Tiered Memory

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local memory archiver for OpenClaw, but users should understand that it can process and retain sensitive memory data long term.

Install this only if you want OpenClaw memory files archived and retained. Before enabling the cron job, run the archiver with `--dry-run`, review what files will be processed, and decide whether long-term SQLite storage is acceptable. Use `--skip-llm` for sensitive workspaces or confirm your Ollama setup is local and trusted. Avoid running the `curl | sh` installer blindly; use a verified Ollama installation method where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs users to run shell commands, create directories, and invoke local scripts, yet it declares no explicit permissions. This undermines informed consent and policy enforcement because users and platforms cannot easily see that the skill needs shell execution and filesystem access before installation or use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior overstates safe/expected functionality and omits material implementation details such as subprocess-based Ollama invocation, direct archive querying, and non-semantic recent-tier search. Description-behavior mismatch is dangerous because users may authorize the skill under false assumptions about data handling, search guarantees, and external model interaction.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script sends archived memory content to an external local model process via the ollama CLI, but this capability is not clearly disclosed in the stated skill behavior. Even though the model is local, this expands the trust boundary and may expose sensitive memory contents to another process, logs, model storage, or future remote-backed configurations without user awareness.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README instructs users to enable automatic archiving and LLM summarization of memory files, but it does not clearly warn that potentially sensitive agent memory will be moved, transformed, and stored long-term. In a memory-management skill, this increases the risk of unintentional retention or disclosure of secrets, personal data, or internal prompts because users may deploy it without understanding the data lifecycle.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill recommends a daily cron job that automatically archives and moves memory files on a schedule, but it does not prominently warn that user data will be modified without interactive confirmation. Scheduled modification of memory/history increases the risk of silent data movement, operational surprise, and loss of expected access patterns.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The metadata and quick-start text mention LLM summarization but do not clearly warn that memory contents may be transmitted to or processed by an Ollama-served model. Even if Ollama is local, memory data may include sensitive information, and users should be told exactly what content is exposed to model processing.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide states that `MEMORY.md` and `memory/*.md` are automatically indexed into a semantic search system, but it does not warn that these files may contain secrets, personal data, internal notes, or other sensitive content that will be embedded and made retrievable through search. In a memory-management skill, this omission is more dangerous because the feature is specifically designed to centralize and retain agent context, increasing the chance that sensitive material is ingested and later surfaced to prompts, logs, or downstream components.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Memory file contents are forwarded verbatim to a model process for summarization without an explicit user warning or consent flow. Because these files may contain secrets, personal data, or agent operational context, undisclosed transmission to another process materially increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script moves memory files out of their original location automatically after archiving, which is a destructive filesystem change that can affect agent behavior, auditability, and recovery if users did not expect it. In a memory-management skill this behavior is contextually relevant, but the lack of explicit confirmation, backup verification, or transactional rollback still makes it risky.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Add to crontab - runs daily at 2 AM
crontab -e

# Add this line:
0 2 * * * /usr/bin/python3 ~/.openclaw/skills/tiered-memory/scripts/memory_archiver.py --days 14 >> ~/.openclaw/workspace/memory/archive.log 2>&1
```
Confidence
90% confidence
Finding
crontab -e

Session Persistence

Medium
Category
Rogue Agent
Content
```sql
-- Archived sessions with summaries
CREATE TABLE archived_sessions (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    source_file TEXT NOT NULL,
    session_date DATE NOT NULL,
```
Confidence
87% confidence
Finding
CREATE TABLE archived_sessions ( id INTEGER PRIMARY KEY AUTOINCREMENT, source_file TEXT NOT NULL, session_date DATE NOT NULL, summary TEXT NOT NULL, key_facts TEXT, -- JSON ar

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Add to crontab
crontab -e

# Add this line for daily 2 AM archive
0 2 * * * /usr/bin/python3 ~/.openclaw/skills/tiered-memory/scripts/memory_archiver.py --days 14 >> ~/.openclaw/workspace/memory/archive.log 2>&1
```
Confidence
87% confidence
Finding
crontab -e

External Script Fetching

High
Category
Supply Chain
Content
```bash
# For LLM-powered summarization
curl -fsSL https://ollama.com/install.sh | sh
ollama pull qwen2.5-coder:14b
```
Confidence
98% confidence
Finding
curl -fsSL https://ollama.com/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# For LLM-powered summarization
curl -fsSL https://ollama.com/install.sh | sh
ollama pull qwen2.5-coder:14b
```
Confidence
99% confidence
Finding
| sh

VirusTotal

64/64 vendors flagged this skill as clean.
