Personify Memory

Security checks across malware telemetry and agentic risk

Overview

This memory skill is purpose-aligned overall, but it asks for broad access to raw conversation logs, long-term storage, scheduled execution, external model calls, and destructive cleanup behavior that users should review before installing.

Install only if you are comfortable giving this skill access to raw OpenClaw conversation logs and configuring scheduled jobs that persist, summarize, archive, and sometimes prune session history. Before enabling cron, review the paths, disable or scope external LLM validation if needed, use dedicated least-privilege API credentials, back up session logs, and confirm the retention/deletion behavior matches your expectations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (64)

Description-Behavior Mismatch

Medium
Confidence: 84%
Finding
The documentation claims the skill can set cron reminders for remembered items, expanding it from passive memory storage into active task scheduling. That functional expansion can create unreviewed actions in the host environment and may cause unintended automated execution beyond user expectations.

Intent-Code Divergence

Medium
Confidence: 81%
Finding
The documentation gives conflicting statements about whether daily memory is deleted after 30 days or preserved via archiving. Contradictory retention rules are dangerous because operators cannot accurately assess privacy impact, and implementations may accidentally retain sensitive data much longer than intended.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The design explicitly grants the skill access to raw OpenClaw session logs under /root/.openclaw/agents/main/sessions, which is broader than a memory skill needs to fulfill user-directed memory capture. This expands the data boundary from curated memory artifacts to full conversational history, increasing exposure of unrelated, sensitive, or transient user content.

Context-Inappropriate Capability

High
Confidence: 96%
Finding
The monthly cleanup workflow is designed to overwrite or delete portions of original session logs, creating a destructive capability unrelated to simple memory recording. A memory skill should not mutate primary session history because that can destroy audit trails, remove forensic evidence, and cause irreversible data loss if logic is wrong or abused.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The implementation plan centers on full-session backup, incremental extraction, and retention management rather than narrowly capturing user-intended memories. That scope creep materially increases the amount of personal data handled and makes the skill operate like a session-harvesting subsystem instead of a focused memory feature.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The proposed script reads raw session logs from a global OpenClaw session directory and then persists selected content into the memory store. That bypasses any explicit user-scoped memory boundary and can capture unrelated, sensitive, or unintended conversation data from the broader agent environment.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The document proposes changing cron from a passive systemEvent into an agentTurn that instructs the agent to execute shell-level Node.js scripts. That meaningfully expands the skill from memory management into scheduled code execution, creating a path for unattended local command execution if the agent has tool or shell access. In the context of a memory skill, this capability increase is not clearly bounded or justified, so it should be treated as a real security concern.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The proposed payload tells the agent to run local scripts by absolute path under /root, which is especially sensitive because it implies privileged filesystem context and couples cron to direct command execution. If an attacker can modify the script, path, or prompting context, this becomes an unattended execution primitive with potential access to backups, archives, and other local data. For an emotion/memory skill, direct absolute-path execution is overpowered and increases blast radius.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The design adds an external semantic-analysis/model call path that is not clearly disclosed by the skill’s stated memory-focused behavior. That creates an undeclared data flow for user content and increases privacy and trust risk, especially because the feature is proposed for routine conversational use rather than a narrowly scoped, opt-in action.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The proposed prompt construction embeds full user messages directly into a semantic-analysis request, which can expose sensitive personal, family, emotional, and preference data to another model or service. In a memory skill, those messages are especially likely to contain intimate long-term-profile information, making overcollection and downstream disclosure more harmful.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The script derives `memoryFile` as `path.join(basePath, '..', 'MEMORY.md')`, which expands its write scope outside the declared memory store directory. That creates an unnecessary cross-boundary write capability for a maintenance task, increasing the risk of unintended modification of higher-level files if the script is run with elevated privileges or against an unexpected base path.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
Appending extracted 'important decisions' into a parent-directory `MEMORY.md` gives this daily review job a broader write capability than its stated purpose requires. Because the content is derived from parsed conversation logs, this can lead to prompt/content injection into a higher-trust file and unauthorized persistence of user-controlled text outside the normal storage layer.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The script sends extracted conversation-derived memory content to an external LLM service for semantic validation, but this outbound data flow is not disclosed in the skill description. Because the stored data includes user/assistant dialogue and emotional or personal memories, this creates a real privacy and data-exfiltration risk, especially if users expect all memory processing to remain local.

