Security audit

Graph-RAG Memory

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine local memory tool, but it persistently ingests workspace data, changes OpenClaw behavior, and starts background refresh code, with weak consent and review boundaries around each of those actions.

Review carefully before installing. Run with --dry-run first, back up ~/.openclaw/openclaw.json, avoid broad workspace seeding until you have reviewed and minimized the files to be ingested, exclude secrets and personal data, and do not start the daemon or the silent cron job until the referenced memory-upgrade runtime files are present and reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The installation instructions fetch and execute a remote bootstrap script via curl, then install packages at runtime. This is a supply-chain risk because it trusts live network content during execution; if the remote script or transport path is compromised, arbitrary code could run in the agent environment.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The installer fetches get-pip.py from the network with curl and immediately executes it with python3, creating a direct remote code execution path if the download is tampered with, redirected, or served maliciously. In an installer that is expected to run with the user's privileges and modify the local environment, this is especially dangerous because it expands trust to unauthenticated runtime-fetched code.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding:
The trigger phrases are broad enough that the skill may activate on common memory-related language, causing unintended invocation of a capability that can persist and query data. In this context, accidental activation is more dangerous than usual because the skill handles long-term memory ingestion and retrieval across workspace content.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill is designed to ingest conversations, documents, notes, and workspace files into persistent memory, but it does not prominently warn about persistence, retention scope, or privacy implications. This can lead to sensitive data being stored long-term without informed consent, especially when coupled with broad triggers and workspace-wide ingestion scripts.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The documentation instructs users to seed the memory graph from their memory files but does not warn that those files may contain sensitive personal, proprietary, or regulated data that will be persistently stored and made queryable. In this skill’s context, the omission is more dangerous because the system is explicitly designed for long-term retention and retrieval, increasing the chance of unintended exposure, over-collection, or later misuse of ingested data.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The script downloads bootstrap code from bootstrap.pypa.io and executes it without any integrity verification or prominent warning, so a compromised network path, mirror, or trust boundary could lead to arbitrary code execution. Because this is part of a persistence-oriented memory system installer that also patches configs and starts daemons, successful exploitation would give an attacker a strong foothold in the agent environment.
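Findings 1, 2 and 6 describe the same pattern: a bootstrap script (get-pip.py from bootstrap.pypa.io) is fetched with curl and handed straight to python3, so whatever arrives on the wire runs with the user's privileges. The fix is to download to disk, compare the file against a digest you recorded after reviewing that exact artifact, and execute only on a match. The shell functions below are an added example, not the skill's own installer and not code from the SkillSpector report. The URL argument and the digest shown in the usage comment are placeholders (assumptions); take the real digest from the copy of get-pip.py you actually reviewed. Note what the check does and does not buy you: a pinned digest defeats tampering in transit, a malicious mirror, and a silent upstream change, but it cannot detect an upstream compromise that predates your review.

```shell
#!/bin/sh
# Added example: download an installer to disk and execute it only if its
# SHA-256 matches a pinned digest. Never pipe the stream straight into an
# interpreter; the integrity check has to see the complete artifact first.

# SHA-256 of a file, portable across Linux (sha256sum) and macOS (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 if FILE's digest equals EXPECTED (lowercase hex), 1 otherwise.
verify_digest() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Fetch URL to a temporary file, verify it against EXPECTED, then run it with
# python3. Refuses to execute on a mismatch and removes the download either way.
fetch_verify_run() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    # --proto '=https' rejects any non-HTTPS URL or redirect; --tlsv1.2 refuses
    # older TLS; -f turns an HTTP error page into a failure instead of a "script".
    if ! curl --proto '=https' --tlsv1.2 -fsSL -o "$tmp" "$url"; then
        echo "download of $url failed" >&2
        rm -f "$tmp"
        return 1
    fi
    if verify_digest "$tmp" "$expected"; then
        python3 "$tmp"
        rc=$?
    else
        echo "digest mismatch for $url; refusing to execute" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (commented out; the digest is a PLACEHOLDER, not the real get-pip.py hash):
#   fetch_verify_run https://bootstrap.pypa.io/get-pip.py \
#       0000000000000000000000000000000000000000000000000000000000000000
```

If the installer must keep working after upstream publishes a new get-pip.py, that is a deliberate re-review and re-pin step, not a reason to drop the check; an installer that cannot say which bytes it will execute is the finding.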

VirusTotal

65 of 65 vendors reported this skill as clean. This reflects antivirus signature and heuristic verdicts only; the supply-chain and data-handling issues listed above are design and behavior problems that such scanners are not built to detect, so a clean VirusTotal result does not offset those findings.

View on VirusTotal