, file-modifying memory-tier downgrade operations to an LLM-driven local agent using only natural-language instructions, with no dry-run, confirmation, path validation, or safeguards on what files may be rewritten. In this context, the agent is instructed to scan user memory directories and update files, so prompt misinterpretation, agent compromise, or unexpected tool behavior could cause silent data corruption or destructive changes across multiple memory stores.

Missing User Warnings (Medium, 93% confidence)

The script sends session content and memory content to an embedding service over HTTP, and the default endpoint is a private-network IP rather than an explicitly local Unix socket or localhost-only loopback service. This can expose potentially sensitive conversation data and stored memories to interception, unintended retention, or processing by an external service without clear user disclosure or consent.

Missing User Warnings (Medium, 95% confidence)

The README explicitly promotes automatic saving and cross-agent/shared memory access, but it does not describe consent, notice, data minimization, or access controls. In an agent system, retaining and sharing conversation-derived memory across agents can expose sensitive user data beyond the original interaction scope.

Missing User Warnings (High, 97% confidence)

The Feishu group chat feature describes automatically detecting session end and saving group chat memory after inactivity, but it does not mention participant consent, visibility, or safeguards for multi-user conversations. This creates a substantial risk of silently capturing and persisting sensitive messages from multiple people who may not expect retention.

Missing User Warnings (Medium, 84% confidence)

The code automatically executes an external shell script after inactivity without any explicit user notice, consent, or trust boundary checks. In a skill context, this can cause silent persistence, export, or processing of conversation data via ~/.openclaw/skills/memory-pipeline/scripts/memory-session-hook.sh, increasing the risk of privacy violations or unintended command execution side effects.

Missing User Warnings (Medium, 92% confidence)

The document explicitly promotes automatic extraction and persistence of Feishu group chat content into a memory system, but it does not clearly warn users about privacy, consent, retention, or handling of potentially sensitive conversation data. In this context, the omission is security-relevant because the feature operates on real communications data and could cause unanticipated collection and long-term storage of private or regulated information.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document states that session timeout triggers execution of a local hook script, but it does not clearly communicate that enabling the integration causes automatic local script execution with the permissions of the Feishu/OpenClaw process. That creates risk because users may enable the feature without understanding that a script path can be invoked automatically, potentially expanding the attack surface and enabling unsafe modifications or abuse of the hook mechanism.

VirusTotal

66/66 vendors flagged this skill as clean.