Security audit

Holistic Memory System v5 [BETA]

Security checks across malware telemetry and agentic risk

Overview

This is a real memory-system skill, but it needs review because it can create long-running host jobs and persist or sync user memory with weak privacy controls.

Install only if you explicitly want an always-on memory layer. Before running it, review the cron entries, avoid the `install` cron command and the @reboot startup entry unless you need them, keep Syncthing/SSH sharing disabled until peers and folders are trusted, and define what data may be logged, retained, deleted, or excluded from memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (33)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        elif cmd not in crontab_new:
            crontab_new += cmd + "\n"

    subprocess.run(["crontab", "-"], input=crontab_new, text=True)
    return True

def handle_memory_event(event: str):
Confidence
96% confidence
Finding
subprocess.run(["crontab", "-"], input=crontab_new, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def handle_memory_event(event: str):
    """Handle memory system events triggered by cron/system"""
    if event == "__ezekiel_nebula_decay__":
        result = subprocess.run(
            ["python3", str(SCRIPTS_DIR / "ezekiel_nebula.py"), "decay"],
            capture_output=True, text=True
        )
Confidence
83% confidence
Finding
result = subprocess.run( ["python3", str(SCRIPTS_DIR / "ezekiel_nebula.py"), "decay"], capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return {"event": event, "result": result.stdout.strip() or "decay applied"}
    
    elif event == "__ezekiel_crystallize__":
        result = subprocess.run(
            ["python3", str(SCRIPTS_DIR / "ezekiel_crystallizer.py"), "crystallize"],
            capture_output=True, text=True
        )
Confidence
83% confidence
Finding
result = subprocess.run( ["python3", str(SCRIPTS_DIR / "ezekiel_crystallizer.py"), "crystallize"], capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return {"event": event, "result": result.stdout.strip() or "crystallization complete"}
    
    elif event == "__ezekiel_health_check__":
        result = subprocess.run(
            ["python3", str(SCRIPTS_DIR / "ezekiel_health_check.py")],
            capture_output=True, text=True
        )
Confidence
81% confidence
Finding
result = subprocess.run( ["python3", str(SCRIPTS_DIR / "ezekiel_health_check.py")], capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return {"event": event, "result": "health check completed"}
    
    elif event == "__ezekiel_log_check__":
        result = subprocess.run(
            ["python3", str(SCRIPTS_DIR / "ezekiel_log.py"), "query"],
            capture_output=True, text=True
        )
Confidence
80% confidence
Finding
result = subprocess.run( ["python3", str(SCRIPTS_DIR / "ezekiel_log.py"), "query"], capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def check_openclaw_memory():
    """Check OpenClaw memory index status"""
    try:
        result = subprocess.run(
            ["openclaw", "memory", "index"],
            capture_output=True, text=True, timeout=10
        )
Confidence
88% confidence
Finding
result = subprocess.run( ["openclaw", "memory", "index"], capture_output=True, text=True, timeout=10 )

