
Security audit

agentmemory-mcp

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate persistent-memory integration, but it automatically stores and transmits session context in ways that need careful review before use.

Install only if you intentionally want cross-session memory. Before enabling it, confirm where the memory service runs, whether embeddings send text to an external provider, how to disable capture, and how to delete stored entries. Do not import or store secrets, tokens, customer data, regulated information, or private conversations unless you have reviewed and redacted them first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The migration step instructs users to ingest `MEMORY.md` into a persistent memory service without warning that the file may contain secrets, credentials, internal URLs, personal data, or sensitive project history. Persisting that content expands retention and discoverability, increasing the chance of unintended disclosure across sessions or agents.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The vector-search setup recommends third-party embedding providers but does not warn that memory content submitted for embedding may be transmitted to external services. Because memory entries can include confidential project context or personal data, enabling embeddings can create an unannounced data exfiltration path to outside vendors.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The guide explicitly states that OpenClaw auto-captures conversation data into memory, but it does not pair that behavior with any notice, consent flow, retention guidance, or warning about sensitive data capture. In a persistent cross-session memory skill, silent collection of user or project content can expose private information, credentials, or regulated data beyond the current session.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The plugin automatically sends session-derived context (topic, project, recent tasks) to a local HTTP service before the agent starts, with no consent gate, disclosure, redaction, or scoping controls. Even though the default target is localhost, this still creates a privacy and data-governance risk because sensitive project or user information may be transmitted to another process unexpectedly, and the base URL is configurable.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The plugin persists summaries or the last message content plus metadata such as session ID and timestamp after each run, again without any user-facing warning or approval step. In a long-term memory integration skill, this is especially risky because the feature is designed to retain cross-session information, so accidental storage of secrets, internal discussions, or personal data is plausible and systematic.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.