OpenClaw Advanced Memory

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local memory skill, but it enables always-on transcript capture and long-term searchable retention with limited user control or safeguards.

Install only if you intentionally want always-on local memory over OpenClaw conversations. Before enabling it, restrict Redis and Qdrant to trusted local access, review the systemd and cron changes, decide which sessions or channels should be captured, add redaction for secrets and personal data, and define a way to delete or disable warm and cold memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (13)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The README clearly promotes persistent capture, storage, and recall of user conversations without any prominent privacy warning, consent guidance, or retention-risk disclosure. In an agent skill, this creates a real privacy/security issue because operators may enable broad transcript collection and long-term storage of sensitive user, business, or credential-adjacent data by default.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill explicitly describes persistent multi-tier memory, including nightly extraction of long-term 'gems' stored forever, but it does not present a clear user-facing warning about ongoing capture, processing, retention periods, or indefinite storage. This can cause users to disclose sensitive information under the false assumption of ephemeral chat behavior, creating privacy, consent, and data-governance risk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The setup instructions mention running an installer, but the warning that it installs a systemd service and cron jobs appears only afterward and is not presented as a clear pre-installation disclosure. Users may execute the installer without realizing it creates continuously running and scheduled background processes that monitor transcripts and process data automatically.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The prompt explicitly instructs the agent to extract and retain long-term memory about people, including contacts, relationships, preferences, and business/customer events, but provides no privacy notice, consent boundary, minimization rule for personal data, or sensitivity exclusions. In a memory-curation context this increases the chance of silently persisting personal or sensitive information from conversations beyond user expectations, creating privacy, compliance, and downstream misuse risks.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The installer makes persistent changes to the user's environment by installing and starting a systemd user service, modifying crontab, and creating executable helper scripts without any explicit confirmation, dry-run mode, or uninstall guidance. Even if intended for legitimate setup, silently establishing persistence increases risk because users may not realize background tasks will continue running and can process data or execute code after installation.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The script continuously ingests conversation transcript content and pushes it into Redis without any consent check, privacy notice, or runtime warning that user messages are being buffered elsewhere. Because transcripts may contain secrets, personal data, or cross-context conversations, silently replicating them to a central store increases the chance of unauthorized retention, access, and secondary use.

Natural-Language Policy Violations

Severity: Medium
Confidence: 93%
Finding:
The code is explicitly designed to monitor all active OpenClaw session transcripts from a hard-coded session directory and aggregate their contents into Redis. In this skill context, that broad collection behavior is more dangerous because it can capture unrelated conversations across channels such as main, slack, discord, and cron without scoping, segregation, or user approval, creating a cross-context surveillance and data leakage risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script sends full warm-memory conversation transcripts to an LLM service over HTTP without any consent, disclosure, or minimization controls in this file. Even though the endpoint is configured as localhost, this still constitutes external processing of potentially sensitive memory data and becomes riskier if Ollama is exposed, proxied, logged, or reconfigured to a non-local host.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The script automatically deletes warm memories older than 7 days as part of routine execution, which is a destructive operation with no confirmation, backup, dry-run mode, or visible disclosure in this file. Misconfiguration, clock issues, or operator misunderstanding could cause unintended data loss, especially because the job runs unattended via cron.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The script returns memory records that can include sensitive fields such as people, session_id, channel, context, and free-text content, and exposes them directly via terminal and JSON output with no access control, redaction, or privacy notice. In a memory-recall tool, broad search over personal or organizational history can enable unintended disclosure of sensitive internal information to anyone who can run the script.

Ssd 3

Severity: Medium
Confidence: 97%
Finding:
This skill is designed to persistently capture full conversation content for later search and summarization, which can include secrets, personal data, internal decisions, and regulated information. Even if intended as a memory feature, broad transcript retention materially increases the blast radius of any compromise and can violate least-collection and data-minimization principles.

Ssd 3

Severity: Medium
Confidence: 96%
Finding:
The curation stage explicitly instructs an LLM to extract and permanently store people information, business details, decisions, and lessons from conversations. That turns transient chat into durable structured intelligence, making sensitive personal and organizational knowledge easier to search, aggregate, exfiltrate, and misuse.

Ssd 3

Severity: Medium
Confidence: 94%
Finding:
The examples and schema normalize storing named individuals, relationships, preferences, and project/business context as searchable long-term memory. This increases danger because it operationalizes profiling and cross-session aggregation, which can expose private attributes and strategic business context well beyond the original conversational context.

VirusTotal

63/63 vendors flagged this skill as clean.
