Automatic Memory Evolution (自动记忆进化)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its memory-saving purpose, but it also creates scheduled automation that can run unrelated local scripts outside the reviewed package.

Review the scripts before installing. Only enable the cron jobs if you are comfortable with automatic edits to ~/.openclaw/workspace/memory and ~/.openclaw/workspace/MEMORY.md, and consider removing the heartbeat event handlers that run workspace scripts or changing the idle-save path to call the packaged daily-evolution.py directly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises scheduled scripts that read and write files and are executed via cron, but the manifest does not declare corresponding permissions or prominently disclose those capabilities. Undeclared shell execution and file-write behavior undermines informed consent and review, making it easier for a seemingly simple memory skill to perform broader persistence and automation than users expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is narrow—summarizing discussions and updating memory files—but the analyzed behavior indicates broader event handling, heartbeat state, autosave triggers, maintenance tasks, and invocation of unrelated scripts. This mismatch is dangerous because users may grant trust to a note-organizing skill that actually establishes a more general automation and persistence surface.

Context-Inappropriate Capability

Medium
Confidence
71% confidence
Finding
The skill's stated purpose is local memory organization, yet it includes capability to access chat and session history through an external CLI. Even though those functions are not currently used in generate_report(), this broadens the accessible data surface beyond the declared need, increasing privacy risk and making the skill more dangerous in agent contexts where tools may be repurposed or later wired in.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
This heartbeat script acts as an event router for multiple unrelated capabilities, including launching auxiliary Node scripts. Bundling unrelated execution paths into a background maintenance component increases attack surface and makes it easier for a caller who can influence event names to trigger privileged or unexpected behavior through a trusted automation path.

Intent-Code Divergence

Medium
Confidence
80% confidence
Finding
The script prints success indicators for emergency checks, memory organization, log cleanup, and daily maintenance even though those steps are not actually performed at that point. Misleading status output can hide failed or skipped maintenance, causing operators or higher-level agents to trust that protective actions occurred when they did not, which weakens security monitoring and incident response.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation criteria are broad phrases like automatic daily summary, memory updates, and idle-triggered save, which can cause the skill to run in contexts the user did not specifically request. Overbroad triggers increase the chance of unintended background execution, file writes, and collection or persistence of session-derived data.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill description explains automation but does not clearly warn that it will write to persistent files and may auto-save based on user inactivity. Missing disclosure is risky because users may not realize their discussion data is being persisted or updated without an immediate command, which affects privacy, auditability, and consent.

Session Persistence

Medium
Category
Rogue Agent
Content
Run daily-evolution.py to:
- Read memory files from `~/.openclaw/workspace/memory/`
- Extract discussion topics from markdown files
- Write summaries to `~/.openclaw/workspace/MEMORY.md`

### 2. Heartbeat Check Script
Run heartbeat-check.py to:
- Check user activity every 30 minutes
- Track last message timestamp
- Trigger auto-sav
Confidence
90% confidence

VirusTotal

65/65 vendors flagged this skill as clean.
