OpenClaw Memory System

Security checks across malware telemetry and agentic risk

Overview

This is a coherent memory skill, but it installs persistent automation that reads session logs, rewrites memory files, and deletes some session files with weak user-control safeguards.

Review before installing. This does not look like malware or credential theft, but it will create scheduled background tasks, persist conversation-derived data into Markdown files, and delete some session logs. Install only in workspaces where that automation is acceptable, and consider disabling the GC task, adding dry-run/confirmation steps, and backing up the workspace first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The prompt asserts a safety property ('do not overwrite, only append') but later instructs writing complete structured content to target files such as SESSION-STATE.md, which implies replacement unless explicit append/merge semantics are defined. This mismatch can mislead an agent or user into believing the migration is non-destructive, increasing the risk of accidental data loss or corruption in workspace memory files.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The document introduces an 'external todo sync' capability even though the rest of the architecture is framed as a local, file-based memory system. Adding outbound synchronization expands the trust boundary and can enable unintended data exfiltration, especially if L1 contains conversation-derived task data or sensitive notes.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README explicitly advertises that installation will automatically back up files, write multiple prompt/templates, initialize memory files, and register cron jobs, but it does not clearly warn users that running the install command changes persistent files and scheduled task state. In a prompt-driven agent skill, this matters because users may invoke a seemingly simple command without understanding the scope of host-side modifications, increasing the risk of unintended persistence, data exposure through archived conversation logs, or operational side effects from recurring jobs.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly documents an installation flow that writes multiple files, initializes persistent memory, and registers Cron jobs, but it does not prominently warn the user that invoking the command will modify the local filesystem and create scheduled background tasks. In an agent-skill context, this is security-relevant because users may trigger installation based on natural-language descriptions without appreciating the persistence and automation effects, increasing the chance of unintended system changes.

Missing User Warnings

Low
Confidence: 83%
Finding
The migration flow reads backup data and appends transformed content into persistent memory files, but the documentation does not clearly warn that historical data will be ingested and local state will be modified. Although the flow claims append-only behavior and backup verification, silent or poorly disclosed data modification can still cause privacy issues, data pollution, or accidental propagation of stale/sensitive content.

Missing User Warnings

Medium
Confidence: 92%
Finding
This prompt instructs the agent to perform irreversible file deletions in a sessions directory, but it does not require an explicit user-facing confirmation or destructive-action warning before execution. In an agent-skill context, deleting session logs can remove audit history or user data, and the broad path construction plus automated scheduled cleanup increases the risk of accidental or overbroad deletion.

Missing User Warnings

Medium
Confidence: 91%
Finding
The install prompt instructs modification of existing workspace files, including prepending content to SESSION-STATE.md and creating or changing MEMORY.md, but it does not present a clear upfront warning that user data and workspace state will be altered before execution begins. Although a backup step exists, users may still consent without understanding the scope of modifications, which can lead to unintended data mutation or workflow disruption.

Missing User Warnings

Medium
Confidence: 94%
Finding
The prompt directs registration of recurring cron tasks that create persistent background behavior, but it does not provide a strong explicit warning upfront that the installation will modify scheduled task state on the system. Persistent automation can surprise users, consume resources, repeatedly touch files, and continue operating after the initial install, making the impact broader than a one-time file change.

Missing User Warnings

Medium
Confidence: 93%
Finding
The prompt explicitly instructs an automated cron-triggered process to overwrite `SESSION-STATE.md` based on parsed conversation logs, but it does not require user awareness, confirmation, backup, or any integrity safeguards before modifying persisted user data. In an agent setting, this can cause silent data loss, corruption of prior state, or persistence of manipulated summaries if logs contain adversarial or malformed content.

Missing User Warnings

Medium
Confidence: 93%
Finding
The prompt explicitly instructs overwriting SESSION-STATE.md to retain only a cursor, which is a destructive operation that can permanently erase active session data if the archive step is skipped, partial, or fails silently. Because this is framed as a routine automated nightly task, the risk is amplified: an agent may execute it without user confirmation, rollback, or integrity verification beyond informal checklist text.

Missing User Warnings

Medium
Confidence: 95%
Finding
The prompt explicitly instructs the agent to append derived content into `${WORKSPACE}/MEMORY.md`, which is persistent state, without any requirement for user confirmation, preview, or dry-run. This creates a real integrity risk: a routine analysis task can silently modify long-lived memory, introduce incorrect summaries, duplicate or poison future context, and make rollback difficult.

Missing User Warnings

Medium
Confidence: 91%
Finding
The migration instructions direct the agent to write or append into workspace state files and memory archives, but they do not prominently warn that existing workspace data will be modified as part of execution. In a prompt-driven agent setting, hidden or understated state-changing behavior is risky because users may invoke the skill expecting analysis-only behavior and instead trigger persistent changes.

Missing User Warnings

Medium
Confidence: 95%
Finding
The architecture describes persisting conversation-derived content across multiple files and retention layers without any visible notice, consent, or data-handling guidance. This creates privacy and compliance risk because users may reasonably assume chats are ephemeral while the system actually archives and extracts them into longer-lived storage.

Missing User Warnings

Medium
Confidence: 94%
Finding
The troubleshooting guide includes a direct `rm` command to delete files but does not warn that deletion is irreversible or instruct users to verify the target path before running it. In documentation for an agent skill, copy-pasted shell commands can be executed blindly, so even a nominally narrow delete command creates avoidable data-loss risk.

Missing User Warnings

Medium
Confidence: 97%
Finding
The manual GC section uses `find ... -delete` to remove session-related files, including path construction from `$(pwd)/../../agents/main/sessions/`, without a prominent warning about permanent session-data loss. Because the path is relative and destructive deletion is recursive over matching files, mistakes in working directory or assumptions about layout could lead to unintended removal of operational data.

VirusTotal

65/65 vendors flagged this skill as clean.