Security audit

Session Memory Flush

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it needs review because it persistently scans private OpenClaw sessions and may send transcript contents to an LLM provider.

Install only if you want a recurring background process to scan all OpenClaw-visible sessions, summarize transcripts, write memory files, and potentially send transcript text to your configured LLM provider. Use a trusted endpoint and least-privilege key, run the dry-run first, inspect the generated systemd timer or crontab, and uninstall it when you no longer want automatic scanning.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (6)

Tainted flow: 'cmd' from os.environ.get (line 273, credential/environment) → subprocess.run (code execution)

Medium

Category: Data Flow
Content: raise RuntimeError("openclaw command not found; set OPENCLAW_BIN to the absolute path") cmd = [openclaw_bin, "sessions", "--all-agents", "--json"] proc = subprocess.run( cmd, text=True, stdout=subprocess.PIPE,
Confidence: 86% confidence
Finding: proc = subprocess.run( cmd, text=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=False, )

Tainted flow: 'req' from os.environ.get (line 614, credential/environment) → urllib.request.urlopen (network output)

Critical

Category: Data Flow
Content: method="POST", ) try: with urllib.request.urlopen(req, timeout=60) as resp: data = json.loads(resp.read().decode("utf-8")) except (urllib.error.URLError, TimeoutError, json.JSONDecodeError): return None
Confidence: 98% confidence
Finding: with urllib.request.urlopen(req, timeout=60) as resp:

Tainted flow: 'req' from os.environ.get (line 614, credential/environment) → urllib.request.urlopen (network output)

Critical

Category: Data Flow
Content: method="POST", ) try: with urllib.request.urlopen(req, timeout=90) as resp: body = resp.read().decode("utf-8", errors="replace") except (urllib.error.URLError, TimeoutError): return None
Confidence: 98% confidence
Finding: with urllib.request.urlopen(req, timeout=90) as resp:

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill explicitly describes capabilities to read session transcripts, access environment/config, write memory files, invoke shell commands, and send transcript content to an LLM provider, yet it declares no permissions. That mismatch creates a real security risk because operators and policy engines cannot accurately assess or constrain the skill’s access, and sensitive transcript data may be exfiltrated or modified under a misleadingly low-trust manifest.

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The description and usage language make the skill applicable to many session types and lifecycle moments without strong trigger constraints or operator confirmation. Because the skill reads visible sessions and their transcripts, broad invocation increases the chance of unintended collection, summarization, and persistence of sensitive context from sessions that the user did not intend to flush.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill transmits session transcripts to an external LLM service without any user-facing disclosure or consent flow in this file. Given the stated purpose of summarizing multiple sessions before reset, the data can include high-value contextual memory, making silent export materially risky.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.