Elite Longterm Memory

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate memory skill, but it encourages broad silent persistence of conversation details and optional third-party memory sync without enough user control or privacy disclosure.

Install only if you intentionally want an agent to keep durable memory about your work. Before using it, set rules that prohibit storing credentials, secrets, personal/health/financial data, and sensitive project details; review and prune SESSION-STATE.md, MEMORY.md, daily logs, Git notes, and vector memory regularly; enable Mem0 or SuperMemory only if you accept sending selected conversation-derived data to those providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README promotes automatic fact extraction from conversations and optional cloud sync, but does not clearly warn users that potentially sensitive conversation content may be transmitted to third-party services or stored remotely. In an AI memory skill, users may reasonably assume local persistence only, so missing privacy and data-flow disclosures increases the risk of unintended exposure of secrets, personal data, or proprietary workspace context.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation rule instructs the agent to write before responding based on broad categories of user input, which can cause routine conversation details to be persisted without meaningful filtering. In a memory skill, that context makes the issue more dangerous because the design goal is persistent capture across sessions, increasing overcollection risk.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill explicitly directs silent storage of decisions and preferences, without any user-facing disclosure that information will be retained. This is dangerous because users may reveal personal or sensitive data during normal interaction, and silent persistence removes the opportunity for informed consent or correction.

Missing User Warnings

High
Confidence
98% confidence
Finding
The optional cloud backup and Mem0 auto-extraction sections encourage sending conversation content to third-party services, but they do not present a clear privacy warning or consent requirement. Because this skill centers on long-term memory, external transmission materially increases confidentiality and compliance risk.

Ssd 3

Medium
Confidence
94% confidence
Finding
The instructions normalize persistent storage of user details, decisions, and preferences across sessions, creating a natural-language data retention risk. In the context of a memory system, this is not incidental logging but a core workflow, so without safeguards it can accumulate sensitive data and leak context to future sessions or agents.

Ssd 3

Medium
Confidence
95% confidence
Finding
The WAL protocol tells the agent to save user statements before responding, which encourages blanket capture of inputs regardless of sensitivity or necessity. This is dangerous because it converts transient conversation into durable records by default, increasing exposure in local files, indexes, and downstream sync targets.

Ssd 3

Medium
Confidence
96% confidence
Finding
Automatic fact extraction from conversations is promoted as a recommended feature without safeguards, implying broad ingestion of conversational content into an external memory service. This increases risk because extraction is harder for users to reason about than explicit saves and can capture sensitive facts they never intended to persist.

Session Persistence

Medium
Category
Rogue Agent
Content
- [ ] ...
```

**Rule:** Write BEFORE responding. Triggered by user input, not agent memory.

### Layer 2: WARM STORE (LanceDB Vectors)
**From: lancedb-memory**
Confidence
89% confidence
Finding
Write BEFORE responding. Triggered by user input, not agent memory. ### Layer 2: WARM STORE (LanceDB Vectors) **From: lancedb-memory** Semantic search across all memories. Auto-recall injects releva

Session Persistence

Medium
Category
Rogue Agent
Content
User: "Let's use Tailwind for this project, not vanilla CSS"

Agent (internal):
1. Write to SESSION-STATE.md: "Decision: Use Tailwind, not vanilla CSS"
2. Store in Git-Notes: decision about CSS framework
3. memory_store: "User prefers Tailwind over vanilla CSS" importance=0.9
4. THEN respond: "Got it — Tailwind it is..."
Confidence
91% confidence
Finding
Write to SESSION-STATE.md: "Decision: Use Tailwind, not vanilla CSS" 2. Store in Git-Notes: decision about CSS framework 3. memory_store: "User prefers Tailwind over vanilla CSS" importance=0.9 4. THE

Tool Parameter Abuse

High
Category
Tool Misuse
Content
memory_recall query="*" limit=50

# Clear all vectors (nuclear option)
rm -rf ~/.openclaw/memory/lancedb/
openclaw gateway restart

# Export Git-Notes
Confidence
66% confidence
Finding
rm -rf ~

Tool Parameter Abuse

High
Category
Tool Misuse
Content
memory_recall query="*" limit=50

# Clear all vectors (nuclear option)
rm -rf ~/.openclaw/memory/lancedb/
openclaw gateway restart

# Export Git-Notes
Confidence
66% confidence
Finding
rm -rf ~/.openclaw/memory/lancedb/

VirusTotal

65/65 vendors flagged this skill as clean.