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The document presents the skill as a local personal memory system, but it explicitly describes federation of learned data to other agents via Syncthing and use of shared knowledge stores. That mismatch is security-relevant because operators may grant the skill access under a narrower trust model than its actual data-sharing behavior warrants.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The report documents persistent cron jobs and a boot-time startup hook, but the skill is described primarily as a memory system rather than software that installs ongoing autonomous execution. Hidden persistence increases risk because it creates long-lived behavior that continues after the original invocation and can silently collect, process, or transmit data over time.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Cross-agent Syncthing federation is broader than what a personal memory skill would typically need, and the report does not explain strong necessity, boundaries, or trust assumptions for that sharing. Unjustified federation expands the attack surface and can enable unintended propagation of sensitive memory content across multiple agents and systems.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill installs and modifies system crontab entries, which is a host persistence mechanism. That is a sensitive capability not clearly required by the stated purpose of a memory system, and it creates ongoing autonomous execution that can survive beyond a single agent session.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The cron entries execute multiple local Python scripts and a startup shell script, giving the skill a general code-execution and boot-persistence mechanism. This significantly exceeds simple memory storage behavior and would let any compromise of those files become recurring host-level execution.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
A script presented as a health monitor should not perform side-effecting maintenance actions, yet this function executes a memory indexing command. In an autonomous agent environment, that mismatch is risky because operators may schedule or trust the script as a harmless check, while it can trigger additional processing, data ingestion, or network/API activity unexpectedly.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The top-level description claims the script only ensures layers are operational, but the implementation creates directories, writes a report file, and may trigger indexing. This documentation-to-behavior mismatch can cause unsafe deployment decisions because users may run or schedule the script under the assumption that it is non-invasive.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow describes automatic logging, indexing, vectorization, crystallization, and Syncthing sharing of message-derived content without any explicit warning, consent model, retention notice, or privacy safeguards. This is dangerous because ordinary interaction content may be persistently stored and redistributed, creating confidentiality, compliance, and data-governance risks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly promotes sharing memory facts via SSH/Syncthing, which can include user-derived or sensitive data, but provides no privacy notice, consent model, data classification guidance, or security requirements. In a memory system designed for persistent cross-agent synchronization, this omission meaningfully increases the risk of unintended disclosure and over-sharing.

Missing User Warnings

High
Confidence
98% confidence
Finding
This section explicitly instructs the system to log everything in raw JSONL and store it on persistent 'cold' storage, with no minimization, consent, retention limit, or handling guidance for sensitive data. In an agent memory skill, that creates a real privacy and data-exposure risk because user prompts, preferences, secrets, and identifiers may be retained indefinitely and later retrieved or leaked.

Missing User Warnings

High
Confidence
99% confidence
Finding
The design states that information should never be deleted and that latent details remain available for future resonance, which operationally encourages indefinite retention of personal data. In the context of a long-term autonomous memory system, this materially increases the chance of privacy violations, inappropriate resurfacing of sensitive history, and regulatory noncompliance.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The anticipation section describes proactive inference from behavioral patterns without any warning, boundary, or opt-in for profiling. This is dangerous because it normalizes covert behavioral analysis and can lead the agent to infer preferences, routines, or sensitive traits beyond what the user intended to disclose for immediate use.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The blueprint explicitly states that everything should be recorded in cold storage forever, which creates a persistent privacy and retention risk. In an agent memory system, storing all interactions indefinitely without notice, minimization, consent, or deletion controls can expose sensitive personal or operational data long after the original interaction.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The reset procedure allows complete context clearing and selective reinjection, which can silently alter what the agent remembers during an active interaction. While this is primarily a reliability and transparency issue, it becomes security-relevant if important safety constraints, user instructions, or clarifications are dropped without warning.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The script writes a marker/config file under the user's home directory without an explicit warning or confirmation. This is a transparency and consent issue rather than a direct exploit, but it contributes to stealthy persistence and can surprise users about what state the skill creates.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script modifies the user's crontab and schedules recurring and boot-time execution without a clear user-facing warning. Hidden or poorly disclosed persistence is dangerous because it can keep running code after the user believes the skill is inactive.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The function persists arbitrary interaction content and tags to a predictable file under the user's home directory, but the code and CLI usage provide no disclosure that supplied content will be written to disk. In an autonomous memory skill, inputs may contain prompts, secrets, personal data, or API-derived content, so silent persistence increases privacy and data-retention risk and can expose sensitive information to other local processes, backups, or later exfiltration.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script persists user-supplied intent/content/tags into ~/.openclaw/nebula/nebula.json without any consent flow, retention controls, or sensitivity filtering. In a memory-system skill, this is more dangerous because agents may store prompts, secrets, personal data, or task context long-term, creating privacy leakage and local data exposure risks if the host is shared or later compromised.

Ssd 3

Medium
Confidence
92% confidence
Finding
The document instructs persistent logging and federated sharing of message-derived data without any minimization rules, sensitivity classification, or restrictions on what may be stored. In context, this makes the memory system more dangerous because it is designed to absorb conversational content continuously, increasing the chance of capturing secrets, credentials, or personal data and distributing them onward.

VirusTotal

67/67 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.