Agent Daily Retro

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent daily-retrospective purpose, but it asks to read private session history, persist user and agent profiles, alter core agent memory files, and enable scheduled external reporting without enough consent or scoping.

Install only after deciding you are comfortable with a daily tool reading prior OpenClaw conversations and writing conclusions into persistent memory and agent configuration. Disable or replace the bundled Feishu webhook, avoid root cron unless truly needed, run manually first, review generated changes before keeping them, and keep backups of MEMORY.md, USER.md, SOUL.md, and AGENTS.md.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (15)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The configuration hard-codes an external Feishu webhook and enables outbound delivery by default, which creates a clear exfiltration path from the agent environment to a third-party endpoint. In the context of a retrospective system that reads sessions and updates memory/profile files, this is especially risky because summarized user, agent, or session data could be transmitted off-host without clear consent or scope controls.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill is configured to update multiple persistent memory/profile files (MEMORY.md, USER.md, SOUL.md, AGENTS.md), which expands its ability to alter long-lived agent and user state beyond a narrowly bounded purpose. Because the description is broad and the files appear to store identity, memory, and agent behavior data, this creates a meaningful risk of unintended persistence, profile corruption, or stealthy prompt/context poisoning.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The test harness hard-codes a path under /root/.openclaw/media/inbound and reads a real session file, which directly exposes local conversation data. Even though this is presented as a test utility, bundling code that targets live inbound session storage creates an unsafe data access path and can normalize or enable unauthorized inspection of unrelated user conversations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide instructs users to configure a Feishu webhook and enables external output channels, but it does not clearly warn that retrospective content may include sensitive session data, user profile data, or agent memory that will be transmitted off-host. In this skill context, the risk is elevated because the documented purpose is daily review of agent sessions and memory files, which are likely to contain confidential information.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The cleanup commands use find ... -delete to permanently remove backup and lock files, but the guide does not warn that deletion is irreversible or advise users to verify the target paths first. This can cause unintended loss of recovery artifacts or operational state, especially if users adapt the commands incorrectly or run them in a misconfigured workspace.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The upgrade instructions remove the entire agent-retro directory with rm -rf without an explicit warning about irreversible deletion, integrity verification, or confirmation that required files have been backed up. In practice, this can destroy local modifications, embedded secrets, or supporting files if backups are incomplete or restoration fails.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README states that the skill automatically analyzes prior conversation records and sends output to Feishu, but it does not clearly warn that potentially sensitive conversation content will be processed and externally transmitted. In a skill that profiles users and summarizes chat history, lack of explicit privacy notice and consent creates a real risk of unintended disclosure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation says the skill automatically updates persistent files such as MEMORY.md, USER.md, SOUL.md, and AGENTS.md, but it does not prominently warn users that it will modify long-lived state. Silent persistent modification is security-relevant because it can alter future agent behavior, preserve sensitive data, or corrupt important configuration without informed approval.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to read private session logs from a user directory and persist summarized conclusions into multiple memory and configuration files, but it provides no user-facing consent, privacy notice, data-minimization rule, or scope restriction. This creates a real privacy and integrity risk because sensitive historical conversations may be harvested and then permanently propagated into workspace files without explicit authorization or review.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill processes historical session data and persists derived summaries to disk automatically, but there is no consent prompt, disclosure, or retention control visible to the user. In an agent environment, this creates a privacy risk because sensitive conversation content may be silently transformed into long-term memory files outside the user's immediate awareness.

Missing User Warnings

High
Confidence
96% confidence
Finding
The code writes a generated '用户画像' (user profile) and 'Agent画像' (agent profile) into persistent markdown files, and the sample profiling logic includes personal attributes such as sleep schedule and location. Persisting inferred personal data without explicit warning or consent increases privacy harm, especially if the workspace is backed up, shared, or later consumed by other tools.

Ssd 3

Medium
Confidence
97% confidence
Finding
The README describes collecting conversation data, generating user and agent profiles, and sending retrospective summaries to Feishu in natural language. That creates a real semantic exfiltration path: sensitive information from chats can be repackaged into summaries and disclosed to an external service, potentially bypassing simpler data-handling expectations.

Ssd 3

Medium
Confidence
97% confidence
Finding
The document explicitly instructs sending daily retrospective reports derived from conversation history to Feishu, which is an external disclosure channel. Because the source material is user conversations and profiling output, the context makes this materially dangerous: summaries may still contain personal, confidential, or operationally sensitive information even if raw logs are not sent.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill summarizes user conversations and stores those summaries in long-term memory files, including generated user-profile content. This expands the lifetime and visibility of potentially sensitive data, increasing exposure if local files are accessed by other users, synced to cloud storage, or reused by downstream agents without strict boundaries.

Ssd 3

Medium
Confidence
95% confidence
Finding
The analyzer explicitly derives a user profile from raw conversation history, including inferred location, work patterns, and behavioral traits, then emits that profile in natural language. This creates a privacy leakage mechanism because sensitive or unnecessary inferences can be surfaced, stored, or shared beyond the original scope of the conversations being analyzed.

VirusTotal

66/66 vendors flagged this skill as clean.
