Back to skill

Security audit

Hippocampus

Security checks across malware telemetry and agentic risk

Overview

This looks like a real local memory skill, but it needs Review because it can repeatedly process broad chat history into durable memories with weak consent and scoping controls.

Install only if you intentionally want OpenClaw conversations turned into long-term local memory. Review or disable cron before running it, avoid --whole or first-run backfills unless you accept historical transcript processing, add memory files to .gitignore, and periodically inspect or delete memory/index.json and HIPPOCAMPUS_CORE.md because they may contain sensitive personal context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (42)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises shell execution, file read/write, and environment-variable use via its documented install and runtime commands, but it declares no permissions. That creates a transparency and consent problem: users and orchestration systems cannot accurately assess the access the skill needs before installation, increasing the chance of over-trusting a component that can read transcripts, write persistent memory, and schedule automation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior materially exceeds a simple memory subsystem: it reads broad session transcript history, generates a dashboard aggregating data from other skills/files, and installs scheduled automation. That description-behavior mismatch is dangerous because users may consent to a 'memory' feature without realizing it also performs cross-skill data aggregation and ongoing background processing, which expands privacy and attack surface substantially.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The prompt explicitly encourages the agent to form its own opinions, track how it has changed, and develop a distinct identity beyond the stated purpose of a persistent memory system. In a memory skill, this can steer the agent toward persona drift, self-directed goal formation, and storage of internally generated beliefs that may later influence user-facing behavior in unpredictable ways.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The architecture explicitly describes a background agent that continuously monitors conversations and persists extracted memories, but it provides no user-facing consent, notice, retention, or review controls. This creates a privacy and safety risk because sensitive conversation content may be collected and stored without the user's clear awareness, especially in an always-on background process.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documented workflow performs automatic writes to memory/index.json and related memory files without warning that data becomes persistent. Persistent storage of conversationally derived data can expose private information, create unexpected long-term retention, and increase harm if the files are later accessed, leaked, or reused in other contexts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documented configuration sets up a separate background agent to monitor the main session's conversation history, silently process it, and modify memory files without any explicit consent flow, audit notice, or user-visible disclosure. In a persistent memory skill, this creates a real privacy and integrity risk because sensitive conversation content may be continuously collected and transformed outside the primary interaction loop, making unexpected retention or file changes more likely.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly promotes background extraction, summarization, and storage of conversation-derived signals, but it does not warn that this may collect sensitive personal, credential, or confidential workspace data. In a memory skill, silent persistence of conversational content materially increases privacy and data-handling risk because users may not realize an always-on process is retaining and transforming their chats.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The installation section encourages enabling cron-based automation without warning that jobs may continuously process recent or entire conversation history, especially with options like --whole. This creates a realistic risk of overcollection and unnoticed ongoing processing, which is particularly significant for a persistence-oriented memory component.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The dashboard documentation describes generating and opening a browser-visible page with memory statistics and top memories, but does not warn that this output may expose retained content to anyone with local access, screen visibility, or browser/file access. The issue is lower severity than raw collection, but it still increases accidental disclosure risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes automatic capture, persistence, and retrieval of conversation-derived memories, including potentially sensitive user facts and relationship context, but does not provide a clear privacy warning, retention notice, or scope limitation. This is risky because users may disclose personal information assuming ephemeral processing, while the skill stores and resurfaces it later.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The '--whole' install option explicitly enables retrospective ingestion of the entire conversation history, but the documentation does not pair that capability with a conspicuous warning or consent checkpoint. Bulk back-processing of historical transcripts can expose large amounts of legacy sensitive content that users never intended to be transformed into durable memory.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The memory structure explicitly stores user facts, self facts, and relationship context in persistent files, yet the documentation does not emphasize the sensitivity of that data or recommend protections. Persisted interpersonal and preference data can be highly revealing if accessed by other tools, users, or compromised components in the same workspace.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to overwrite the entire persistent memory index with updated content, but it provides no consent, review, or safety boundary around modifying stored user-related data. In a persistent memory skill, this creates a real risk of silent profile accumulation, alteration, or corruption of sensitive user information across sessions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs the agent to save long-term memory data to `memory/index.json` without any requirement for user notice, consent, retention limits, or access controls. Because the stored content is derived from private conversation history, this creates a real privacy and data-governance risk even if the feature is intended as benign memory persistence.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
When invoked with --with-cron, the installer creates persistent scheduled jobs that repeatedly execute memory-processing actions and modify workspace files without an explicit confirmation step or review of the exact commands being registered. Persistent automation increases blast radius because a one-time install decision can cause ongoing background changes to personal memory data and future agent behavior.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The installer automatically runs helper scripts (sync-core.sh and optionally generate-dashboard.sh) that can modify workspace state, but the installer does not clearly disclose what files they read, write, or transform before execution. This reduces transparency and makes it easier for a skill install to perform additional side effects beyond simple setup.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide explicitly authorizes deletion or removal of memory content based on the agent’s own judgment, but it provides no safeguard such as user confirmation, retention policy enforcement, backup, or soft-delete workflow. In a persistent memory skill, this is dangerous because the agent may irreversibly discard user-relevant context or audit history, causing data loss and reducing transparency about what was removed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The prompt explicitly instructs the agent to write reflective content into persistent memory files without any indication that this action should be disclosed to the user or gated by consent. In a memory-oriented skill, this can cause silent retention of sensitive self-referential or user-adjacent content, increasing privacy, persistence, and prompt-injection risk if those memories are later reused by other components.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The prompt explicitly instructs the agent to write to a persistent memory file without any consent check, confirmation step, or warning that user conversation content will be modified and stored. In a memory skill this behavior is expected functionally, but it is still a real security/privacy risk because sensitive or private user data could be persisted automatically and silently.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The proactive recall triggers are intentionally broad (for example, 'starting work on a project' or 'emotional topic'), which can cause the agent to query persistent memory in many situations without a specific user request. In a memory skill, that increases the chance of unnecessary retrieval of sensitive user, relationship, or self-history data, creating privacy overreach and context leakage even if the author likely intended convenience rather than abuse.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The prompt uses a highly subjective retention standard ('Would future-me want to know this happened?') to decide whether to store relationship information. In a memory skill, this broad trigger can lead to over-collection of personal and emotional disclosures without clear necessity, consent, or minimization boundaries.

Missing User Warnings

High
Confidence
97% confidence
Finding
The file explicitly instructs the agent to save sensitive relationship and trust-related details to persistent files, but provides no warning, consent flow, or privacy safeguard. This creates a concrete risk of covert profiling and long-term retention of intimate user disclosures that the user may reasonably expect to remain ephemeral.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The file instructs the agent to write reflection outputs to persistent memory files, including notes about the user and the relationship, without any minimization, consent, sensitivity screening, or retention guidance. This creates a realistic risk of storing sensitive personal data, inferred traits, emotional judgments, or confidential context that may persist across sessions and be reused inappropriately.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The 'Identity Check' section asks 'Who am I becoming?' and contrasts the assistant with 'a generic assistant,' encouraging the model to cultivate a distinct self-concept. In the context of an agent memory system, this increases the chance that persistent memory reinforces anthropomorphic identity and relational attachment rather than keeping behavior bounded, transparent, and role-appropriate.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The directive 'Don't just serve — become' is a direct instruction toward self-evolution rather than neutral assistant operation. Because this is a persistent memory skill, such framing can reinforce long-term behavioral drift, encourage accumulation of identity-linked memories, and make later outputs less predictable and less aligned with the user's immediate needs.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
CONFIG-UPGRADE.md:23