Back to skill

Security audit

Notnative

Security checks across malware telemetry and agentic risk

Overview

This skill is a real NotNative integration, but it asks for broad permanent memory and code-execution powers without enough user control.

Install only if you intentionally want NotNative to keep long-term user memory and you trust the connected server. Prefer a local or authenticated TLS endpoint, avoid plain remote ws://, review or remove the automatic memory instructions, and treat run-python and generic MCP calls as powerful operations that can execute code or affect data in the NotNative environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • YARA SignaturesMalware Match, Webshell Match, Cryptominer Match
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises shell and environment-dependent behavior through `node scripts/mcp-client.js ...` commands and WebSocket configuration, but does not declare corresponding permissions. Undeclared execution capability reduces transparency and can cause an agent framework to expose shell/env access unexpectedly, increasing the chance of unsafe command execution or access to local configuration.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The generic `call` command lets a user invoke any MCP tool name with arbitrary JSON arguments, bypassing the skill's advertised scope of notes/calendar/tasks/memory and any safety assumptions built into the named subcommands. In this skill context, that is particularly risky because the server also exposes powerful capabilities such as Python execution and potentially other undisclosed tools, turning the client into a broad capability passthrough.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The help text states that `search` searches notes, but the later duplicate `case 'search'` routes it to `memory_search` instead, creating a mismatch between user expectation and actual data accessed. In a persistent-memory skill, this can expose or operate on sensitive remembered information when a user believed they were only querying notes.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill makes persistent storage of user information mandatory across conversations without requiring consent, data minimization, retention limits, or user review. This creates a privacy and compliance risk because personal or sensitive data may be stored by default and later retrieved or exposed beyond the user's expectations.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill explicitly tells the agent to immediately store personal details such as name, allergies, hobbies, and work context, which can include sensitive information. Storing this indiscriminately without warning, consent, or classification safeguards increases the likelihood of collecting sensitive data that should not be retained permanently.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The installer silently writes configuration to `.config/env` and appends an environment export to the user's `.bashrc` without explicit consent. Modifying shell startup files creates persistence and can unexpectedly change future shell behavior, which is risky especially because the configured WebSocket endpoint may point to a remote service.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The `forget` command performs destructive deletion of memories immediately, with no confirmation prompt, dry-run, or visibility into what will be removed. Because this skill is designed for persistent memory across conversations, accidental or socially engineered deletion can cause irreversible loss of important stored context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The `run-python` command exposes arbitrary code execution through the connected MCP server without any built-in warning, restriction, or consent checkpoint. In this skill context, where the server may be local and have access to user data or the host environment, that can lead to code execution, data theft, or system compromise if misused or if the backend is less isolated than expected.

Ssd 3

High
Confidence
98% confidence
Finding
The skill's core instruction is to maintain permanent cross-conversation memory of user facts, creating a built-in long-term data retention risk. In agent contexts, persistent memory can amplify accidental disclosure, prompt-induced exfiltration, or unauthorized reuse of personal context across sessions.

Ssd 3

High
Confidence
99% confidence
Finding
The instruction to save personal information whenever disclosed encourages broad and automatic data collection rather than selective, necessity-based storage. That pattern makes it easier to accumulate sensitive or regulated data and increases harm if the memory backend is queried by other tools, users, or compromised prompts.

Ssd 3

Medium
Confidence
91% confidence
Finding
Mandating memory search at conversation start and framing use as building a long-term relationship normalizes broad reuse of historical personal data. While less severe than forced storage, it still increases the chance of unnecessary profiling, overcollection, and disclosure of stale or irrelevant private context.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"test": "node scripts/mcp-client.js store \"test\""
  },
  "dependencies": {
    "ws": "^8.14.0"
  },
  "keywords": ["openclaw", "skill", "notnative", "memory", "notes"],
  "openclaw": {
Confidence
91% confidence
Finding
"ws": "^8.14.0"

Known Vulnerable Dependency: ws==8.14.0 — 3 advisory(ies): CVE-2024-37890 (ws affected by a DoS when handling a request with many HTTP headers); CVE-2026-45736 (ws: Uninitialized memory disclosure); CVE-2026-48779 (ws: Memory exhaustion DoS from tiny fragments and data chunks)

High
Category
Supply Chain
Confidence
98% confidence
Finding
ws==8.14.0

YARA rule 'agent_skill_prompt_injection_hidden_instructions': Prompt injection or hidden instructions embedded in AI agent skill text [agent_skills]

High
Category
YARA Match
Content
---
name: notnative
description: Use Notnative MCP server for complete AI assistant integration with notes, calendar, tasks, Python, canvas, and permanent memory. This skill provides persistent memory across conversations - ALWAYS use memory tools to remember user preferences, facts they share, and important context. Connects via WebSocket to local or remote Notnative instance.
homepage: https://github.com/k4ditano/notnative-memory
metadata:
  openclaw:
Confidence
84% confidence
Finding
assistant; assistant; ALWAYS follow these rule

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.