Faya Session Memory

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real local session-memory tool, but it broadly copies past conversations into persistent searchable files and analyzes cron prompts without enough scoping or privacy controls.

Install only if you intentionally want OpenClaw conversation history made durable and searchable. Before running it on real sessions, review and edit the hardcoded people/projects and the hardcoded speaker label, test on a narrow subset, add exclusions or redaction for secrets and private data, inspect generated memory files, and enable cron only after deciding the retention scope and how to delete or disable the generated memory artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs the user/agent to read session logs from the home directory and write converted transcripts, indexes, and reports, but it does not declare those file and environment capabilities. Undeclared read/write access reduces transparency and prevents users or policy systems from making an informed consent decision about persistent data handling.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior goes beyond session-memory indexing into scanning unrelated cron job configuration and generating rewritten prompt guidance, while also overstating that it 'sets up cron jobs' when it only suggests tasks. This mismatch can mislead operators about both the scope of data access and the operational changes the skill may cause, increasing the chance of unauthorized analysis of unrelated automation content.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The cron optimizer is outside the core session-memory purpose and analyzes the user's broader cron configuration, which may contain unrelated tasks, secrets in prompts, or sensitive operational context. Expanding from transcript indexing into general job inspection creates unnecessary access to data unrelated to the requested memory feature.

Intent-Code Divergence

Low
Confidence
74% confidence
Finding
Saying the optimizer 'never auto-modifies' jobs does not eliminate the privacy risk from scanning the full cron configuration. Even read-only inspection can expose sensitive prompts, schedules, project names, and operational details to the agent or derived reports.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger conditions are broad enough that the skill could activate for generic memory or recall requests without making clear that activation causes persistent transcript conversion and indexing. That increases the risk of collecting and storing sensitive conversation data in cases where the user only wanted ephemeral recall assistance.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The setup instructions tell the operator to scan all session logs and create persistent searchable transcripts and indexes, but they do not foreground that this may retain sensitive conversational content long term. Missing notice undermines informed consent and can lead to accidental expansion of data retention beyond user expectations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script writes a human-readable glossary and a JSON scan cache derived from all session transcripts, but it provides no consent flow, warning, retention notice, or minimization controls before persisting potentially sensitive conversational content. In the context of a long-term memory skill, this increases privacy risk because personal names, decisions, topics, and timelines are intentionally transformed into durable, searchable records that may outlive the original session expectations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script persistently copies session transcripts containing user and assistant content into a searchable memory directory and explicitly triggers re-indexing, yet there is no consent gate, warning, redaction step, or sensitivity filtering. This can cause secrets, personal data, credentials, or confidential project details from prior chats to become durably stored and easier to retrieve than the original transient session logs.

Ssd 3

Medium
Confidence
90% confidence
Finding
The skill's core design is to preserve and retrieve conversation content across sessions, including names, decisions, and file paths that would otherwise age out of context. In security terms, this increases persistence and discoverability of potentially sensitive user-provided data, especially if users were not expecting durable cross-session storage.

Ssd 3

Medium
Confidence
94% confidence
Finding
Converting all session logs into searchable Markdown transcripts materially broadens access to past conversations by making them easy to query and index. This can expose secrets, personal data, or confidential project information that appeared in prior chats, even if the original logs were less accessible or less routinely searched.

Ssd 3

Medium
Confidence
90% confidence
Finding
The glossary aggregates people, projects, topics, timelines, and decisions across transcripts, creating a high-value summary index of sensitive organizational knowledge. Such structured summarization can make private information easier to discover and correlate than the raw transcripts themselves.

Ssd 3

Medium
Confidence
89% confidence
Finding
Directing the agent to flush memory before compaction encourages automatic persistence of current conversation content precisely when it might otherwise disappear. Without strict controls, this can capture sensitive details reflexively and store them across sessions without a fresh user confirmation.

Ssd 3

Medium
Confidence
94% confidence
Finding
The file's stated purpose is to index all session transcripts into persistent memory artifacts, which inherently creates a privacy-sensitive aggregation point for identifiable and behavioral data. Even if intended as a feature, consolidating historical conversations into reusable memory broadens exposure, makes later retrieval easier, and raises the consequences of unauthorized access or misuse.

Ssd 3

Medium
Confidence
90% confidence
Finding
The hardcoded people glossary contains named individuals and descriptive identifiers, and the code even references a dedicated detail log for one person, encouraging persistent profiling of real people across sessions. In a memory skill, this is more dangerous because it normalizes long-term storage and indexing of personal data without any built-in consent, sensitivity classification, or safeguards around who is being tracked.

Ssd 3

Medium
Confidence
95% confidence
Finding
The glossary generator aggregates people, projects, topics, dates, and extracted decisions into a single browsable document, materially increasing discoverability of sensitive history compared with leaving data dispersed in raw transcripts. This kind of summarizing memory system can amplify harm from unauthorized access because it surfaces who was discussed, what was decided, and when, making sensitive context easier to mine at scale.

Ssd 3

Medium
Confidence
94% confidence
Finding
The generated preamble instructs downstream cron jobs to pull broad prior session context, including people, projects, and decisions, before completing their task. In a persistent-memory skill, this increases the chance that unrelated or sensitive historical information is injected into routine outputs, effectively widening data exposure across tasks without scoping, minimization, or consent checks.

Ssd 3

Medium
Confidence
92% confidence
Finding
The report template operationalizes and normalizes a pattern of prepending memory-search instructions to cron prompts based on session transcripts and glossary data. That makes cross-session disclosure more likely at scale, because operators are encouraged to propagate prior private context into many automated workflows without any built-in data classification or need-to-know enforcement.

Ssd 3

Medium
Confidence
96% confidence
Finding
This skill's stated purpose is long-term memory persistence, which makes automatic copying of full session content into searchable storage especially risky because it increases the accessibility and lifetime of sensitive conversational data. In this context, the behavior is not incidental; it is core functionality, so without strong privacy controls it meaningfully expands the attack surface for local compromise, unintended recall, or over-collection of user data.

Session Persistence

Medium
Category
Rogue Agent
Content
### Step 3: Set up cron jobs for auto-updates

Create two cron jobs (use a cheap model like Gemini Flash):

**Job 1: Session sync + glossary rebuild (every 4-6 hours)**
Confidence
84% confidence
Finding
Create two cron jobs (use a cheap model like Gemini Flash): **Job 1: Session sync + glossary rebuild (every 4-6 hours)** ``` Task: Run `python3 scripts/session-to-memory.py --new` then `python3

VirusTotal

66/66 vendors flagged this skill as clean.
