心跳回忆 (Heartbeat Memories)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local memory skill, but it stores and resurfaces personal conversation, goals, habits, and emotional history by default with broad triggers and limited consent controls.

Install only if you deliberately want OpenClaw to keep persistent local memories about your conversations, goals, habits, and emotions. Review the configuration first, consider disabling auto_record and heartbeat_recall, avoid storing secrets or highly sensitive personal information, and back up the memory directory before running reset or uninstall commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation clearly instructs users to run shell commands and Python scripts that perform filesystem reads/writes, yet the skill declares no permissions. This creates a transparency and consent problem: users and hosting platforms cannot accurately assess what capabilities the skill needs, increasing the chance of over-trusting it and running code with broader access than expected.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill claims '100% local operation' and 'No API calls to external services' while also documenting automatic download of a model from ModelScope. This is a misleading security statement that can cause users to underestimate network exposure, supply-chain risk, and data egress opportunities during installation or first use.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The privacy/security section makes strong assurances of no external-service interaction, but other sections instruct users to install from GitHub and download models from external sources. Contradictory security claims erode informed consent and can hide dependency-fetching or update-channel risk that matters for a memory-focused skill handling sensitive user data.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The documented trigger phrases include generic commands such as 'save this' and 'help me recall', which are common in ordinary conversation and can cause unintended skill activation. In a memory system that records conversations and retrieves personal history, accidental activation can lead to over-collection of sensitive data or unsolicited recall of private content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises automatic recording, emotional analysis, habit learning, and exclusive long-term profiling, but does not present a prominent privacy warning, consent model, or data-handling limitations at the point these features are introduced. Even if processing is local, the skill handles highly sensitive behavioral and emotional data, so unclear disclosure increases the risk of users unknowingly storing intimate information.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad everyday language such as 'save this' and 'help me recall,' which raises the likelihood of accidental activation during normal conversation. For a skill that stores long-term memories and profiles emotions, unintended triggering can lead to collection or resurfacing of sensitive information without clear user intent.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The description of 'smart triggering' and random insertion of memories during chats is ambiguous about when the skill activates and what data it may reuse. In a memory system dealing with personal history and emotions, unclear autonomous activation increases the risk of privacy violations, context leakage, and user surprise.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes automatic recording of conversations and emotion analysis without a prominent warning or explicit consent flow. Because this skill is designed to retain personal history over time, silent or poorly disclosed collection materially increases privacy risk and can capture sensitive data users did not expect to persist.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The configuration enables automatic memory recording by default, but the template does not define scope restrictions, consent gating, sensitivity exclusions, or trigger boundaries. In a long-term memory skill that stores user conversations locally, this can lead to over-collection of personal or sensitive data, creating privacy and data-minimization risks even without network exfiltration.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The heartbeat recall scenarios are broadly enabled with generic categories such as daily conversation, after task, forgotten goal, and special day, but the template does not define strict boundaries for what content may be surfaced or when. In a memory-recall system, broad automatic recall can unexpectedly resurface sensitive historical information in unrelated contexts, increasing privacy, safety, and user-trust risks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The uninstallation section includes destructive `rm -rf` commands that permanently delete the skill directory and potentially user memory data. Although this is normal for uninstall documentation, it is still risky because users may run the commands without understanding that stored long-term memory content will be irreversibly lost.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The template defines very broad trigger phrases like "简单点", "直接给命令", and "不要解释" that can appear in ordinary conversation and may cause the skill to activate or alter behavior unexpectedly. In a memory/assistant skill, this can let stored preferences override current user intent, suppress safety-relevant context, or cause unplanned memory-guided responses in unrelated tasks.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The CLI prints retrieved memory content directly to stdout, which can disclose sensitive long-term memory entries such as personal notes, goals, emotional records, or prior session data to anyone with terminal access or to logging systems that capture console output. In this skill's context, the risk is elevated because the system is explicitly designed to store and recall potentially sensitive user memory data across multiple memory banks.

Ssd 3

Medium
Confidence
93% confidence
Finding
The skill is explicitly designed to retain, summarize, and organize conversations, goals, and emotional information across sessions. Even if storage is local, this creates a significant sensitive-data concentration risk: a compromise of the local account, backups, or the skill itself exposes a rich natural-language dossier of the user.

Ssd 3

Medium
Confidence
94% confidence
Finding
The heartbeat recall features normalize ongoing profiling of habits, emotions, and historical conversations for future use. This increases the chance that sensitive or embarrassing details are surfaced at the wrong time, revealed in shared environments, or reused in ways the user did not intend, especially because proactive recall is described as random/probabilistic.

Ssd 3

Medium
Confidence
95% confidence
Finding
Stating that the system automatically records important conversations indicates background collection behavior tied to broad triggers rather than explicit, per-item consent. In the context of long-term memory storage, this can lead to overcollection of private information and creates a persistent repository that may later be queried or exposed.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Issue: Vector database initialization fails**
```bash
# Delete and recreate vector database
rm -rf memory/vector_db
python3 scripts/hbm_init.py
```
Confidence
89% confidence
Finding
```bash
rm -rf memory/vector_db
python3 scripts/hbm_init.py
```
**Issue: Configuration file not found**
```bash
# Copy template configuration
cp config/hbm_config_template.json config/hbm_config.json
```
##

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Issue: Vector database initialization fails**
```bash
# Delete and recreate vector database
rm -rf memory/vector_db
python3 scripts/hbm_init.py
```
Confidence
89% confidence
Finding
rm -rf memory/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
# 1. Remove the skill directory
rm -rf ~/.openclaw/skills/heartbeat-memories

# 2. Remove any memory data (optional, backup first)
rm -rf ~/.openclaw/workspace/memory  # If you used default location
```
Confidence
95% confidence
Finding
rm -rf ~/.openclaw/skills/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
rm -rf ~/.openclaw/skills/heartbeat-memories

# 2. Remove any memory data (optional, backup first)
rm -rf ~/.openclaw/workspace/memory  # If you used default location

# 3. Remove Python packages (optional)
pip uninstall chromadb sentence-transformers faiss-cpu
```
Confidence
94% confidence
Finding
rm -rf ~/.openclaw/workspace/

VirusTotal

67/67 vendors flagged this skill as clean.
