Security audit

Mempalace Memory

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local memory skill, but it needs Review because it can persist, mine, inject, and delete memory with weak scoping, and its credential-handling text is misleading.

Install only if you are comfortable with this skill building persistent local memories from your workspace and injecting recalled content into agent prompts. Verify the missing hook handler and hard-coded paths before use, limit mining to directories you explicitly approve, avoid storing secrets, and back up memory stores before running bridge or forget commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The code comments and structure imply credential filtering, but store() persists content verbatim unless it matches a narrow blocklist. As a result, sensitive secrets that are not detected by has_plaintext_credential() can be embedded and stored in ChromaDB, creating unintended retention and exposure of credentials.

Intent-Code Divergence

High
Confidence: 98%
Finding
When plaintext credentials are detected, the returned hint claims they are encrypted and stored at ~/.openclaw/.credentials, but this code performs neither encryption nor storage there. That misleading assurance can cause users or calling agents to assume secrets are safely handled when they may instead remain exposed elsewhere or simply be dropped without secure processing.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill documentation exposes a destructive `forget <memory_id>` command as a normal CLI operation without any warning about irreversible data loss, confirmation requirements, or access restrictions. In an agent setting, documenting deletion paths without safety guidance increases the chance that a user or downstream automation invokes memory deletion unintentionally or without adequate validation.

Missing User Warnings

Medium
Confidence: 88%
Finding
The forget command performs irreversible deletion across all ChromaDB collections with no confirmation, authorization check, or dry-run mode. In an agent or CLI context, accidental invocation, prompt-induced misuse, or malicious chaining could delete memory records and cause integrity/availability loss.

Missing User Warnings

Medium
Confidence: 90%
Finding
The function transmits arbitrary query/content text to an HTTP embedding service without user-facing disclosure or consent controls. Because this tool handles memory content that may include sensitive project data, this implicit data flow increases privacy and secret-exposure risk even if the endpoint is configured as localhost.

Missing User Warnings

Medium
Confidence: 84%
Finding
The mine command launches filesystem mining over a user-specified or default workspace path with no confirmation, warning, or scope restriction. In a memory-ingestion tool, that behavior can lead to over-collection of sensitive local files and subsequent indexing into shared storage, which is a meaningful privacy/security risk in context.

VirusTotal

67/67 vendors flagged this skill as clean.