Context-Inappropriate Capability

Medium
Confidence: 83%
Finding
The code reads API credentials from environment variables and a separate OpenClaw config file, extending its access beyond the immediate memory data it manages. While likely intended for convenience, this undisclosed credential and config access increases the trust boundary and can expose unrelated secrets or couple the skill to external accounts without clear user consent.

Intent-Code Divergence

High
Confidence: 99%
Finding
The CLI advertises a safe 'test' mode, but it invokes the same runDailyBackup() path as 'run', which still copies files, overwrites backup contents, updates state, and deletes old backups. This is dangerous because operators may rely on test mode for non-destructive validation and unintentionally cause data loss or state corruption in a sensitive memory/backup system.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
Core-memory writes target `path.join(this.basePath, '..', 'MEMORY.md')`, which escapes the skill's main storage directory and modifies a parent-level file. That broadens the write scope beyond the expected memory sandbox and can overwrite or inject persistent content into a more sensitive shared state file if this component is invoked with untrusted content.

Intent-Code Divergence

Medium
Confidence: 99%
Finding
The CLI advertises 'test' mode as non-destructive, but it invokes the same full workflow as 'run', including cleanup that rewrites or empties session files. This mismatch can cause operators to unintentionally destroy retained session history while believing they are performing a safe dry run.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README explicitly promotes storing emotional exchanges, family information, preferences, and other long-lived personal memory, but it does not warn users about privacy risks, consent requirements, retention scope, or how sensitive data is protected. In a memory skill for an AI assistant, this omission is dangerous because users may disclose highly sensitive personal data under the impression that the feature is harmless or ephemeral, while the documentation emphasizes permanence and emotional intimacy.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation states that memories are automatically archived daily and that daily memories are archived and never deleted, but it does not provide a clear warning that retention is ongoing and potentially indefinite. This increases risk because sensitive conversations, preferences, and family details may persist far longer than users expect, expanding exposure in the event of unauthorized access, misuse, or secondary processing.

Missing User Warnings

Medium
Confidence: 94%
Finding
The release notes advertise automatic session saving and archiving, while elsewhere noting external semantic analysis, but they do not clearly disclose the privacy implications of storing conversation history or potentially sending content to a third party. In a memory system centered on emotional and personal conversations, this omission is security-relevant because users may reasonably assume sensitive content remains local or is handled with stronger notice and consent.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill specifies automatic backup, review, archiving, and deletion of conversation data without a clear privacy notice or informed-consent flow. Because the stored data includes personal, family, and emotional content, automatic processing materially increases confidentiality risk and could violate user expectations or policy requirements.

Missing User Warnings

Medium
Confidence: 94%
Finding
The proposed change explicitly stores complete conversation transcripts and context in persistent memory structures, which can capture sensitive personal data far beyond what is needed for the feature. In a memory system designed for emotional and family content, this materially increases privacy, retention, and secondary disclosure risk if logs, memory files, or downstream prompts are exposed.

Missing User Warnings

Medium
Confidence: 95%
Finding
The update steps write full dialogue content and surrounding context into emotion, knowledge, and core memory files without any privacy warning, consent boundary, or minimization control. Because these are persistent memory files, the risk is not just collection but long-term reuse and leakage of intimate or sensitive conversations across future system behavior.

Missing User Warnings

Medium
Confidence: 94%
Finding
The document describes automatic copying, long-term storage, and deletion of conversation data without any user-facing notice, consent model, or retention disclosure. Silent retention changes are dangerous because users may share sensitive information without realizing it will be archived daily and preserved monthly.

Missing User Warnings

Medium
Confidence: 93%
Finding
The design describes automatic persistence of daily conversation history without any user-facing notice, consent flow, retention policy, or privacy controls. In a memory skill centered on personal and emotional content, silent long-term capture materially increases privacy risk and the chance of storing sensitive data users did not intend to retain.

VirusTotal

63/63 vendors flagged this skill as clean.