Security audit

redis-memory-system

Security checks across malware telemetry and agentic risk

Overview

This is a real memory tool, but it reads raw OpenClaw transcripts across sessions and installs persistent background jobs with too little scoping and consent.

Install only if you intentionally want a persistent local memory system that reads OpenClaw transcript files from disk and stores conversation-derived memory in Redis. Review and narrow SESSIONS_DIR and MEMORY_USERS, inspect crontab after setup, protect Redis, and avoid use with confidential or multi-user sessions unless you add explicit consent, deletion, and access controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Description-Behavior Mismatch

Severity: Medium (96% confidence)
The skill explicitly states that it bypasses session isolation by reading transcript files from the filesystem. Circumventing an isolation boundary undermines a core security control and can expose data from sessions that were meant to remain inaccessible to the current context.

Context-Inappropriate Capability

Severity: High (98% confidence)
The problem/solution section endorses direct filesystem reads of transcript JSONL specifically to overcome session isolation. That makes the capability more dangerous in context, because the design goal is not accidental overreach but intentional circumvention of a boundary intended to prevent cross-session data access.

Context-Inappropriate Capability

Severity: Medium (88% confidence)
Setting up host-level cron jobs and writing flags under /tmp are persistent operational behaviors beyond a typical memory/search feature. These actions create hidden background activity, can affect other workloads on the host, and increase the blast radius if the scripts malfunction or are repurposed.

Intent-Code Divergence

Severity: Medium (84% confidence)
The documentation claims the cron is limited to exec and read tools, while elsewhere describing writes to Redis and heartbeat/locking behavior. This inconsistency obscures the true privilege boundary and may cause reviewers to underestimate the write and persistence capabilities of the automation.

Description-Behavior Mismatch

Severity: Medium (92% confidence)
The installer performs system-level package installation and starts a Redis daemon, which exceeds a typical per-skill setup boundary for a memory utility. This creates unauthorized system modification and background service persistence risk, especially in environments where skills are expected to remain workspace-scoped and non-invasive.

Description-Behavior Mismatch

Severity: Medium (96% confidence)
The script silently modifies the user's crontab to establish ongoing heartbeat execution, creating persistence beyond the immediate installation flow. Persistent scheduled execution is security-relevant and should be explicitly disclosed because it can continue running code after the user forgets the install occurred.

Missing User Warnings

Severity: Medium (94% confidence)
The skill describes automatic transcript ingestion and summary storage without a clear privacy warning or informed-consent mechanism. Because the collected content is conversation history, the context makes this especially sensitive: summaries may contain personal, confidential, or security-relevant information that users did not expect to be persisted across sessions.

Missing User Warnings

Severity: Medium (92% confidence)
The deployment instructions create continuous background processing via cron, but the markdown does not prominently warn that conversation data will be processed on an ongoing basis. Hidden automation is dangerous because it changes the data-handling model from an on-demand command to persistent surveillance-like behavior.

Missing User Warnings

Severity: Medium (90% confidence)
The script reads conversation transcripts from session files, extracts user/assistant dialog, and emits the contents and existing summaries to stdout as JSON. In a multi-user or automated environment, this can expose sensitive conversation data through logs, pipelines, cron output, or callers that invoke `sync` without realizing it returns raw dialog content.

Missing User Warnings

Severity: Medium (89% confidence)
Installing packages and making system changes without an upfront warning or confirmation violates safe setup expectations and increases the chance of surprising privilege use. In practice, users may run the installer assuming it only copies local scripts, while it actually alters the host environment.

Missing User Warnings

Severity: Medium (91% confidence)
Starting Redis as a background daemon and later updating crontab introduces persistence and host-level side effects without explicit prior consent. Background services can consume resources, expose local attack surface, and make behavior harder for users to audit or attribute.

Ssd 3

Severity: High (98% confidence)
The skill instructs automatic reading of conversation transcripts and loading prior user memory across sessions, which creates persistent cross-session profiling behavior. In context, this is especially risky because it combines sensitive conversational data with automatic retrieval on future session starts, expanding exposure without fresh user approval.

Ssd 3

Severity: High (98% confidence)
The architecture directs the system to locate the latest transcript, extract recent dialogue, summarize it, and write it into persistent storage automatically. This pipeline operationalizes continuous collection and transformation of potentially sensitive conversations, making accidental over-collection and privacy violations likely.

Ssd 3

Severity: High (99% confidence)
The document explicitly recommends reading transcript JSONL from the filesystem to overcome session isolation, which is a direct violation of expected containment boundaries. Because the stated purpose is convenience for memory, not security administration, the context makes the bypass less justified and more dangerous.

Ssd 3

Severity: Medium (90% confidence)
Automatically loading recent memory at every new session increases the chance that stale, excessive, or unauthorized prior data is injected into future interactions. While less severe than raw transcript scraping, it still broadens data exposure and should not happen silently for potentially sensitive user information.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.