Auto Memory

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it stores chosen files or memories on a public permanent storage network, which is useful but risky for sensitive data.

Install only if you want an agent to upload selected memories or files to effectively permanent, public-by-default decentralized storage. Do not upload secrets, private keys, tokens, regulated data, proprietary material, or personal information unless it has been minimized and protected, such as with client-side encryption. Treat the AUTO_DRIVE_API_KEY and any head CID as sensitive, and confirm the exact content before any save or recall operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Intent-Code Divergence

Severity: Low
Confidence: 84%
The comment states the default state-file path is trusted, but it is derived from OPENCLAW_WORKSPACE, which is fully attacker-controlled in many automation contexts. Because the default path skips the stricter validation applied to explicit --state-file, a malicious environment can redirect writes to unintended files under the current user's permissions.

Vague Triggers

Severity: Medium
Confidence: 87%
The trigger guidance includes broad phrases such as 'save memory', 'remember this permanently', and 'checkpoint', which are common in normal conversation and could cause the skill to activate unintentionally. In this skill's context, accidental activation is especially risky because it can lead to irreversible upload of user data to a permanent public network.

Missing User Warnings

Severity: Medium
Confidence: 90%
The document states that uploaded content is permanent, publicly retrievable, and cannot be deleted, but it does not prominently warn users not to store secrets, personal data, or sensitive agent memory. In the context of an 'indestructible agent memory' skill, this is especially dangerous because agents may persist credentials, internal reasoning, user data, or decision history to irreversible public storage, creating lasting confidentiality and privacy breaches.

Missing User Warnings

Severity: Medium
Confidence: 86%
The document encourages use of permanent, decentralized storage and API-key-based access but does not clearly warn that uploaded data may be effectively irreversible and inappropriate for secrets, personal data, or sensitive agent context. In a memory skill, this omission is more dangerous because users may store conversational history, identity, or decision records that can contain credentials, private data, or regulated information they cannot later delete.

Missing User Warnings

Severity: Medium
Confidence: 86%
The function sends the provided API key to a remote verification endpoint immediately, with only a generic 'Verifying API key...' message and no explicit consent or warning that the secret will be transmitted off-host. While verification is expected for this skill's purpose, silently transmitting credentials to a third-party service can surprise users and increases the risk of accidental disclosure if the endpoint, network path, or operator is not trusted.

Missing User Warnings

Severity: Medium
Confidence: 90%
This code packages the provided input and uploads it to a remote service, but the script does not present a strong runtime disclosure or confirmation before transmitting potentially sensitive content. In an agent skill context, this is significant because arbitrary memory, prompts, or local file contents may be persisted off-host without the operator fully realizing it.

Missing User Warnings

Severity: Medium
Confidence: 89%
The script collects an API key and persists it to local configuration files, but it does not explicitly warn the user that the credential will be stored on disk or describe the security implications. While storing service credentials locally can be expected for setup workflows, silently persisting secrets increases the chance of accidental exposure through weak file permissions, backups, dotfile sync, or shared multi-user systems.

Ssd 3

Severity: High
Confidence: 98%
The skill is designed to persist agent decisions, identity, and context permanently and reconstruct them later from a CID. Storing this class of information on immutable public infrastructure creates severe privacy, data-minimization, and consent risks because sensitive context, personal data, or internal reasoning may be uploaded and can never be meaningfully deleted.

Ssd 3

Severity: High
Confidence: 96%
The usage guidance encourages storing data permanently whenever a user asks for it, without requiring validation that the content is safe for irreversible public publication. This increases the chance that users or downstream agents will upload confidential files, personal information, or proprietary context to immutable storage with no practical recovery path.

Ssd 3

Severity: High
Confidence: 95%
Describing recall as reconstruction of full agent history from a single CID encourages aggregation and reuse of large amounts of prior context from immutable storage. This magnifies privacy and security risk because one disclosed CID may expose an extensive historical chain of decisions, notes, and potentially sensitive data, not just a single record.

Ssd 3

Severity: Medium
Confidence: 91%
The narrative promotes restoring whatever was saved, including identity and context, after total local state loss. While framed as resilience, this encourages over-collection and long-term retention of broad agent and user context, which becomes dangerous in a public immutable system because accidental or excessive capture cannot be revoked.

VirusTotal

65/65 vendors flagged this skill as clean.