Security audit

OpenClaw Dream

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed OpenClaw memory-cleanup skill, but it can change persistent agent memory and should be used with review before enabling automation.

Before installing, understand that this skill can rewrite MEMORY.md and affect future agent behavior. Run it manually first, review the generated dream log and file diffs, back up important memory files, and only enable cron after deciding whether daily notes should remain append-only.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (6)

Intent-Code Divergence

High

Confidence: 95% confidence
Finding: The skill contains contradictory instructions: earlier phases say old daily notes may be edited to absolutize dates or mark superseded entries, while the safety rules say daily note files must never be modified. This inconsistency is dangerous because an agent may choose the more destructive interpretation and silently rewrite historical notes, undermining auditability and user trust.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The manual trigger phrase "dream" is a common natural-language word and can easily appear in ordinary conversation, creative writing, or unrelated user requests. In an agent skill that performs file-modifying memory consolidation, this increases the chance of accidental invocation and unintended edits to MEMORY.md or related maintenance actions.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill is explicitly designed to run automatically via cron/heartbeat and to rewrite memory artifacts, but the description does not clearly warn users that unattended execution will modify files. Automatic background modification of user-maintained memory can cause unexpected data changes, loss of provenance, and difficult-to-review edits if enabled without informed consent.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The cron/heartbeat guidance encourages unattended periodic writes to MEMORY.md, dream logs, and timestamp files without a strong safety gate, confirmation flow, or prominent user warning. In context, the skill operates on persistent user data, so automatic execution increases the risk of silent corruption, over-aggressive consolidation, or repeated undesirable edits.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The design specifies broad natural-language manual triggers such as 'dream', 'clean up memory', and similar phrases that can plausibly appear in ordinary conversation. In an agent environment, this can cause unintended invocation of a destructive maintenance workflow, especially because the workflow is designed to rewrite and delete memory content automatically.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The design explicitly includes automatic rewriting, merging, downgrading, and deletion of memory entries, but does not require a user-facing warning, approval gate, or default dry-run before modifying persistent state. Because memory influences future agent behavior, unintended or overaggressive consolidation can silently remove important safety, preference, or operational context and create hard-to-audit integrity loss.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.