Lily Memory Plugin

Security checks across malware telemetry and agentic risk

Overview

This memory skill mostly does what it says, but it can automatically alter OpenClaw session files on startup without a clear opt-in or prominent disclosure.

Install only if you want durable agent memory and are comfortable with automatic recall into future prompts. Before enabling, review the session auto-reset behavior, keep Ollama pointed at a trusted local endpoint or disable vectorSearch, consider disabling autoCapture for sensitive work, and avoid running the live-db smoke tests against real personal memory data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill advertises persistent memory features that inherently require filesystem access and optional network access to Ollama, but the manifest does not clearly declare those capabilities or warn about them. Undeclared network and shell-capable behavior reduces operator visibility and can bypass expected trust boundaries, especially for an agent plugin that auto-processes conversation content.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented purpose is memory storage and retrieval, but the skill also reads and modifies session metadata, resets session state, creates backup/alert files, and exposes security logging behavior outside the described memory database scope. Hidden or underdocumented modification of agent session state is dangerous because it can alter execution context, destroy state integrity, and create persistence or tampering channels beyond what an operator consented to.

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The module reads agent-wide session metadata from a fixed path in the user's home directory, estimates token usage from referenced session files, and automatically renames and clears session state when a threshold is exceeded. Even if intended as maintenance, this exceeds a memory plugin's stated scope and gives the skill the ability to alter other agent session state without user approval, creating integrity and availability risk through unexpected session resets or loss of active context.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The README advertises automatic capture of conversation content and automatic reinjection of stored memories, but it does not clearly warn users that potentially sensitive prompts, responses, and derived facts may be persisted across sessions. In a memory plugin, silent persistence changes the trust boundary and can expose secrets, personal data, or prior conversation content to later prompts, users, or tools without informed consent.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The semantic search documentation describes Ollama-based embedding of query or memory content without clearly warning that conversation-derived text may be transmitted to an embedding service endpoint configured by ollamaUrl. Even if intended for localhost, the setting is configurable and could point to a remote service, creating an unannounced data disclosure path for sensitive memory contents.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The skill prominently describes auto-recall and auto-capture, but it does not clearly warn users that conversation content may be automatically extracted and stored in persistent memory across sessions. In a memory plugin, silent retention of potentially sensitive prompts, secrets, or personal data materially increases privacy and data retention risk.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The documentation mentions optional Ollama semantic search but does not clearly state that memory text may be sent over HTTP to an embedding endpoint for processing. Even if Ollama is local by default, this still expands the data exposure surface and may become remote if the URL is changed or forwarded.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: When vector search is enabled, the plugin contacts an Ollama service and may backfill embeddings for existing memory entries, but this file provides no consent gate, disclosure, or clear indication to users that persistent memory content may be transmitted over HTTP to another service. In a memory plugin, stored data can include sensitive conversation-derived facts, so silent network transmission increases privacy and data-handling risk even if the default target is localhost.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The memory_store tool sends stored fact content to the embedding service via storeEmbedding after persistence, meaning user-supplied memory values are transmitted off the local database path without explicit disclosure in the tool behavior. Because this tool is meant to hold durable facts, it can easily contain personal, operational, or secret data that should not be forwarded to an external or even separate local service silently.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: Auto-captured conversation content is converted into new memory items and then batch-sent to the embedding service, which can expose excerpts derived from chat messages without users realizing their conversation content is being forwarded for semantic indexing. In this skill's context, auto-capture materially increases danger because sensitive prompts, preferences, system details, and other durable memories may be transmitted automatically and repeatedly.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The code unconditionally wraps and returns a persistent memory block marked as auto-injected, but it does not provide a clear user-consent or disclosure mechanism before potentially sensitive stored memories are inserted into model context. In a memory plugin, this increases the chance that prior personal data, preferences, or other retained facts are exposed to downstream prompts, tools, logs, or model providers without the user's awareness.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The security logger persists `fact_value` and `source_snippet`, both derived from potentially untrusted user/tool/web content, into the database with only length truncation and no masking, minimization, or consent boundary. In a memory plugin, those fields can easily contain secrets, personal data, prompt content, or other sensitive material, so a later DB read, backup, crash report, or compromise would expose data that did not need to be retained in full for auditing.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The code performs automatic backup-and-reset of session files and deletes session bookkeeping fields without any confirmation, dry-run mode, or clear operator warning. This can abruptly invalidate running sessions and erase continuity, which is dangerous in a plugin context because it silently changes agent state outside the user's immediate control.

Missing User Warnings
Severity: Medium
Confidence: 86%
Finding: The harness creates, modifies, inserts into, and deletes from a persistent database in ~/.openclaw/memory rather than using an isolated temporary test database. In a memory plugin context, that can corrupt or pollute real agent state, trigger unexpected side effects via triggers/FTS tables, and cause silent integrity or privacy issues for the user's long-lived data.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: This smoke test is explicitly designed to run against a LIVE database and performs queries against a hard-coded user database path, including validation of real contents and a final integrity check. Although most writes are directed to a temporary smoke database, the test still operates on production-like state without strong safeguards, and the header warning is not sufficient protection at the operation site; this creates real risk of accidental misuse, privacy exposure, or future drift into destructive live-db writes.

VirusTotal

66/66 vendors flagged this skill as clean.
