OpenClaw Memory (Brain)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local memory plugin, but it can persist conversation content and expose the memory store through unauthenticated read/export interfaces.

Review before installing in any workspace with sensitive or shared conversations. Use it only where command/tool callers are trusted, keep secret redaction enabled, prefer explicit-trigger capture, configure channel allowlists or defaultPolicy=skip, set a retention period or TTL, and treat exports as sensitive backups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Severity: Medium; confidence: 90%
Finding:
The README's 'no external transmission' claim is misleading because the plugin explicitly exposes stored memory through slash commands and an AI-callable search tool. Even if data stays on the local host, it is still transmitted across trust boundaries to users, agents, or other components that invoke those interfaces, which can lead to unintended disclosure of sensitive memory contents.

Intent-Code Divergence

Severity: Medium; confidence: 79%
Finding:
The documentation creates a security-relevant contradiction: it says redaction never stores matched secret values, yet import/export preserves full MemoryItem objects with all fields. If any ingestion path bypasses redaction, or imported items contain unredacted secrets, the plugin could persist and re-export sensitive data despite the safety claim.

Description-Behavior Mismatch

Severity: High; confidence: 95%
Finding:
The /export-brain command returns the full stored memory corpus, including text, tags, source metadata, and any retained sensitive content, while explicitly setting requireAuth: false. In a plugin designed for personal memory capture, unauthenticated bulk export creates a straightforward data-exfiltration path for anyone who can invoke commands.

Missing User Warnings

Severity: Medium; confidence: 82%
Finding:
The auto-capture hook stores inbound messages that may contain PII or secrets, but the feature description does not prominently warn users that normal conversation content can be persisted. In a personal memory plugin, this raises privacy and consent risks because users may not realize triggered messages are being stored for later search and export.

Missing User Warnings

Severity: High; confidence: 93%
Finding:
The plugin automatically stores inbound message content based on topic/trigger heuristics without explicit per-message consent, user warning, or strong default restrictions. Because this is a personal-memory system, silently persisting conversational content can capture sensitive data and make it retrievable later through other commands/tools.

Missing User Warnings

Severity: Medium; confidence: 88%
Finding:
The export command emits a full JSON dump of stored memories with no explicit warning that the response may contain highly sensitive personal information. In practice, this increases the chance of accidental disclosure, especially because the command is also unauthenticated.

Missing User Warnings

Severity: Medium; confidence: 90%
Finding:
The manifest explicitly advertises automatic personal-memory capture, semantic recall, retention, and storage to a local JSONL path, but it does not present any clear user-facing privacy warning, consent language, or notice about what data may be stored and for how long. In a memory plugin, this increases the risk of users unknowingly persisting sensitive personal or conversational data, especially because capture can default to enabled and the channel default policy is set to capture.

Missing User Warnings

Severity: Medium; confidence: 87%
Finding:
The tests explicitly validate that auto-capture stores messages from all channels by default, which creates a privacy risk because users may not realize their messages are being persisted. In a memory plugin, silent cross-channel collection increases the chance of retaining sensitive or regulated content from contexts where storage was not intended.

Missing User Warnings

Severity: High; confidence: 95%
Finding:
The tests confirm that when redactSecrets is false, credentials such as API keys are stored verbatim and retrievable via search/export flows. Persisting secrets in a long-lived memory store materially increases exposure through unauthorized access, accidental export, logs, backups, or later prompt/tool disclosure.

Ssd 3

Severity: High; confidence: 98%
Finding:
Stored memory contents are exposed through unauthenticated interfaces: /export-brain is explicitly unauthenticated, and the file also defines unauthenticated listing and search commands over the same corpus. That means any caller with command access can enumerate and exfiltrate accumulated personal data, which is especially dangerous given automatic message capture.

Ssd 3

Severity: High; confidence: 94%
Finding:
Automatic capture ingests user-provided inbound conversation content into persistent storage for later search, listing, and export. In the context of a memory plugin, this materially increases privacy risk because ordinary conversation text may be retained and subsequently disclosed through weakly protected retrieval paths.

VirusTotal

No VirusTotal findings