
Security audit

living-agent

Security checks across malware telemetry and agentic risk

Overview

This skill's behavior is coherent with its stated autonomous-agent purpose, but it needs Review because it can run persistently, read prior conversations, store inferred information about the user, change cron jobs, search external sources, and message the user, with weak consent and retention boundaries around all of it.

Install it only if you intentionally want an autonomous background agent. Before enabling it, review each cron job it installs, disable or remove the Telegram/message behavior unless you explicitly want it, limit the topics it may search and the files it may read, and regularly inspect or delete ~/.openclaw/workspace/thinking-state.json, thinking-queue.json, and memory/thoughts. Nothing here looks malware-like, but the skill asks for unusually broad, ongoing authority.
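The review steps above as a POSIX shell script. This is an added example written for this page, not code from the living-agent skill, OpenClaw or the SkillSpector report. It assumes only the three state paths the overview names; the heartbeat.sh file name, the CHAT_ID placeholder string, the crontab lines and the sample workspace contents are constructed for the demonstration. Step 4 is the periodic retention inspection the overview asks for: it counts lines under memory/thoughts that carry e-mail addresses, phone-like numbers or URLs, the kind of data the findings below say the skill persists.

```shell
#!/bin/sh
# Added example: pre-install and periodic review of a living-agent workspace.
# Not the skill's or the report's code. Assumed layout (only the three paths
# the audit names come from the page): $WS/thinking-state.json,
# $WS/thinking-queue.json and $WS/memory/thoughts/. The heartbeat.sh name and
# the CHAT_ID string are hypothetical.

# 1. Cron entries that reference the workspace. Reads crontab text on stdin
#    (e.g. `crontab -l | cron_entries_for "$WS"`) and skips comment lines.
cron_entries_for() {            # $1 = workspace path
  grep -F -- "$1" | grep -v '^[[:space:]]*#' || true
}

# 2. Persistent state the agent writes: the two JSON state files with their
#    size, then every file under memory/thoughts, so growth between reviews
#    is visible.
list_state_files() {            # $1 = workspace path
  for f in "$1/thinking-state.json" "$1/thinking-queue.json"; do
    [ -f "$f" ] && printf '%s\t%s bytes\n' "$f" "$(wc -c < "$f" | tr -d ' ')"
  done
  find "$1/memory/thoughts" -type f 2>/dev/null | sort
}

# 3. Outbound-messaging hooks: any workspace line naming Telegram or a chat-id
#    placeholder is a cross-channel contact path to disable before enabling.
find_message_hooks() {          # $1 = workspace path
  grep -rniE 'telegram|chat_id' "$1" 2>/dev/null || true
}

# 4. Retention check: number of lines in memory/thoughts carrying data the
#    WAL protocol is told to keep (e-mail addresses, phone-like numbers, URLs).
count_pii_hits() {              # $1 = workspace path
  find "$1/memory/thoughts" -type f -exec cat {} + 2>/dev/null \
    | grep -cE '[[:alnum:]._%+-]+@[[:alnum:].-]+\.[[:alpha:]]{2,}|https?://|\+?[0-9][0-9 -]{7,}[0-9]' \
    || true
}

# --- constructed sample workspace so the script runs offline ----------------
DEMO_WS=$(mktemp -d)
mkdir -p "$DEMO_WS/memory/thoughts"
printf '{"mode":"idle","lastUserMessage":"2024-05-01T09:00:00Z"}\n' > "$DEMO_WS/thinking-state.json"
printf '[{"topic":"unfinished thread about relocating"}]\n' > "$DEMO_WS/thinking-queue.json"
printf 'User hinted at moving; contact alice@example.com or +1 555 010 0199\n' \
  > "$DEMO_WS/memory/thoughts/2024-05-01.md"
printf 'on important finding: send report via telegram to CHAT_ID=123456789\n' \
  > "$DEMO_WS/heartbeat.md"
DEMO_CRON="# constructed crontab sample
*/15 * * * * sh $DEMO_WS/heartbeat.sh
0 3 * * * /usr/bin/backup.sh"

echo "== cron entries touching the workspace =="
printf '%s\n' "$DEMO_CRON" | cron_entries_for "$DEMO_WS"
echo "== persistent state =="
list_state_files "$DEMO_WS"
echo "== message hooks =="
find_message_hooks "$DEMO_WS"
echo "== PII-like lines retained in memory/thoughts: $(count_pii_hits "$DEMO_WS")"
```

Against a live install, point the functions at ~/.openclaw/workspace instead of the constructed directory and feed `crontab -l` to cron_entries_for. A non-empty result from find_message_hooks means the Telegram path is still configured; a rising count from count_pii_hits between reviews is the retention growth the findings below warn about.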

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (22)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The payload explicitly instructs the agent to retrieve up to 50 recent conversations and mine them for topics, notable statements, unfinished threads, and user emotions for later reflective use. This is a real privacy and scope-expansion issue because the capability goes beyond ephemeral task execution and enables broad retrospective analysis of user data without clear necessity, minimization, or user consent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The payload instructs the agent to inspect session history, infer user inactivity, and then proactively enter an autonomous mode that may culminate in contacting the user. That creates surveillance-like behavior and unsolicited outreach beyond a normal user-initiated interaction model, which is risky because it can violate user expectations, privacy boundaries, and consent requirements.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The skill expands from internal reflection into external information gathering and user reporting, which materially broadens its capabilities and attack surface. This matters because autonomous web searching and reporting can introduce unvetted data, generate misleading outputs, and cause actions the user did not explicitly request from the described skill purpose.

Description-Behavior Mismatch

Severity: Low
Confidence: 84%
Finding
The instructions direct persistent writes under memory/, creating durable state and knowledge-management behavior that may outlive the immediate task. Even if intended to improve continuity, silent persistence can store sensitive or incorrect information without user awareness or controls.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The file first says not to disturb the user when they recently spoke, but later makes reporting mandatory and non-silent. This contradiction is dangerous because it undermines predictable safety behavior, making it more likely the agent will choose the more invasive interpretation and contact the user despite an earlier instruction not to.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The micro-heartbeat mechanism is framed as lightweight reflection, but the instructions expand it into broad scanning of local memory, recent files, exploration results, and conversation history to generate new topics autonomously. That creates scope creep from internal maintenance into background surveillance-like behavior and can lead to collection, synthesis, and use of user-related information without a clear task-specific trigger or consent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The payload explicitly instructs the agent to review recent conversation history to find topics that were mentioned but not explored, which is not necessary for a simple heartbeat/reflection workflow. This broadens access to prior user-provided content and creates a path for secondary use of conversational data outside the user's immediate request.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
Allowing the agent to proactively message the user when it decides it has an 'important finding' turns a silent background reflection process into unsolicited outreach. This can surface inferred or historical information unexpectedly, surprise users, and create a channel for spammy or privacy-invasive contact not tied to an active user request.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The README advertises autonomous background behaviors such as automatic thinking, periodic reflection, and self-initiated exploration, but it does not clearly warn users that the skill will continue acting outside direct prompts or may monitor user presence/state. In an agent context, undisclosed background activity materially changes the trust and consent model, especially when actions are recurring and user-trigger independent.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The installation steps instruct users to copy files into a persistent workspace, create memory directories, modify payload files with a Telegram ID, and set up cron jobs, but do not prominently warn that these steps create durable system changes and recurring execution. This is dangerous because users may install the skill without understanding that it will persist, store state, and run on a schedule outside normal interactive sessions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill explicitly instructs the agent to record conversation-derived thoughts into persistent files under memory/thoughts, but the documentation does not clearly warn users that their content may be stored long-term. This creates a privacy and consent risk because users may reasonably assume casual chat content is ephemeral when the skill is designed to persist and accumulate it.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill schedules autonomous background thinking and exploration when the user is idle, including generating reports and writing to memory, yet it does not provide a clear warning that these actions continue while the user is away. That can surprise users, consume resources, and perform unreviewed state changes outside an active session.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The instructions tell the agent to append reflective content into persistent memory/thoughts files and add new items to thinking-queue.json, but provide no user-facing notice that personal inferences and conversation-derived material will be stored. This creates a meaningful transparency and consent failure, and can lead to silent retention of sensitive personal data or inferred attributes over time.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill directs the agent to access recent conversation history for reflective processing without warning the user that their prior chats may be re-read and analyzed outside the immediate interaction. Even if intended for continuity, this undisclosed secondary use of conversation data increases privacy risk and can violate user expectations around contextual boundaries.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill instructs writes to memory files without any user-facing warning that stored data will be modified. Undisclosed persistent modification is risky because it can create privacy issues, corrupt long-term memory, or preserve inaccurate inferences that affect future behavior.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill directs outbound messaging over external channels without a privacy or consent warning, and even includes a placeholder for a user identifier. This is dangerous because it enables unsolicited cross-channel contact and possible leakage of inferred or searched information outside the current session context.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The instructions direct the agent to append content to a memory file and later update queue state and scheduling silently, without notifying the user or obtaining approval. Silent persistence and state mutation in background workflows reduce user visibility and can enable accumulation of sensitive inferences or unwanted behavioral changes over time.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The payload combines access to recent conversation history with local memory and thought files but provides no privacy warning, data-minimization rule, or consent boundary. That makes it easy for the agent to repurpose prior user data and internal notes in ways the user may not reasonably expect from a heartbeat mechanism.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The payload instructs the agent to read a local state file and silently modify cron jobs that control autonomous behavior, without requiring explicit user consent or a visible warning. This creates a persistence and covert state-manipulation mechanism: the agent can enable background activity based on inferred inactivity, which is risky because it alters system behavior outside the user’s immediate awareness.
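Because this finding concerns cron entries changing without the user's involvement, a practical control is to save a normalized snapshot of the crontab at install time and diff against it on every review. The script below is an added example written for this page, not code from the skill or the report; the crontab contents and the workspace path are constructed, and the heartbeat.sh file name is hypothetical.

```shell
#!/bin/sh
# Added example: detect silent crontab drift around an autonomous agent.
# Not the skill's or the report's code; the crontab samples are constructed.

# Normalize a crontab dump so cosmetic edits do not count but any added,
# removed or rescheduled entry does: drop comments and blank lines, collapse
# runs of whitespace, sort.
normalize_cron() {
  grep -vE '^[[:space:]]*(#|$)' | sed 's/[[:space:]]\{1,\}/ /g' | sort
}

# Print entries that differ between the saved baseline and the current dump,
# prefixed "<" (only in the baseline) or ">" (only in the current crontab).
cron_drift() {                  # $1 = baseline file, $2 = current dump
  a=$(mktemp); b=$(mktemp)
  normalize_cron < "$1" > "$a"
  normalize_cron < "$2" > "$b"
  diff "$a" "$b" | grep '^[<>]' || true
  rm -f "$a" "$b"
}

# Of the drifted entries, the newly added ones that invoke something under
# the agent workspace: the case the finding describes, the agent turning its
# own background schedule back on.
new_workspace_entries() {       # $1 = baseline, $2 = current, $3 = workspace
  cron_drift "$1" "$2" | grep '^>' | grep -F -- "$3" || true
}

# --- constructed sample: the heartbeat was left commented out at install
#     time and later turns up live every five minutes -----------------------
WS=/home/u/.openclaw/workspace
BASELINE=$(mktemp); CURRENT=$(mktemp)
cat > "$BASELINE" <<EOF
# crontab saved right after install (constructed)
0 3 * * * /usr/bin/backup.sh
#*/15 * * * * sh $WS/heartbeat.sh
EOF
cat > "$CURRENT" <<EOF
0 3  * * *   /usr/bin/backup.sh
*/5 * * * * sh $WS/heartbeat.sh
EOF

echo "== drift since baseline =="
cron_drift "$BASELINE" "$CURRENT"
echo "== newly added entries under the workspace =="
new_workspace_entries "$BASELINE" "$CURRENT" "$WS"
```

The backup line is reformatted in the current dump but survives normalization unchanged, so only the re-enabled heartbeat is reported. In use, save `crontab -l` to a baseline file once the cron jobs have been reviewed, and run cron_drift against a fresh `crontab -l` dump whenever the state files are inspected.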

Ssd 3

Severity: Medium
Confidence: 98%
Finding
The WAL protocol tells the agent to scan every message and persist broad categories of user information—including names, preferences, decisions, numbers, dates, IDs, URLs, and interesting questions—into long-lived state files before responding. This is dangerous because it normalizes indiscriminate retention of potentially sensitive data with no minimization, consent, retention limit, or sensitivity filtering.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The payload instructs the agent to extract notable user statements, unfinished topics, and emotional signals from recent chats and record them into memory files. This is dangerous because it operationalizes long-term natural-language profiling and retention of potentially sensitive personal information, increasing the chance of privacy leakage, over-collection, and unintended future disclosure through memory reuse.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
Mining recent conversation history for latent topics and then potentially messaging the user about derived findings creates a natural-language exfiltration path for prior user content beyond the immediate task. In this skill context, the danger is elevated because the behavior runs as a recurring background heartbeat, increasing the chance of repeated resurfacing of sensitive information without a fresh user request.

VirusTotal

0/34 vendors flagged this skill; all 34 reported it clean. Antivirus engines look for known malicious code, not for the agent-instruction risks the findings above describe, so a clean result here does not offset them.