Continuous Learning

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed continuous-memory skill, but it needs Review because it can keep broad long-term chat memory, run scheduled background jobs, send memory contents to MiniMax, and update core agent files without strong consent or review controls.

Install only if you intentionally want an agent to maintain long-term memory and run daily learning jobs. Before enabling it, review the MemPalace database contents, avoid storing secrets or regulated data, keep MiniMax and WeChat notifications disabled unless you accept those data flows, back up core agent documents, and regularly inspect or remove the scheduled tasks.
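
The pre-enable checks above can be scripted. The block below is an added example, not code from the skill or from SkillSpector: it scans the files in the skill's memory directory for secret-shaped strings before the overnight job archives them, lists every outbound URL anywhere in the skill config, and reports whether the analysis_model block (the MiniMax settings quoted in the findings on this page) carries a real API key rather than the shipped placeholder. The memory file names, the diary contents and the secret patterns are constructed assumptions; the config keys are the ones shown on this page.

```python
import os
import re
from typing import Any, Dict, List, Tuple

# Secret shapes that must not end up in long-term memory: AWS access key IDs, PEM private
# keys and key=value credential assignments. Public, well-known patterns; extend per environment.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("credential_assignment", re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['\"]?([A-Za-z0-9._\-]{12,})")),
]

# The api_key values the skill's sample config ships with; anything else means the MiniMax flow is live.
PLACEHOLDER_API_KEYS = {"", "your_api_key_here"}


def redact(secret: str) -> str:
    """Enough of the token to find it in the file, never the whole value."""
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "..."


def scan_text_for_secrets(text: str, source: str = "<memory>") -> List[Dict[str, Any]]:
    """One finding per secret-looking token; the preview is redacted, the line number is not."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS:
            for m in pattern.finditer(line):
                token = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append({"source": source, "line": line_no, "kind": kind, "preview": redact(token)})
    return findings


def audit_memory_files(files: Dict[str, str]) -> List[Dict[str, Any]]:
    """Audit {relative filename: contents}; audit_memory_dir() feeds this from disk."""
    findings = []
    for name in sorted(files):
        findings.extend(scan_text_for_secrets(files[name], source=name))
    return findings


def audit_memory_dir(path: str) -> List[Dict[str, Any]]:
    """Read every file under the skill's memory directory (dated daily files, extracted documents) and audit it."""
    files = {}
    for root, _dirs, names in os.walk(path):
        for name in names:
            full = os.path.join(root, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, path)] = fh.read()
            except OSError:
                continue
    return audit_memory_files(files)


def collect_external_endpoints(obj: Any, path: str = "") -> List[Tuple[str, str]]:
    """Every http(s) URL anywhere in the config with its key path: the outbound sinks to review."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            hits.extend(collect_external_endpoints(value, f"{path}.{key}" if path else key))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(collect_external_endpoints(value, f"{path}[{i}]"))
    elif isinstance(obj, str) and obj.startswith(("http://", "https://")):
        hits.append((path, obj))
    return hits


def analysis_model_flow(config: Dict[str, Any]) -> Dict[str, Any]:
    """Where the overnight analysis would send diary data, and whether a real credential is set."""
    model = config.get("analysis_model", {})
    return {
        "provider": model.get("provider", ""),
        "api_url": model.get("api_url", ""),
        "credential_configured": model.get("api_key", "") not in PLACEHOLDER_API_KEYS,
    }


# Constructed samples: the analysis_model block exactly as shown in the findings on this page,
# and two dated memory files of the kind the skill writes, one with a planted AWS example key
# and a pasted password (assumed contents, not real data).
SAMPLE_CONFIG = {
    "analysis_model": {
        "provider": "minimax",
        "model": "MiniMax-M2.7",
        "api_url": "https://api.minimax.chat/v1",
        "api_key": "your_api_key_here",
    }
}
SAMPLE_MEMORY_FILES = {
    "2026-03-01.md": (
        "User prefers concise answers and Python over Go.\n"
        "Project background: migrating the billing service to the new cluster.\n"
        "Error lesson: deploy failed because AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE had been revoked.\n"
        "Staging DB password: hunter2hunter2 (pasted by the user while debugging)\n"
    ),
    "2026-03-02.md": "Decision: keep WeChat notifications disabled for now.\n",
}
```

Run audit_memory_dir() against the skill's memory directory before each scheduled dream-analysis job. Anything it reports should be removed from the memory file itself, not merely redacted in the report, because the overnight job forwards diary contents to whatever endpoint collect_external_endpoints() lists.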

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (23)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def get_existing_windows_tasks():
    """Get existing Windows tasks."""
    try:
        result = subprocess.run(
            ['schtasks', '/query', '/fo', 'LIST', '/v'],
            capture_output=True,
            text=True,
            shell=True  # flagged by the scanner: unnecessary with a list argv
        )
        return result.stdout
    except (OSError, subprocess.SubprocessError):
        return ''
Confidence
93% confidence
Finding
result = subprocess.run( ['schtasks', '/query', '/fo', 'LIST', '/v'], capture_output=True, text=True, shell=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Delete old tasks
    for task_name in ['OpenClaw-ContinuousSync', 'OpenClaw-ContinuousDream']:
        try:
            subprocess.run(
                ['schtasks', '/delete', '/tn', task_name, '/f'],
                capture_output=True,
                shell=True  # flagged by the scanner: unnecessary with a list argv
            )
        except (OSError, subprocess.SubprocessError):
            pass
Confidence
94% confidence
Finding
subprocess.run( ['schtasks', '/delete', '/tn', task_name, '/f'], capture_output=True, shell=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    success = True
    for task in tasks:
        try:
            result = subprocess.run(
                [
                    'schtasks', '/create',
                    '/tn', task['name'],
                    '/tr', f'python "{task["script"]}"',
                ],
                capture_output=True,
            )
            success = success and result.returncode == 0
        except (OSError, subprocess.SubprocessError):
            success = False
Confidence
97% confidence
Finding
result = subprocess.run( [ 'schtasks', '/create', '/tn', task['name'], '/tr', f'python "{task["script"]}"',
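
Two points a practitioner will want from the three subprocess findings: shell=True adds nothing when argv is already a list, and the /tr value is assembled by string interpolation from the task config. The block below is an added example rather than the skill's code. It builds validated schtasks argv lists (task name restricted to a safe character set, script constrained to an absolute .py path free of quotes and cmd.exe metacharacters, meant to be run with shell=False) and parses `schtasks /query /fo LIST /v` output so the tasks this skill installs can be located for the periodic inspection the overview recommends. The sample LIST output is constructed (its field labels match the real command), and the daily /sc and /st flags are an assumption about how the skill schedules its jobs.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample of `schtasks /query /fo LIST /v` output: the two task names this skill
# registers plus one unrelated Windows task. Real output carries more fields per task.
SAMPLE_SCHTASKS_LIST = """\
HostName:                             WORKSTATION
TaskName:                             \\OpenClaw-ContinuousSync
Next Run Time:                        3/1/2026 2:00:00 AM
Status:                               Ready
Task To Run:                          python "C:\\openclaw\\scripts\\continuous_sync.py"
Scheduled Task State:                 Enabled

HostName:                             WORKSTATION
TaskName:                             \\OpenClaw-ContinuousDream
Next Run Time:                        3/1/2026 3:00:00 AM
Status:                               Ready
Task To Run:                          python "C:\\openclaw\\scripts\\dream_analysis.py"
Scheduled Task State:                 Enabled

HostName:                             WORKSTATION
TaskName:                             \\Microsoft\\Windows\\Defrag\\ScheduledDefrag
Next Run Time:                        N/A
Status:                               Ready
Task To Run:                          %windir%\\system32\\defrag.exe -c -h -k -g -$
Scheduled Task State:                 Enabled
"""


def parse_schtasks_list(output: str) -> List[Dict[str, str]]:
    """Split LIST output into one dict per task. Each line is split on its first ':' only,
    so values such as C:\\... paths and 2:00:00 AM timestamps survive intact."""
    tasks: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in output.splitlines():
        if not line.strip():
            if current:
                tasks.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        tasks.append(current)
    return tasks


def find_openclaw_tasks(output: str, marker: str = "openclaw") -> List[Dict[str, str]]:
    """Tasks whose name or command line mentions the skill: the ones to inspect or delete."""
    hits = []
    for task in parse_schtasks_list(output):
        haystack = f"{task.get('TaskName', '')} {task.get('Task To Run', '')}".lower()
        if marker in haystack:
            hits.append({"name": task.get("TaskName", ""), "command": task.get("Task To Run", ""),
                         "state": task.get("Scheduled Task State", "")})
    return hits


# Input constraints for anything that reaches schtasks. The name rule is stricter than Windows
# requires; the path rule refuses quotes and cmd.exe metacharacters rather than trying to escape them.
TASK_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
START_TIME_RE = re.compile(r"^(?:[01]\d|2[0-3]):[0-5]\d$")
CMD_METACHARS = set('"&|<>^%\r\n')


def build_schtasks_create(task_name: str, script_path: str, start_time: str,
                          python_exe: str = "python") -> List[str]:
    """argv for `schtasks /create` of a daily task (the schedule shape is an assumption about the
    skill's jobs). Run it as subprocess.run(argv, capture_output=True, text=True): with a list
    argv, shell=True only adds a second round of quoting and cmd.exe metacharacter parsing."""
    if not TASK_NAME_RE.match(task_name):
        raise ValueError(f"task name rejected: {task_name!r}")
    if not START_TIME_RE.match(start_time):
        raise ValueError(f"start time must be HH:MM: {start_time!r}")
    if not ntpath.isabs(script_path) or not script_path.lower().endswith(".py"):
        raise ValueError(f"script must be an absolute .py path: {script_path!r}")
    if CMD_METACHARS & set(script_path):
        raise ValueError(f"script path contains shell metacharacters: {script_path!r}")
    # /tr is the exact command line Task Scheduler will run; only the validated path is quoted into it.
    return ["schtasks", "/create", "/tn", task_name, "/tr", f'{python_exe} "{script_path}"',
            "/sc", "DAILY", "/st", start_time, "/f"]


def build_schtasks_delete(task_name: str) -> List[str]:
    """argv for removing one of the skill's tasks; the same name rule applies."""
    if not TASK_NAME_RE.match(task_name):
        raise ValueError(f"task name rejected: {task_name!r}")
    return ["schtasks", "/delete", "/tn", task_name, "/f"]
```

On a host where the skill has been installed, feed the real output of `schtasks /query /fo LIST /v` to find_openclaw_tasks() and pass each reported name to build_schtasks_delete() if the jobs are no longer wanted; on Linux the equivalent inspection is the `crontab -l | grep openclaw` line the skill's own troubleshooting section quotes.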

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documents capabilities to read and write files, invoke shell commands, access the network, and install scheduled tasks, but does not declare corresponding permissions or present a clear consent model. This creates a transparency and trust problem: a user or host may enable the skill without understanding that it can persist data, transmit it externally, and modify the local environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill is presented as a learning and memory-management workflow, but the documented behavior also includes persistence installation, external data transmission to MiniMax, notification queuing, and broad local file initialization. That mismatch is dangerous because users may approve it for benign memory features without realizing it modifies system scheduling and exports stored conversation-derived data to third parties.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The code sends full MemPalace diary entries and metadata to an external MiniMax endpoint for analysis. Because the data includes diary content, user preferences, project background, and long-term memory, this creates a real confidentiality risk and expands trust to a third-party service without visible minimization or consent enforcement.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly promotes automatic daily archiving, semantic memory storage, and cross-session context retention, but it does not present clear consent, retention, or data-handling safeguards. This creates a privacy risk because user conversations may be persistently stored and processed without informed approval or clear boundaries.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documented overnight analysis and WeChat notification flow implies user conversation content may be sent to external analysis services and notification channels without a prominent warning. This is dangerous because sensitive chat data could be exposed to third parties or surfaced in notifications outside the original interaction context.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases are broad everyday concepts such as '持续学习' ("continuous learning") and '自我改进' ("self-improvement"), which could activate the skill during ordinary conversation rather than through deliberate invocation. In this skill's context, accidental activation matters because the documented behavior includes persistent storage, document updates, and scheduled/background operations.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill explicitly describes automatic recording of conversations, long-term retention, and notification behavior, but does not present a strong privacy warning, retention policy, or explicit consent flow. Because conversation summaries, user preferences, and project context are stored and later processed, users may unknowingly expose sensitive personal or business data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Sensitive diary contents and metadata are transmitted to an external API without any user-facing warning, consent flow, or in-code disclosure of the privacy implications. In a continuous-learning skill, this is especially dangerous because the collected material is likely to contain highly sensitive long-term behavioral and personal context.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill advertises automatic long-term collection of daily conversations and semantic memory storage in plain language, indicating persistent retention of potentially sensitive user content. Without clear limits, minimization, or consent, this creates a real risk of privacy harm and unintended disclosure.

Ssd 3

High
Confidence
98% confidence
Finding
The workflow describes automatic syncing of chats, summarization, extraction into documents, and WeChat notification, which forms a clear end-to-end leakage path for conversation content. In this skill context, the feature is central to operation, making the risk more dangerous because the behavior is automated, scheduled, and likely to occur without per-event review.

Ssd 3

Medium
Confidence
91% confidence
Finding
The example encourages permanently storing a user's stated preference and reusing it across future conversations, which is session-persistent profiling. Although intended as a convenience feature, it is risky because preferences can become sensitive personal data and may be reused outside the user's expectations.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to automatically retain and summarize conversation data into long-term memory and documents. Persistent storage of conversation-derived content increases the blast radius of any compromise, misclassification, or unauthorized access, especially when the memory may contain sensitive user, project, or operational details.

Ssd 3

Medium
Confidence
95% confidence
Finding
The documented memory schema includes user preferences, project background, important decisions, and error lessons for persistent storage. This is sensitive operational and personal context that could be misused or leaked, and the skill does not describe access controls, retention boundaries, or secret filtering.

Ssd 3

Medium
Confidence
97% confidence
Finding
The dream-analysis workflow reads all stored memory fragments and extracts them into central documents such as user background, preferences, and workflow rules. Concentrating all historical context into a few core files materially increases sensitivity and makes exfiltration, poisoning, or accidental disclosure more damaging.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to record each conversation, sync chats into persistent memory, and send notifications containing summaries, which creates a clear path for sensitive user data to be retained and propagated beyond the immediate session. This increases the risk of privacy violations, unauthorized disclosure through notifications or downstream systems, and over-collection of data without clear consent, minimization, or retention controls.

Ssd 3

Medium
Confidence
90% confidence
Finding
The prompt instructs the model to ingest all diary fragments and synthesize persistent updates into files such as SOUL, MEMORY, and AGENTS. This creates a durable privacy and integrity risk: sensitive or manipulated diary content can be propagated into long-lived control and memory documents, potentially poisoning future agent behavior.

Ssd 3

Medium
Confidence
95% confidence
Finding
The script creates dated files under a memory directory specifically intended to store daily conversation records, which supports persistent retention of user interactions. In a 'continuous-learning' and 'memory management' skill, this increases privacy risk because sensitive prompts, credentials, personal data, or proprietary information may be written to disk without explicit consent, retention limits, or access controls.

External Transmission

Medium
Category
Data Exfiltration
Content
{
  "analysis_model": {
    "provider": "minimax",
    "model": "MiniMax-M2.7",
    "api_url": "https://api.minimax.chat/v1",
    "api_key": "your_api_key_here"
  }
}
Confidence
93% confidence
Finding
https://api.minimax.chat/

Session Persistence

Medium
Category
Rogue Agent
Content
**Linux**:
```bash
crontab -l | grep openclaw
```

### Problem 2: MemPalace write fails
Confidence
84% confidence
Finding
crontab -l

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
95% confidence
Finding
requests
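
To act on this finding, compare the requests version the skill actually resolves against the advisories the scan names and pin it. The block below is an added example, not part of the skill. The fixed versions it encodes are taken from the psf/requests GitHub advisories for the three CVEs listed above (2.3.0 for CVE-2014-1830, 2.32.0 for CVE-2024-35195, 2.32.4 for CVE-2024-47081); the seven further advisories are truncated on this page and are not in the table. The sample requirements file is constructed.

```python
import re
from importlib import metadata
from typing import Dict, List, Optional, Tuple

# First requests release in which each advisory named in the scan is fixed, per the psf/requests
# GitHub advisories. Re-check the advisory text before relying on these numbers.
FIXED_IN: Dict[str, Tuple[int, ...]] = {
    "CVE-2014-1830": (2, 3, 0),
    "CVE-2024-35195": (2, 32, 0),
    "CVE-2024-47081": (2, 32, 4),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric part of a version string ('2.32.4', '2.32.0rc1'); enough for release comparison."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def open_advisories(version: str) -> List[str]:
    """Advisories in FIXED_IN that still apply to the given requests version."""
    v = parse_version(version)
    return [cve for cve, fixed in FIXED_IN.items() if v < fixed]


def minimum_pin() -> str:
    """The requirements line that closes every advisory in FIXED_IN."""
    newest = max(FIXED_IN.values())
    return "requests>=" + ".".join(map(str, newest))


# name, optional operator, version; extras markers and comments are ignored for this check.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|~=|<=|!=|<|>)?\s*([^\s;#]*)")


def unpinned_requirements(requirements_text: str) -> List[str]:
    """Package names in a requirements.txt that carry no version specifier at all."""
    unpinned = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = REQ_LINE.match(line)
        if m and not m.group(2):
            unpinned.append(m.group(1).lower())
    return unpinned


def installed_requests_version() -> Optional[str]:
    """Version of requests in the current environment, or None when it is not installed."""
    try:
        return metadata.version("requests")
    except metadata.PackageNotFoundError:
        return None


def check_environment() -> Dict[str, object]:
    """What the running interpreter would give the skill: installed version and still-open advisories."""
    version = installed_requests_version()
    return {
        "installed": version,
        "open_advisories": open_advisories(version) if version else list(FIXED_IN),
    }


# Constructed sample requirements file of the shape the "Unpinned Dependencies" pattern flags.
SAMPLE_REQUIREMENTS = "requests\nmempalace==0.1\n# tooling\nrequests-toolbelt>=1.0\n"
```

Replace a bare `requests` line with the value minimum_pin() returns, reinstall, and re-run check_environment(); an empty open_advisories list for the three CVEs above is the goal, while the truncated remainder of the advisory list still has to be read from the scanner itself.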

VirusTotal

66/66 vendors flagged this skill as clean.
