Back to skill

Security audit

knowledge-vault

Security checks across malware telemetry and agentic risk

Overview

This memory skill is not shown to be malicious, but it stores and sends potentially private long-term memory through remote services with too little user control and disclosure.

Install only if you are comfortable with long-term memory being stored in TiDB and embedded through Gemini. Use dedicated, least-privilege database credentials, avoid storing highly sensitive personal or business data, check or remove ~/.openclaw_knowledge_vault_dsn if needed, and require explicit confirmation before auto-provisioning or saving memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill declares required binaries and sensitive environment variables and describes local file caching and shell-based execution, but it does not declare explicit permissions for those capabilities. This weakens the trust boundary for the agent/operator because the skill can access secrets, read/write local files, and invoke external commands without a clear permission contract.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill silently provisions a remote TiDB instance, which exceeds what many users would reasonably expect from a local long-term memory component. This expands the attack surface and can cause unreviewed outbound network activity and storage of potentially sensitive memory data on third-party infrastructure.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The manifest frames the skill as TiDB-backed memory storage, but the implementation also sends all content and queries to Google's Gemini embedding API. This hidden dependency materially changes the trust boundary and can expose sensitive memory data to an undisclosed third party.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The code comment claims SSL hostname verification is enabled, but the pymysql connection does not configure SSL at all. If the DSN points to a remote host, credentials and stored memory content may be exposed to interception or man-in-the-middle attacks.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger condition is overly broad: 'when the user shares important context' or asks a question requiring recall can easily overlap with normal conversation. This can cause the agent to store or retrieve memory too eagerly, increasing the chance of persisting sensitive user data without clear consent and creating unintended data exposure through later recalls.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly supports storing long-term memory, including example personal preference and allergy data, and also states that connection details may be cached locally. Failing to warn users about sensitive-data retention and local secret caching can lead to unintended collection of personal data and exposure of database credentials on shared or compromised systems.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The skill consumes database credentials from environment variables and immediately uses them for remote access without clear disclosure to the user. In an agent setting, this can cause sensitive infrastructure credentials to be used implicitly and outside user expectations.

Missing User Warnings

High
Confidence
97% confidence
Finding
User-provided content and search queries are transmitted to an external embedding API, which may include sensitive long-term memory data. Because this transfer is not clearly disclosed or gated by consent, the skill can unintentionally exfiltrate private information to a third party.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill auto-provisions a remote TiDB instance with only a terse stderr message, so users may not realize new remote infrastructure is being created and used. This can expose stored memory to third-party hosting and create compliance, privacy, and cost risks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The DSN is written to a file in the user's home directory and may contain plaintext database credentials. If file permissions are too broad or the host is shared, those credentials can be stolen and used to access or tamper with stored memory data.

Session Persistence

Medium
Category
Rogue Agent
Content
### 🔐 Security & Provisioning
This skill operates in two modes:
1.  **Bring Your Own Database (Recommended):** Set `TIDB_HOST`, `TIDB_USER`, `TIDB_PASSWORD` environment variables. The skill will use your existing database.
2.  **Auto-Provisioning (Fallback):** If no credentials are found, the skill calls the **TiDB Zero API** to create a temporary, ephemeral database for you. It caches the connection string locally (`~/.openclaw_knowledge_vault_dsn`) to persist memory across runs.

## Installation
Confidence
94% confidence
Finding
create a temporary, ephemeral database for you. It caches the connection string locally (`~/.openclaw_knowledge_vault_dsn

Unpinned Dependencies

Low
Category
Supply Chain
Content
pymysql
google-genai
Confidence
98% confidence
Finding
pymysql

Unpinned Dependencies

Low
Category
Supply Chain
Content
pymysql
google-genai
Confidence
94% confidence
Finding
google-genai

Known Vulnerable Dependency: pymysql — 1 advisory(ies): CVE-2024-36039 (PyMySQL SQL Injection vulnerability)

Critical
Category
Supply Chain
Confidence
99% confidence
Finding
pymysql

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal