BrainX V5 — The First Brain for OpenClaw

Security checks across malware telemetry and agentic risk

Overview

BrainX is a real memory skill, but it needs Review because it automatically persists and injects shared agent context while modifying prompt-visible workspace files and handling sensitive data with loose boundaries.

Install only if you want a shared, persistent agent memory layer and are comfortable with conversation/workspace content being stored in PostgreSQL, sent to OpenAI for embeddings, and injected into future prompts. Before enabling it, disable or review any automatic rule-promotion pipeline, restrict which workspaces and agents can contribute or receive memories, avoid storing secrets, encrypt backups, and verify exactly which hooks or cron jobs are active.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (41)

MCP Least Privilege

Medium
Confidence
90% confidence
Finding
The skill declares no permissions despite clearly requiring environment access and network access for DATABASE_URL and OPENAI embeddings. This creates a transparency and consent problem: operators may install it without understanding that it can read secrets and send data off-host. In a memory system that stores conversation-derived data and injects it into prompts, undeclared capabilities increase the risk of unreviewed data exposure.

MCP Tool Poisoning

High
Confidence
93% confidence
Finding
The documented behavior materially exceeds the stated purpose: besides memory storage/search/injection, it performs advisory checks, telemetry, diagnostics, auto-repair, lifecycle management, and automatic workspace modification. This mismatch prevents informed risk assessment and can hide impactful behaviors such as writing rules into workspace files, retaining broader session data, and running maintenance actions with side effects. For security-sensitive agent skills, understatement of scope is itself dangerous because operators may grant trust based on an incomplete description.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The README explicitly states that the system can automatically promote learned patterns into AGENTS.md, TOOLS.md, and SOUL.md without human intervention. For a memory engine, autonomous mutation of agent instruction files materially expands control from storage/retrieval into behavioral persistence, creating a path for prompt-derived content to become durable agent policy.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This section documents a pipeline that detects recurring conversational patterns, distills them with an LLM, and writes them into persistent startup-read files. That is a true security concern because untrusted or poisoned session content can be transformed into future agent instructions, effectively turning memory ingestion into self-modifying prompt infrastructure.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
The backup and recovery scope includes hooks, configs, and workspaces in addition to the memory database. That broader reach increases blast radius because a memory component now touches operational code and agent execution surfaces, making accidental restoration or propagation of unsafe state more likely.

Intent-Code Divergence

Medium
Confidence
73% confidence
Finding
The documentation presents inconsistent boundaries: one component is described as suggestion-only while the broader system automatically applies those suggestions into workspace files. This ambiguity is dangerous because operators may underestimate that the end-to-end pipeline results in unattended rule writes, weakening informed consent and review.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The documentation says the skill is a memory engine, but it also automatically promotes patterns into workspace files and modifies documentation/rule files. Automatic writes to instruction-bearing files can alter future agent behavior, propagate bad guidance, and create a persistence mechanism beyond the database. In an agent environment, self-modifying prompts/rules are significantly more dangerous than passive memory storage.

Intent-Code Divergence

Medium
Confidence
80% confidence
Finding
The skill claims data only leaves the system for embeddings, yet its own documentation shows broader handling of environment/configuration material during backup and restore processes. Even if backup is local by default, understating the scope of sensitive material handled by the skill can lead to insecure storage, transfer, or restoration of secrets and workspace data. In practice, users may move archives off-host, turning an opaque backup feature into a secret-sprawl risk.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The opening comment explicitly states the code was separated to avoid static-analysis flags, which is a strong indicator of security-tool evasion rather than legitimate design intent. Although this file does access an API key and transmit user-provided text to an external service, the more concerning issue is the apparent attempt to disguise a sensitive data-flow pattern from reviewers and scanners.

