OpenClaw Memory Format

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only memory-format skill with disclosed local persistence behavior, not an executable or hidden data-moving tool.

Before installing, treat MEMORY.md and daily memory files as persistent local records. Avoid storing secrets, credentials, or sensitive personal data there, and periodically review or delete memory files if your workspace contains private information.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill documents that conversation-derived data is automatically written to persistent memory files when context is full, but it does not warn about retention, sensitivity, consent, or review boundaries. This creates a real privacy and data-governance risk because user prompts, secrets, internal paths, or confidential work details could be stored on disk and later surfaced through memory tools or future sessions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal