Persistent Agent Memory 1.0.1

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate persistent memory skill, but it needs review because it stores memories with a third-party service and the documented helper scripts are missing from the package.

Install only after verifying where the missing coral_* helper scripts are supposed to come from. Use a dedicated Coral API key, avoid storing secrets, credentials, regulated personal data, or confidential business data, and periodically delete memories because they persist and may be recalled in later sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly enables sending user-provided memories to an external Coral Bricks service and states that those memories persist across sessions, but it does not present a clear user-facing warning at the point of use about third-party transmission and retention. This creates a meaningful privacy and data-handling risk because an agent may store sensitive user or business information externally without sufficiently informed consent or visibility.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: persistent-agent-memory
description: "Add persistent memory to any agent so it can remember prior work, maintain context across sessions, and continue long-running workflows."
metadata:
  {
    "openclaw":
Confidence
87% confidence
Finding
maintain context across sessions

VirusTotal

65/65 vendors flagged this skill as clean.