Missing User Warnings

High
Confidence
96% confidence
Finding
The README says the system captures full session transcripts and extracts personal, technical, and financial data automatically, yet it does not foreground a strong privacy warning or consent model. This creates a real risk of over-collection and unexpected processing/sharing of sensitive data from user conversations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The auto-promotion section describes direct writes into core workspace rule files without a clear warning that this occurs automatically and without human review. That omission is security-relevant because users may enable a memory feature without realizing it can permanently alter agent behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide recommends syncing backups to cloud storage, while the documented backup contents explicitly include a PostgreSQL dump and `openclaw.env` with secrets. Encouraging off-host synchronization of such archives without requiring encryption, access controls, or secret scrubbing materially increases the chance of credential and data exposure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill describes automatic writes to BRAINX_CONTEXT.md and MEMORY.md plus broad backup/restore behavior without prominent warnings about system and data impact. These side effects can overwrite or influence workspace state, persist conversation-derived content, and capture more data than users expect. Lack of explicit warning and consent is especially risky because the hook runs automatically at agent bootstrap.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The architecture explicitly describes formatting retrieved memories for direct prompt injection, but provides no warning or control boundary around untrusted memory content. In a memory system that stores arbitrary prior content and reinserts it into later prompts, this creates a realistic prompt-injection and context-poisoning path where stored instructions or attacker-controlled text can steer downstream LLM behavior.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The CLI documentation instructs users to submit arbitrary memory content and notes use of OpenAI embeddings, but it does not clearly warn that supplied text may be stored in PostgreSQL, embedded, and transmitted to an external API provider. In a memory system designed to ingest contextual data for later prompt injection, this omission increases the chance that users will submit secrets, regulated data, or sensitive operational content under a false assumption of local-only handling.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The rollback section instructs operators to run a full restore command against production data but does not explicitly warn that this can overwrite or destroy the current database state. In a production runbook for a memory system storing contextual and potentially sensitive data, omission of a clear destructive-operation warning increases the chance of accidental data loss during incident response or rollback.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly describes automatic capture of conversations and workspace files, persistent storage, and cross-session/context injection across agents, but it does not mention consent, scope limits, retention, or privacy warnings. In a memory system for agents, this increases the chance that sensitive prompts, secrets, internal data, or personal information are silently collected and reused beyond the original context.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The pipeline sends captured text to OpenAI for embeddings, but the documentation does not clearly warn that user/system/workspace content may be transmitted to an external third party. Given this skill's purpose—automatically ingesting conversations, logs, and markdown—this omission is dangerous because confidential data could leave the local environment unexpectedly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The bootstrap flow documents automatic creation of BRAINX_CONTEXT.md and modification of MEMORY.md in the agent workspace without warning users that local files will be written or altered. Silent workspace mutation can overwrite expected state, leak memory contents into checked-in files, or surprise operators who assume the skill is read-only.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document recommends propagating BrainX memory by writing summaries into TOOLS.md, a bootstrap file automatically injected into sub-agents. That can silently expose recalled memory content to additional agent contexts and modify a core workspace prompt file without explicit consent, scoping, or redaction guidance. In a memory system, this increases the chance of over-sharing sensitive context across agent boundaries.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The hook documentation explicitly describes automatic reads from a database, writes to workspace files, and telemetry logging on every agent bootstrap, but it does not present clear consent, scoping, or warning about data modification and persistence. In this skill context, that is security-relevant because the hook alters prompt-bearing files and records activity automatically, which can affect agent behavior and leak or retain sensitive context without the operator fully realizing it.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Several profiles define broad context sets while leaving excludeTypes empty, which makes memory injection or profile activation boundaries loose and harder to reason about. In a vector-memory skill that injects contextual memories into LLM prompts, this increases the chance of unrelated or sensitive memories being selected across workflows, causing prompt-context leakage or cross-role contamination.

Vague Triggers

High
Confidence
97% confidence
Finding
The "echo" profile has empty contexts, empty exclusions, and no boost constraints, making it effectively unconstrained and likely eligible to match or retrieve from the full memory corpus depending on hook logic. In this skill's context—a memory engine that stores, searches, and injects contextual memories into prompts—such a catch-all profile can expose irrelevant, private, or cross-tenant data to an agent session and is especially dangerous because it undermines all intended segmentation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The bootstrap hook automatically rewrites MEMORY.md and creates additional context files inside the workspace without any explicit user consent or runtime disclosure. In an agent environment, this changes prompt-visible state and can silently influence downstream model behavior, which is a real integrity and transparency risk even if it is part of the feature design.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code persists full action context, including parsed tool arguments, into the database via `action_context`. Tool arguments commonly contain secrets, tokens, credentials, personal data, or sensitive operational details, so storing them wholesale increases exposure in the event of database compromise, overbroad internal access, logs/backup leakage, or unintended later retrieval. In this skill's context, the danger is elevated because the system is specifically designed to retain and resurface contextual memories, which can cause sensitive command parameters to persist and be reintroduced into future prompts.

VirusTotal

66/66 vendors flagged this skill as clean.