open-memory-system

Security checks across malware telemetry and agentic risk

Overview

This is a local memory skill, but it needs Review because it automatically persists session-derived data and because its cleanup step spawns python3 on MEMORY_DIR/index.py, with MEMORY_DIR taken from the environment: an avoidable code-execution path.

Install only if you want OpenClaw to keep local cross-session memory. Before enabling hooks or cron, review what .learnings and memory files may contain, avoid storing secrets, and consider patching cleanup so it does not execute MEMORY_DIR/index.py. Periodically inspect or delete ~/.openclaw/workspace/memory and remove the hook or cron entries if you no longer want automatic persistence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
# Update index
try:
    import subprocess
    subprocess.run(["python3", str(MEMORY_DIR / "index.py")], capture_output=True)
except:
    pass
```
Confidence
94% confidence
Finding
subprocess.run(["python3", str(MEMORY_DIR / "index.py")], capture_output=True)

Tainted flow: 'MEMORY_DIR' from os.environ.get (line 16, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
```python
# Update index
try:
    import subprocess
    subprocess.run(["python3", str(MEMORY_DIR / "index.py")], capture_output=True)
except:
    pass
```
Confidence
97% confidence
Finding
subprocess.run(["python3", str(MEMORY_DIR / "index.py")], capture_output=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documents shell commands, environment variable usage, and file read/write behavior, yet no explicit permissions are declared. This creates a transparency and consent gap: users may install a skill that can persist data and modify local state without a clear capability declaration, which increases the chance of unintended access or misuse.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
Undocumented subprocess execution is a meaningful security concern because it introduces code-execution behavior not apparent from the declared memory-management purpose. Hidden or poorly disclosed execution paths reduce auditability and can conceal risky trust assumptions, here compounded by use of an environment-derived path.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Spawning a subprocess during cleanup is not necessary for basic memory deletion and indexing, so it adds an unjustified execution capability. In this implementation, that capability becomes more dangerous because the executed script location depends on MEMORY_DIR, allowing a routine maintenance action to become a code-execution vector.
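As an added example (not the skill's own code, and not a patch to it), here is the flagged cleanup pattern next to a hardened version of the kind the overview recommends: it refuses an environment-supplied directory that resolves outside an allow-listed root and never spawns an interpreter at all. `cleanup_vulnerable` mirrors the snippet quoted in the findings above; `resolve_memory_dir`, `cleanup_hardened`, its `short-term` pruning rule and `demo` are assumptions about what a fix could look like, and the planted `index.py` is constructed attacker input.

```python
"""Vulnerable vs. hardened cleanup for an environment-derived MEMORY_DIR.

Added example, not the skill's own code. cleanup_vulnerable mirrors the flagged
snippet; resolve_memory_dir, cleanup_hardened and demo are assumptions.
"""
import os
import subprocess
import sys
import tempfile
from pathlib import Path


def cleanup_vulnerable(memory_dir: Path, interpreter: str = "python3") -> None:
    """The flagged pattern: MEMORY_DIR comes from the environment and whatever
    index.py sits under it is executed. Errors are swallowed, so a failed or
    hijacked run leaves no trace."""
    try:
        subprocess.run([interpreter, str(memory_dir / "index.py")], capture_output=True)
    except Exception:
        pass


def resolve_memory_dir(env: dict, allowed_root: Path) -> Path:
    """Accept MEMORY_DIR only if it resolves (symlinks followed) to a directory
    at or below allowed_root; anything else is refused before it is used."""
    raw = env.get("MEMORY_DIR")
    if not raw:
        raise ValueError("MEMORY_DIR is not set")
    candidate = Path(raw).expanduser().resolve()
    root = allowed_root.expanduser().resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"MEMORY_DIR {candidate} is outside {root}")
    if not candidate.is_dir():
        raise ValueError(f"MEMORY_DIR {candidate} is not a directory")
    return candidate


def cleanup_hardened(env: dict, allowed_root: Path, keep: int = 7) -> list:
    """Hardened cleanup (assumed policy): validate the directory, prune the
    short-term files down to the newest `keep`, spawn nothing. Returns the
    names it removed so the caller can log or show them instead of hiding them."""
    memory_dir = resolve_memory_dir(env, allowed_root)
    short_term = memory_dir / "short-term"
    if not short_term.is_dir():
        return []
    files = sorted(
        (p for p in short_term.iterdir() if p.is_file() and not p.is_symlink()),
        key=lambda p: (p.stat().st_mtime, p.name),  # oldest first
    )
    stale = files[:-keep] if len(files) > keep else []
    for p in stale:
        p.unlink()
    return [p.name for p in stale]


def demo() -> dict:
    """Plant an index.py outside the allowed root (constructed attacker input),
    record which cleanup runs it, then prune a constructed short-term directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        allowed_root = base / "workspace" / "memory"
        short_term = allowed_root / "short-term"
        short_term.mkdir(parents=True)
        attacker_dir = base / "attacker"
        attacker_dir.mkdir()
        marker = attacker_dir / "pwned.txt"
        (attacker_dir / "index.py").write_text(
            f"open({str(marker)!r}, 'w').write('ran')\n", encoding="utf-8"
        )
        env = {"MEMORY_DIR": str(attacker_dir)}  # attacker-controlled environment

        # sys.executable stands in for "python3" so the demo runs on any host
        cleanup_vulnerable(Path(env["MEMORY_DIR"]), interpreter=sys.executable)
        ran_vulnerable = marker.exists()
        marker.unlink(missing_ok=True)

        try:
            cleanup_hardened(env, allowed_root)
            rejected = False
        except ValueError:
            rejected = True
        ran_hardened = marker.exists()

        # legitimate directory: nine short-term files with distinct mtimes, keep 7
        for i in range(9):
            p = short_term / f"2024-01-0{i + 1}.md"
            p.write_text("note\n", encoding="utf-8")
            os.utime(p, (1_700_000_000 + i, 1_700_000_000 + i))
        removed = cleanup_hardened({"MEMORY_DIR": str(allowed_root)}, allowed_root)

        return {
            "ran_vulnerable": ran_vulnerable,
            "rejected": rejected,
            "ran_hardened": ran_hardened,
            "removed": removed,
        }


if __name__ == "__main__":
    print(demo())
```

Run it directly and the marker file appears only for the vulnerable path. Because both sides of the comparison go through `resolve()`, a symlink planted inside the allowed root that points elsewhere is refused too, and the hardened cleanup reports what it deleted instead of swallowing errors with a bare `except`.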

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly advertises automatic capture of user preferences and important events, but it does not disclose retention scope, consent expectations, or privacy implications. In a memory/persistence skill, silent or insufficiently explained cross-session storage can lead to collection of sensitive personal data without informed user awareness.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The installation steps instruct users to copy hooks into the global hooks directory, causing code to run automatically on lifecycle events, but the README does not prominently warn that these hooks will execute without manual invocation. Automatic execution in a user's environment increases the risk of unintended data collection or behavior, especially when tied to session start/end events.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly stores user preferences, entities, and events as long-term memory, but the description does not warn users that potentially sensitive conversation-derived data will be retained across sessions. This is dangerous because users may disclose personal or confidential information without understanding it will be persisted and resurfaced later.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The workflow describes hooks and cron jobs that automatically save, summarize, transform, and reload conversation-derived data without an explicit warning to the user. Automatic background processing increases risk because data can be retained or expanded into long-term memory even when the user did not intentionally request storage.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The handler automatically reads MEMORY.md, daily short-term memory, and preference summaries at session start without any user-facing notice, consent check, or scope restriction visible in this file. Even though it only returns log metadata here, the behavior establishes automatic access to potentially sensitive cross-session memory content and could expose private user data to the broader agent context or downstream components without the user understanding that this access occurs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The handler automatically copies recent learning files into persistent memory on session end without any user-facing notice, consent gate, or content filtering. In a memory-management skill, this increases privacy risk because potentially sensitive session-derived content can be retained across sessions unexpectedly, expanding data exposure if memory is later read, synced, or mishandled.

Ssd 3

Medium
Confidence
89% confidence
Finding
The documentation describes automatic capture and persistence of user preferences and important events across sessions, which is a form of behavioral and personal-data retention. In the context of an agent memory system, this can accumulate sensitive information over time and expose users to privacy harm if they are not explicitly informed and consenting.

Ssd 3

Medium
Confidence
92% confidence
Finding
The session-end hook is documented as automatically saving learned content into user memory stores, meaning data generated during interaction may be persisted without per-event confirmation. This is particularly sensitive because session summaries or learnings can contain confidential, personal, or proprietary information that users did not expect to be retained.

Ssd 3

Medium
Confidence
94% confidence
Finding
This skill is designed to persist and resurface natural-language user data across sessions, including preferences, entities, and events. Even if intended as a memory feature, such cross-session retention can accumulate sensitive personal, behavioral, or organizational information that may later be exposed, misused, or inappropriately inferred from.

Ssd 3

Medium
Confidence
97% confidence
Finding
The automated flow saves session learnings, distills short-term content into long-term events, and reloads memory on future sessions, creating a broad persistence pipeline for user-provided content. This is risky because summarization and distillation can preserve sensitive information in new forms that are harder for users to detect or remove.
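Added example, not the skill's own hook: one way to put the consent gate and content filtering that the Missing User Warnings and Ssd 3 findings above ask for in front of the session-end write, so that secrets mentioned in a session are not copied into cross-session memory and the user is told what was stored. The credential patterns, the constructed `SAMPLE_LEARNING` text, the `short-term/learnings.md` destination and the function names are all assumptions.

```python
"""Consent-gated, secret-scrubbing persistence step for a session-end hook.

Added example, not the skill's own code. Patterns, sample text, destination
path and function names are assumptions.
"""
import re
import tempfile
from pathlib import Path

# Constructed credential shapes; a real deployment would tune these to its own
# secret formats. The placeholders inserted must not re-match later patterns.
SECRET_PATTERNS = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{20,}")),
    ("kv_secret", re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*\S+")),
]

# Constructed learnings text of the kind a session-end hook would copy over.
SAMPLE_LEARNING = """\
User prefers concise answers and works mostly in Go.
Deploy note: export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
Staging db password: hunter2-staging
Reminder: standup moved to 10:00 on Tuesdays.
"""


def scrub(text: str) -> tuple:
    """Replace anything that looks like a credential with a labelled
    placeholder. Returns (scrubbed_text, [(pattern_name, hits), ...])."""
    findings = []
    for name, pattern in SECRET_PATTERNS:
        text, hits = pattern.subn(f"[REDACTED:{name}]", text)
        if hits:
            findings.append((name, hits))
    return text, findings


def persist_learning(text: str, memory_dir: Path, consent: bool) -> dict:
    """Session-end step: store nothing without consent, scrub before writing,
    and report what was stored and what was redacted so the user learns it now
    rather than by finding it in MEMORY.md in a later session."""
    if not consent:
        return {"stored": False, "reason": "no consent for cross-session memory",
                "redactions": []}
    scrubbed, findings = scrub(text)
    dest = memory_dir / "short-term" / "learnings.md"  # assumed destination
    dest.parent.mkdir(parents=True, exist_ok=True)
    with dest.open("a", encoding="utf-8") as fh:
        fh.write(scrubbed)
    return {"stored": True, "path": str(dest), "redactions": findings}


def demo() -> dict:
    """Run the step once without consent and once with it, on the sample text."""
    with tempfile.TemporaryDirectory() as tmp:
        memory_dir = Path(tmp) / "memory"
        declined = persist_learning(SAMPLE_LEARNING, memory_dir, consent=False)
        written_without_consent = (memory_dir / "short-term" / "learnings.md").exists()
        accepted = persist_learning(SAMPLE_LEARNING, memory_dir, consent=True)
        on_disk = Path(accepted["path"]).read_text(encoding="utf-8")
        return {
            "declined_stored": declined["stored"],
            "written_without_consent": written_without_consent,
            "redactions": accepted["redactions"],
            "on_disk": on_disk,
        }


if __name__ == "__main__":
    result = demo()
    print(result["redactions"])
    print(result["on_disk"])
```

The preference and the reminder survive untouched; the access key and the password line are replaced by labelled placeholders, and the returned `redactions` list is what a hook would surface to the user at session end. Pattern-based scrubbing is a floor, not a guarantee: anything that does not look like a credential still reaches long-term memory, which is why the consent gate comes first.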

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
export MEMORY_DIR=~/.openclaw/workspace/memory
mkdir -p $MEMORY_DIR/{user/{preferences,entities,events},agent/{persona,episodic},short-term}
```

### Step 3: Deploy Hook
Confidence
84% confidence
Finding
```bash
mkdir -p $MEMORY_DIR/{user/{preferences,entities,events},agent/{persona,episodic},short-term}
```

### Step 3: Deploy Hook
```bash
# auto-save-memory: deploy to ~/.openclaw/hooks/
cp -r open-memory-system/scri
```

VirusTotal

66/66 vendors flagged this skill as clean.
