Back to skill

Security audit

Memory Pipeline

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for agent memory, but it can persist private conversation history and send workspace memory to external LLM providers with limited user control.

Install only if you are comfortable with workspace notes, session transcripts, imported ChatGPT conversations, identity/user files, and after-action summaries being stored locally and potentially processed by configured LLM providers. Use a dedicated API key, run dry-runs before imports, review generated memory files, avoid importing highly sensitive archives, and disable or tightly configure after-action persistence and transcript ingestion in sensitive environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (32)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation describes capabilities that read environment variables, read and write workspace files, and call external LLM/network services, but it does not declare permissions or present a clear trust boundary. This creates a real security issue because users and orchestration systems cannot accurately assess or constrain what the skill will access before installation or execution.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script searches environment variables and local config files for API credentials, then uses them to enable outbound LLM calls. In a memory/briefing skill, this expands behavior from local summarization into implicit external data processing without an explicit opt-in boundary, increasing the risk of unintended data disclosure.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The code assembles workspace memory contents, identity/personality files, user notes, todos, extracted facts, and recent notes into a prompt and transmits that prompt to third-party LLM APIs. This is a direct confidentiality risk because highly sensitive personal or project context can leave the local workspace without minimization, consent, or policy enforcement.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill encourages importing ChatGPT exports and writing them into persistent searchable memory without a prominent warning about privacy, retention, or secondary use in future sessions. Because exports can contain sensitive personal, professional, or regulated data, silent ingestion materially increases the chance of long-term overcollection and unintended disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup guide states that session transcripts are read from `~/.clawdbot/agents/main/sessions/*.jsonl`, but it does not clearly warn users that potentially sensitive transcript content may then be processed by scripts that depend on external LLM providers and embeddings APIs. This creates a real privacy and data-governance risk because users may enable the pipeline without informed consent about what local data is ingested and what may be transmitted to third-party services.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script imports full ChatGPT exports and writes conversation contents directly to persistent markdown files without any warning, consent checkpoint, sanitization, or redaction step. ChatGPT exports often contain credentials, personal data, business secrets, or regulated information, so this creates a realistic confidentiality risk by proliferating sensitive content into a local searchable memory store.

Missing User Warnings

High
Confidence
99% confidence
Finding
Sensitive workspace context is sent to external APIs with no user-facing warning, consent prompt, or indication of the exact data categories being transmitted. Because this skill is specifically designed to aggregate memory and behavioral context across sessions, the content is more sensitive than ordinary text generation input and the lack of disclosure materially raises the privacy risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script silently accesses credentials from environment variables and local config files, which can surprise users who expect a local-only memory tool. While credential reading alone is not code execution, in this context it enables hidden capability escalation into outbound data transfer using whatever provider key happens to be present.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends conversation transcripts or memory notes to third-party LLM APIs for processing, but there is no explicit user consent flow, warning, or redaction step before transmission. Because these sources may contain sensitive personal, project, credential-adjacent, or proprietary information, this creates a real confidentiality risk rather than a purely informational issue.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script sends fact subject/content to OpenAI's embeddings API, which is an external third party, but it does so without any explicit consent prompt, warning, or filtering for sensitive memory contents. In a memory system that may ingest personal notes, chat exports, or other confidential data, this creates a real confidentiality risk through unannounced data disclosure.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The script automatically reads API credentials from environment variables or a file in the user's home directory without prominently disclosing that behavior. While common in developer tooling, hidden credential discovery increases surprise and can cause users to unknowingly authorize external data transmission when combined with the embedding request path.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The plugin automatically writes an after-action memory file at the end of every run using model output and tool-call data, without any visible consent, notice, or opt-in in this code path. In a memory/telemetry skill, this can persist sensitive user content, secrets from tool outputs, or operational metadata to disk unexpectedly, creating privacy and data-retention risk even if the feature is intended for productivity.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function persists conversation-derived content (`finalAnswer` summarized into bullets plus tool usage metadata) to a caller-specified file without any consent check, disclosure mechanism, or data-classification guard. In a memory-management skill, this is especially sensitive because outputs may contain user secrets, credentials, personal data, or proprietary context that become durably stored on disk and later re-ingested.

