Security audit

Lingxi-MindVault - Auto Memory Extraction for OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about being a Feishu memory extractor, but it needs Review because it can repeatedly read private OpenClaw chat logs and store extracted content in Feishu.

Install only if you intentionally want automated background extraction from OpenClaw chats into Feishu. Use Feishu resources you control, verify every environment variable, protect workspace/.env, review the cron entries, and avoid using it on chats containing secrets or regulated data. Static scan was clean and VirusTotal was pending; this Review verdict is based on broad persistent handling of private chat history, not malware evidence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Medium (91% confidence)
The documentation is internally inconsistent about whether missing environment variables cause immediate failure or whether defaults will be used. For a skill that reads private session files and writes to external knowledge bases, this ambiguity can cause users to run it under unintended destinations or trust incorrect safety assumptions.

Intent-Code Divergence

Medium (94% confidence)
The skill claims there is no hardcoded sensitive configuration, yet later states that a default configuration exists for the author's memory space. In a tool that exports conversation-derived data to Feishu, hidden defaults could route user data into resources not controlled by the user, creating a serious confidentiality risk.

Missing User Warnings

Medium (92% confidence)
The script sends session-derived identifiers to a Feishu target via `openclaw message send` without any explicit consent, warning, or minimization. Even if only a session ID is transmitted, that is still conversation metadata and can reveal the existence and processing state of user sessions to an external messaging endpoint.

Ssd 3

Medium (97% confidence)
The skill explicitly authorizes broad collection of all unextracted conversation files, transmission of full contents to an AI agent, and onward storage in Feishu. Even if this is the intended feature, it materially increases exposure of sensitive chat data to additional processing and external storage, so it is a real privacy/security risk that must be treated as such.

Ssd 3

Medium (97% confidence)
The workflow states that session files are read in full with no line limit and then sent for AI extraction. Full-content ingestion amplifies the risk of exposing credentials, personal data, proprietary material, or unrelated sensitive context present anywhere in the session logs.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.