Security audit

OpenClaw Obsidian Memory

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it can make persistent changes to agent memory/configuration and set up unattended archival without enough review controls.

Install only if you intentionally want persistent local memory. Before using it, back up AGENTS.md and MEMORY.md, review any generated patches before applying them, avoid storing secrets or sensitive conversations in the Vault, choose the cron timezone yourself, and enable archival jobs only if you know how to inspect and remove the stored notes and scheduled tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill instructs use of environment-derived paths like $HOME and %USERPROFILE% and relies on shell/Node execution semantics, but it declares no permissions or capability boundaries. That creates a transparency and consent problem: the agent may access local environment context and filesystem locations without an explicit permission model.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The document promises broad autonomous setup, memory integration, file modification, and scheduled archival, but the described assets only mention read-only helper scripts and no real implementation of the claimed orchestration. This mismatch is dangerous because it can cause an agent to fabricate or improvise high-risk actions (editing AGENTS.md and MEMORY.md, scheduling jobs) without a trustworthy implemented mechanism or constrained workflow.

Context-Inappropriate Capability
Severity: Medium
Confidence: 97%
Finding:
The skill instructs the agent to append or replace sections in AGENTS.md and rewrite MEMORY.md, which are core agent control and memory files outside the Obsidian setup scope. Modifying these files can alter future agent behavior, persistence, and trust boundaries, effectively turning a note-taking skill into a self-modifying configuration mechanism.

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding:
The skill directs extraction of content from unrelated local files such as AGENTS.md, USER.md, SOUL.md, and MEMORY.md to populate notes. This broad local data harvesting can expose sensitive preferences, policies, or internal metadata and persist them into a secondary repository without clear necessity or minimization.

Vague Triggers
Severity: Medium
Confidence: 87%
Finding:
The trigger list includes broad everyday terms like obsidian, vault, knowledge base, and knowledge management, making accidental activation more likely. In this skill, mis-triggering is especially risky because activation is tied to automatic local file writes, config edits, and persistence behavior rather than a harmless read-only action.

Vague Triggers
Severity: Medium
Confidence: 92%
Finding:
The language says the user only needs to say a short phrase and the AI will automatically complete all configuration, but it does not define clear boundaries or staged consent. That encourages overbroad autonomous behavior and could lead the agent to create directories, copy scripts, edit files, and schedule tasks from a vague request.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding:
The skill describes automatic creation and modification of local files and persistence of user data but does not present a clear upfront risk notice. Users may not realize that enabling the skill can alter local state, archive conversations, and create durable records beyond the immediate session.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding:
The instructions require appending or replacing AGENTS.md rules without a strong warning, review step, or backup procedure. Because AGENTS.md can influence future agent behavior, an opaque change here is more dangerous than a normal note edit and can persistently alter how the agent handles memory and retrieval.

Missing User Warnings
Severity: High
Confidence: 98%
Finding:
The skill tells the agent to 'simplify' MEMORY.md by replacing it with a short index, which can overwrite existing content and destroy historical memory or operational notes. This is a direct integrity risk and may also impair future agent behavior if MEMORY.md contains important instructions or state.

Natural-Language Policy Violations
Severity: Medium
Confidence: 84%
Finding:
The cron configuration hard-codes the Asia/Shanghai timezone without user choice or validation. While not a severe security flaw by itself, it can cause scheduled tasks to run at unintended times, increasing the chance of unexpected background processing and retention operations.

Ssd 3
Severity: Medium
Confidence: 94%
Finding:
The skill instructs the agent to extract user preferences, system configuration, installed skills, and known issues from local files into persistent notes by default. This broad default retention copies potentially sensitive personal and operational data into a long-lived knowledge base, expanding exposure and making later unintended disclosure more likely.

Ssd 3
Severity: Medium
Confidence: 95%
Finding:
The memory rules direct automatic dual-writing of task results and important conversation summaries into both Vault and local memory. This creates broad, default persistence of user interactions and duplicates data across stores, increasing retention scope, searchability, and the blast radius of any later compromise or mistaken disclosure.

Ssd 3
Severity: Medium
Confidence: 95%
Finding:
The daily and weekly archive tasks instruct the agent to summarize prior conversations and merge them into permanent notes over time. This compounds retention and inference risk, because repeated archival can turn ephemeral chats into enduring profiles, project histories, and preference records without ongoing user review.

VirusTotal

61/61 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.