Evomemory Core

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real local memory plugin, but it needs review because it creates persistent agent memory and can overwrite existing OpenClaw configuration without clear user control.

Review before installing. Back up ~/.openclaw/config/chromadb_config.yaml first, use the local backend unless you intentionally run a remote ChromaDB server, avoid storing secrets in persistent agent memory, and treat failed LanceDB migrations as potentially partial rather than automatically rolled back.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The module docstring promises "100% data consistency guaranteed, rollback supported," but the implementation only compares record counts and has no rollback logic. This can mislead operators into trusting the migration during failures or partial writes, increasing the chance of silent data loss, duplication, or corruption being accepted as successful.

VirusTotal

67/67 vendors flagged this skill as clean.
