Back to skill

Security audit

RetainCraft — FSRS-5 Spaced Repetition AI Learning Tutor

Security checks across malware telemetry and agentic risk

Overview

RetainCraft is a coherent study assistant, but it can create persistent reminder/report jobs using auto-detected OpenClaw session routing data and stores learning history across local files and platform memory.

Install only if you are comfortable with RetainCraft storing study progress in ~/learn and possibly platform memory, using web search for learning content, and creating scheduled OpenClaw reminders/reports. Before enabling reminders, verify the exact channel and recipient, and remove the retaincraft-reminder and retaincraft-weekly-report cron jobs if you do not want ongoing messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if to_target:
        cron_args.extend(["--to", to_target])
    try:
        subprocess.run(cron_args, capture_output=True, text=True, timeout=30)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        pass
Confidence
85% confidence
Finding
subprocess.run(cron_args, capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if to_target:
        cron_args.extend(["--to", to_target])
    try:
        subprocess.run(cron_args, capture_output=True, text=True, timeout=30)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        pass
Confidence
85% confidence
Finding
subprocess.run(cron_args, capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cron_args.extend(["--channel", user_channel, "--to", user_to])

        try:
            result = subprocess.run(cron_args, capture_output=True, text=True, timeout=30)
            if result.returncode == 0:
                print(f"[OK] Learning reminder cron created (daily at {reminder_time}).")
                if user_channel:
Confidence
87% confidence
Finding
result = subprocess.run(cron_args, capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cron_args.extend(["--channel", user_channel, "--to", user_to])

        try:
            result = subprocess.run(cron_args, capture_output=True, text=True, timeout=30)
            if result.returncode == 0:
                print("[OK] Weekly report cron created (Sunday at 20:00).")
            else:
Confidence
87% confidence
Finding
result = subprocess.run(cron_args, capture_output=True, text=True, timeout=30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to perform file reads/writes under ~/learn/, execute Python scripts, and use reminder-related commands, but the frontmatter does not declare explicit permissions in a machine-enforceable way. This mismatch can cause platforms or users to grant broader access than intended or fail to present accurate consent prompts, increasing the risk of unauthorized filesystem or shell actions.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The instruction to update both platform memory and files under ~/learn/ creates duplicate persistence of user learning data across two systems without any minimization, consent, or retention limits. That increases the chance of storing sensitive user goals, weaknesses, schedules, or study history in places the user does not expect, and broadens exposure if either store is later accessed by other skills, sessions, or operators.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code inspects OpenClaw session metadata and extracts both provider/channel and chat IDs to route notifications. In a learning assistant, that creates a privacy and integrity risk because internal session identifiers are treated as trusted routing data, enabling cross-session notification leakage or unintended disclosure of user activity.

Ssd 3

Medium
Confidence
94% confidence
Finding
Persisting user-provided learning data and memory across sessions creates a real data-retention risk because study topics, deadlines, weaknesses, and free-text reflections can contain personal or sensitive information. Natural-language memory is especially risky because it tends to accumulate more context than necessary and may later be surfaced in unrelated interactions.

Ssd 3

Medium
Confidence
96% confidence
Finding
The cross-session memory design instructs the assistant to read prior notes, profile data, and topic files to reconstruct context. Without strict scoping, this can overexpose old user data to future sessions, increase the blast radius of prompt injection from stored notes, and reveal more personal context than is necessary for the current learning task.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.