Back to skill

Security audit

Vta Memory

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local motivation tool, but it needs Review because it can scan chat transcripts, store excerpts and inferences, schedule recurring agent work, and inject generated state into future sessions.

Install only if you are comfortable with a local skill that can analyze OpenClaw session transcripts, keep reward-related excerpts and inferences, and let generated motivation state influence future sessions. Be especially cautious with --with-cron because it adds recurring agent work; review or disable the cron jobs and inspect the workspace memory files and brain-dashboard.html if sensitive conversations are present.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises shell, file read/write, and environment-dependent behavior but does not declare permissions or clearly scope those capabilities. This weakens user consent and review, especially because the skill installs cron jobs, writes persistent state, and influences future sessions through generated files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior goes well beyond a simple reward system: it reads agent session transcripts, extracts conversation content into persistent files, installs scheduled jobs, and generates a browser-viewable dashboard using identity data. That mismatch can cause users to approve the skill without understanding that sensitive conversation data and identity metadata may be collected, persisted, and surfaced elsewhere.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The installer creates recurring cron-driven agent actions that go beyond one-time local setup by registering autonomous tasks with `openclaw cron add`. Even though the commands appear related to this skill’s maintenance, persistent scheduled agent actions expand the skill’s operational scope and can cause ongoing behavior without continued user review, which is risky in an agent environment.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The prompt requires running a preprocessing script over conversation history and then extracting reward-related interpersonal and behavioral signals into persistent memory. That creates a privacy-sensitive secondary use of conversation data that is broader than a simple 'reward/motivation' label suggests, and it does so without clear consent, minimization, or disclosure boundaries.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The script collects and renders hippocampus and amygdala data even though the skill is described as a VTA reward/motivation component. This creates unnecessary cross-skill data exposure in a generated HTML artifact, broadening access to memory and emotional-state information and violating least-privilege expectations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly states that `VTA_STATE.md` is auto-injected into every session, which implies persistent modification of the agent's session context without an explicit opt-in, warning, or clear description of trust boundaries. Automatically injecting mutable state into all future sessions can influence agent behavior in ways users may not expect, and in a 'motivation/reward' skill this is especially sensitive because the injected content is designed to shape priorities and actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill states that it generates VTA_STATE.md and that workspace markdown is auto-injected into sessions, but it does not present this as a clear security/privacy warning. Automatic context injection can persistently influence agent behavior across future sessions and may expose state derived from user interactions without sufficiently informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The markdown instructs the agent to execute shell scripts that read conversation history and modify workspace memory/state files automatically, yet provides no warning, approval checkpoint, or safety constraints. This can cause silent persistent state changes and unintended data processing, especially if the scripts are triggered in routine operation without user awareness.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The prompt directs logging inferred rewards from conversation into persistent storage without making that persistence explicit in the skill description. Silent retention of inferred emotional or motivational data increases privacy risk and can surprise operators or users who do not expect conversational content to be transformed into long-lived state.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script persists transcript-derived message text into a workspace JSON file (`pending-rewards.json`) for later LLM analysis, which can include sensitive user or agent content. There is no consent prompt, minimization, redaction, retention control, or warning about persistence, so confidential data may be stored longer than expected and exposed to other local processes, backups, or users with access to the workspace.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.