Ssd 3

Medium
Confidence
97% confidence
Finding
Persistently ingesting past conversations into memory and reusing them in future briefings creates a natural-language data retention and prompt leakage channel. Sensitive content from old chats may later be surfaced to the model or user in unrelated contexts, violating data minimization and potentially exposing secrets, personal data, or confidential business information.

Ssd 3

Medium
Confidence
96% confidence
Finding
The extraction and briefing stages explicitly process transcripts, personality data, user context, and project details, then inject that memory into future system prompts. This is dangerous because it turns prior sensitive content into privileged context that may influence or leak into later sessions, increasing blast radius across time and tasks.

Ssd 3

Medium
Confidence
94% confidence
Finding
The lifecycle hooks persist session summaries, tools used, and outcomes into durable memory for later reuse, which creates cumulative behavioral and data exposure over time. Even if individual entries seem harmless, repeated storage of operational details can reveal workflows, sensitive tasks, internal tooling, or confidential objectives when later retrieved or summarized.

Ssd 3

Medium
Confidence
98% confidence
Finding
The script deliberately bundles user context, personality, identity, todos, and memory artifacts into a startup briefing prompt for an external LLM. That creates a concentrated natural-language exfiltration channel where multiple sensitive data classes are aggregated and sent together, increasing both privacy impact and blast radius if mishandled.

Ssd 3

Medium
Confidence
97% confidence
Finding
The prompt construction directly embeds up to 8000 characters of source transcript or notes and forwards them to external model providers for extraction. In a memory-management skill, these inputs are especially likely to contain sensitive long-lived user context, making third-party disclosure materially risky.

External Transmission

Medium
Category
Data Exfiltration
Content
try:
        if provider == "openai":
            response = requests.post(
                "https://api.openai.com/v1/chat/completions",
                headers={
                    "Content-Type": "application/json",
Confidence
90% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
timeout=90
            )
        elif provider == "anthropic":
            response = requests.post(
                "https://api.anthropic.com/v1/messages",
                headers={
                    "Content-Type": "application/json",
Confidence
90% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
try:
        if provider == "openai":
            response = requests.post(
                "https://api.openai.com/v1/chat/completions",
                headers={
                    "Content-Type": "application/json",
Confidence
90% confidence
Finding
requests.post( "https://api.openai.com/v1/chat/completions", headers={ "Content-Type": "application/json", "Authorization": f"Be

External Transmission

Medium
Category
Data Exfiltration
Content
timeout=90
            )
        elif provider == "anthropic":
            response = requests.post(
                "https://api.anthropic.com/v1/messages",
                headers={
                    "Content-Type": "application/json",
Confidence
90% confidence
Finding
requests.post( "https://api.anthropic.com/v1/messages", headers={ "Content-Type": "application/json", "x-api-key": api_key,

External Transmission

Medium
Category
Data Exfiltration
Content
timeout=30
            )
        elif provider == "gemini":
            response = requests.post(
                f"https://generativelanguage.googleapis.com/v1beta/models/gemini-2.0-flash-lite:generateContent?key={api_key}",
                headers={"Content-Type": "application/json"},
                json={
Confidence
96% confidence
Finding
requests.post( f"https://generativelanguage.googleapis.com/v1beta/models/gemini-2.0-flash-lite:generateContent?key={api_key}", headers={"Content-Type": "application/jso

External Transmission

Medium
Category
Data Exfiltration
Content
try:
        if provider == "openai":
            response = requests.post(
                "https://api.openai.com/v1/chat/completions",
                headers={
                    "Content-Type": "application/json",
                    "Authorization": f"Bearer {api_key}"
Confidence
88% confidence
Finding
https://api.openai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
)
        elif provider == "anthropic":
            response = requests.post(
                "https://api.anthropic.com/v1/messages",
                headers={
                    "Content-Type": "application/json",
                    "x-api-key": api_key,
Confidence
88% confidence
Finding
https://api.anthropic.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.