MemOS Plugin One-Click Installer

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned, but it gives the agent broad automatic install, configuration, restart, remote-script, credential, and persistent-memory authority with too little user control.

Install only if you intentionally want an agent to modify your OpenClaw configuration, install packages, restart the gateway, and persist conversation history. Prefer the local embedding option, avoid pipe-to-shell installers unless you have independently verified the source, use environment-variable references instead of pasting API keys into config, and review the Memory Viewer and retention settings before using it with sensitive conversations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Description-Behavior Mismatch

Severity: Medium | Confidence: 85%
The README makes strong claims such as '100% local/on-device' while also advertising optional external API providers and networked Hub–Client capabilities. This can mislead users into underestimating data egress and trust boundaries, which is a real security concern for memory software handling potentially sensitive conversations.

Intent-Code Divergence

Severity: Medium | Confidence: 91%
The privacy section says there is 'zero cloud upload' and that all data is stored locally, but the same document also mentions anonymous telemetry and optional networked features. Contradictory privacy assurances can cause unsafe deployment decisions, especially for users who rely on strict local-only guarantees for sensitive memory data.

Description-Behavior Mismatch

Severity: Medium | Confidence: 89%
The skill markets itself as fully local and private, yet elsewhere instructs the agent to fetch remote code and optionally configure external embedding/summarization APIs. This creates a misleading trust boundary: users may consent believing no external network exposure or third-party processing will occur when the workflow can in fact introduce both.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
The skill explicitly authorizes downloading and executing remote scripts via curl-pipe-to-shell and irm-pipe-to-iex without review. This is dangerous because any compromise of the hosting site, network path, or script content results in arbitrary code execution on the user's machine under the agent's authority.

Context-Inappropriate Capability

Severity: Medium | Confidence: 79%
The skill broadens from local-memory setup into collecting third-party API credentials and configuring external services. While this may be functional, it expands scope and introduces secret handling and external data-processing risks that are not inherent to a local memory installer.

Intent-Code Divergence

Severity: High | Confidence: 95%
The documentation says no data is sent to the cloud and everything happens locally, yet the skill also supports remote embedding and summarizer providers that necessarily transmit user content to external APIs. This contradiction can materially mislead users about privacy and compliance exposure.

Vague Triggers

Severity: Medium | Confidence: 84%
The trigger phrases are broad and overlap with normal support or conversational requests such as 'setup memory' or 'configure memory.' In an agent environment that auto-runs skills from natural language, ambiguous invocation can cause unintended installation, configuration changes, or follow-on privileged actions without a clearly intentional user request.

Missing User Warnings

Severity: High | Confidence: 97%
The README explicitly promotes autonomous installation, config modification, gateway restart, and fallback script execution with minimal user interaction. In the context of an agent skill, this normalizes high-impact system changes without prominent consent, review, or safety boundaries, increasing the chance of unauthorized or unsafe execution on the user's machine.

Missing User Warnings

Severity: High | Confidence: 99%
The manual install instructions recommend direct remote-script execution (`curl | bash` and `irm ... | iex`) without integrity verification or a safety warning. This is dangerous because any compromise of the CDN, DNS, TLS trust chain, or hosted script content can immediately lead to arbitrary code execution on the user's system.

Vague Triggers

Severity: Medium | Confidence: 82%
The documented trigger phrase is broad enough to overlap with normal conversation, increasing the chance that an agent skill could activate installation behavior unintentionally. In an agent environment that performs autonomous system changes, accidental triggering can lead to unwanted package installation or configuration changes.

Missing User Warnings

Severity: Medium | Confidence: 88%
The README describes fully autonomous installation, configuration writes, and gateway restart without clearly warning that these are system-modifying actions. In the context of an agent skill, this reduces informed consent and increases the risk of users authorizing disruptive or unsafe behavior without understanding the consequences.

Missing User Warnings

Severity: Medium | Confidence: 97%
The manual installation section recommends piping a remotely fetched script directly into a shell or PowerShell interpreter without any visible integrity or review step. This is dangerous because compromise of the hosting endpoint, CDN, DNS, or TLS trust chain would immediately translate into arbitrary code execution on the user's machine.

Missing User Warnings

Severity: High | Confidence: 94%
The skill grants itself broad autonomous authority to run commands, modify configuration, and restart services without further approval, while the product also persists conversation content. This combination is dangerous because users may not fully appreciate that invoking setup authorizes both high-impact system changes and long-term storage of their interactions.

Ssd 3

Severity: High | Confidence: 97%
The skill directs automatic capture of all user, assistant, and tool messages into persistent storage. This is dangerous because tool outputs and conversations often contain secrets, tokens, personal data, or operational details that may be retained indefinitely and later surfaced to other agents or sessions.

Ssd 3

Severity: High | Confidence: 96%
The skill instructs the agent to ask for API keys and then write them into openclaw.json. Storing credentials in plaintext configuration increases the risk of accidental disclosure through logs, backups, filesystem access, later memory capture, or other local tooling.

VirusTotal

63/63 vendors flagged this skill as clean.