OpenClaw Memory (Docs)

Security checks across malware telemetry and agentic risk

Overview

This is a local documentation-memory plugin with disclosed save, search, delete, import, and export behavior; exports need careful handling because they can contain sensitive notes.

Install only where command/tool callers are trusted to read the stored documentation memories. Do not rely on pattern-based redaction for highly sensitive secrets, and export only to trusted directories that will not be unintentionally committed, synced, or backed up.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The export feature writes stored memory text into markdown files, which can increase exposure if users later commit, sync, share, or back up that directory without realizing it contains potentially sensitive notes. Although the plugin mentions optional secret redaction, redaction is pattern-based and cannot guarantee removal of all confidential content, so exported files may still leak sensitive project information.

VirusTotal

No VirusTotal findings

View on VirusTotal