Back to skill

Security audit

Automated daily memory backfill for OpenClaw sessions

Security checks across malware telemetry and agentic risk

Overview

The skill does what it advertises: rebuilds OpenClaw memory from local session logs, with sensitive but disclosed optional LLM summarization.

Install only if you want this tool to process your OpenClaw chat history into persistent memory. Start with compare or --dry-run, review generated files before relying on them, avoid cron until you trust the output, and use OpenAI/Anthropic or any remote OpenClaw model only if you accept sending sanitized session context and preserved notes to that provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes capabilities that include reading session logs, writing memory files, invoking shell commands, accessing environment variables, and optionally sending content to external APIs, yet no explicit permissions are declared. That creates a transparency and consent gap: users may run a skill with broader data and system access than the manifest communicates.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The declared purpose centers on memory reconstruction, but the documented behavior also includes extraction/search, transition reporting, validation, stats, subprocess use, and direct API integrations. This mismatch weakens informed consent and can hide broader data-processing or exfiltration paths behind an apparently narrower description.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The `extract` command provides general-purpose conversation dumping from session logs in multiple formats, which is broader than the stated memory-sync purpose. Because session logs can contain sensitive prompts, tool outputs, tokens, or operational context, this creates a direct local exfiltration path and increases the blast radius of the skill.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Spawning the external `openclaw` CLI to summarize logs extends the skill from offline analysis into active orchestration of another agent/tool. That broader capability can send sensitive session material outside the immediate process and introduces trust in external configuration and behavior not constrained by this file.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README recommends unattended cron-based backfill runs that write to memory files and supports overwrite/regeneration flows, but it does not prominently warn that user-authored memory may be modified or replaced. Automated modification of persistent files increases the risk of silent data corruption, loss of hand-written notes, or unreviewed propagation of bad summaries.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation advertises OpenAI and Anthropic summarization backends without a clear privacy warning that session logs and preserved notes may be transmitted to third-party providers. Because the tool processes historical conversations and memory content, external summarization can expose sensitive user data even if some secret patterns are redacted.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This path sends conversation logs and possibly preserved handwritten notes to an external/OpenClaw summarization subprocess without a clear user-facing disclosure at the transmission point. Even with sanitization, natural-language content may still contain sensitive business or personal context that users would not expect to leave the local workflow.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The OpenAI/Anthropic API summarization path transmits conversation content to external providers without an explicit warning at the call site. Since the logs are reconstructed from agent sessions, they may include confidential prompts, tool outputs, or operational context whose disclosure could materially impact users.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The Anthropic summarization function sends prepared conversation content and optional preserved notes to a remote API without a clear user-facing warning in that code path. This is dangerous because sanitization cannot guarantee removal of all sensitive contextual information embedded in natural language.

Ssd 3

High
Confidence
98% confidence
Finding
The prompt builder explicitly includes conversation logs and preserved handwritten notes and instructs the LLM to preserve/incorporate them. That creates a strong data leakage path because free-text notes and logs may carry secrets, personal data, or sensitive operational context that pattern-based sanitization misses.

Context Leakage

High
Category
Data Exfiltration
Content
| `backfill --since YYYY-MM-DD` | Backfill from date to present |
| `backfill --all` | Backfill all missing dates |
| `backfill --incremental` | Backfill only changed dates since last run |
| `extract` | Extract conversations matching criteria |
| `summarize --date YYYY-MM-DD` | Generate LLM summary for a single day |
| `transitions` | List model transitions |
| `validate` | Check memory files for consistency issues |
Confidence
86% confidence
Finding
Extract conversation

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.