Security audit

File-system + vector-powered memory skill for OpenClaw — semantic recall, daily journaling, and safeguard flushing, all running locally via Ollama

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local memory skill, but it needs review because its file-isolation and flush guarantees are weaker than advertised.

Install only if you are comfortable with persistent local memory. Use a private memoryDir, avoid symlinks inside it, review stored Markdown files, and do not rely on the current flush function as proof that session data was saved until that implementation is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding:
The skill documentation exposes capabilities beyond simple file-based memory management, including network access to a local Ollama HTTP service, environment/config access, and token/session-state awareness, yet no permissions are declared. This weakens user consent and platform trust boundaries because operators may enable a skill without understanding that it can access local services and broader runtime context.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding:
The stated purpose is a memory system, but the behavior also includes contacting a local HTTP service for embeddings and reading global configuration/session status. That mismatch is security-relevant because users may not expect metadata exposure, local service interaction, or contextual introspection, which can expand attack surface and leak sensitive information to auxiliary components.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding:
The file advertises 'memory flush to filesystem', but the implementation never persists session data or writes any record to disk. In a memory-management skill, this creates a security-relevant integrity issue because operators may rely on flush for retention, auditability, or safe context compaction, yet sensitive context may be lost or remain only in volatile state while the function reports success.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The 'memoryFlush' function claims to execute a flush and returns success, but it only logs messages and constructs an unused timestamp string. This mismatch is dangerous because higher-level automation may delete, compact, or trust state transitions based on a false success signal, causing data loss, broken recovery expectations, or incorrect assumptions about where sensitive memory is stored.

Intent-Code Divergence

Severity: Low
Confidence: 94%
Finding:
The code comment claims it resolves symlinks to a real path, but it only applies path.resolve(), which normalizes path segments and does not dereference symbolic links. As a result, a symlink placed inside the memory directory could point outside it, bypassing the intended directory confinement and allowing unauthorized file reads when memoryGet() calls fs.readFile() on the validated path.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding:
The top-level directory check only validates the initial searchDir, but recursive traversal uses Dirent metadata and never revalidates that nested paths remain under the base directory. If an attacker can place symlinks or special filesystem entries inside the memory tree, the scan may follow them and read Markdown files outside memoryDir, defeating the intended containment boundary.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The README explicitly advertises automatic loading and automatic persistence of conversation memory, including daily logs and group memories, but does not clearly warn users about privacy, retention, or consent implications. In a memory-management skill, this context makes the issue more dangerous because the feature is core behavior and may capture sensitive user or group data by default without informed user awareness.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The skill advertises automatic loading and persistence of conversation memory, including flush-on-threshold behavior, without a prominent privacy warning about what data may be retained, for how long, and under what triggers. In a memory skill, this context makes the issue more serious because users are likely to store conversational, preference, or project data that may be sensitive and persisted automatically.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The manifest advertises automatic memory persistence, semantic search, and session lifecycle hooks, but it does not clearly disclose to users that conversation-derived data may be stored locally and reused across sessions. This is dangerous because users may unknowingly expose sensitive prompts, credentials, or personal data to persistent local storage and vector indexes, increasing privacy and data retention risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The default configuration writes memory to a fixed local path under the user's home directory without warning that user content will be persisted there. This can lead to silent storage of sensitive data on disk, where other local processes, backups, or shared accounts may access it depending on filesystem permissions and operational practices.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill automatically loads prior memory at session start and flushes memory at session end, creating cross-session persistence without an explicit consent or warning mechanism. In context, this makes the issue more dangerous because the feature is specifically designed to carry forward prior data, which can unintentionally reintroduce secrets, personal information, or stale sensitive context into future sessions.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The code logs the raw search query and the number of discovered memory files, which can expose sensitive user intent, personal terms, or filesystem usage patterns to logs that may be retained or shared. In a memory/search system, queries are especially likely to contain private information, so logging them increases privacy and data leakage risk.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
Vector search embeds both the user query and chunks of memory file contents via embedText(), which likely sends sensitive data to an external model or service depending on implementation. In a memory system, those files may contain highly personal or confidential notes, so silent transmission to an embedding backend can cause significant confidentiality loss and compliance issues.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill exposes a persistent file-writing primitive with an overwrite mode but provides no user-facing warning, approval requirement, or path-safety constraint. In an agent setting, this can lead to silent memory tampering, destruction of prior records, or persistence of attacker-influenced content that affects future behavior, making the memory system more dangerous than a transient write tool.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.