Openclaw Memory Transfer

Security checks across malware telemetry and agentic risk

Overview

This memory-migration skill is coherent, but it can automatically read broad local assistant files and process very sensitive history, so it needs user review before installation.

Install only if you intentionally want to migrate assistant memory. Before using local-agent migration, ask the agent to list exact files and directories before reading them, skip broad home-directory scans, and review/redact all imported data before writing it to OpenClaw memory. Be careful with full ChatGPT ZIP exports because they can contain personal, business, and third-party information.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (29)

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The skill directs automatic reading of local assistant memory/configuration files without an explicit consent checkpoint tied to the actual scan. That exceeds reasonable user expectations for a migration skill and can expose sensitive prompts, project notes, or personal data from local files that the user did not knowingly choose to import.

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: The generic `find ~` behavior searches broadly across the user's home directory for instruction and rules files unrelated to a specific migration source. This broad discovery scope can sweep in unrelated repositories or private configuration files, creating unnecessary collection of sensitive local data.

Intent-Code Divergence

Medium

Confidence: 94% confidence
Finding: Telling the user 'No user action needed' minimizes the significance of local file access and undermines informed consent. This increases the chance that users will unknowingly authorize privacy-invasive behavior because the documentation frames scanning as harmless and automatic.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The README states that local tools such as Claude Code, Cursor, and Windsurf are handled via 'Auto-Scan' and says the user must do 'nothing — automatically', but it does not warn that local files or tool data may be scanned and imported. In a memory-migration skill, this is especially risky because users are primed to trust broad data ingestion, so undocumented automatic local scanning can lead to collection of sensitive workspace data, tokens, prompts, or private project context without informed consent.

Vague Triggers

Medium

Confidence: 83% confidence
Finding: La activación sugerida, como "Vengo de ChatGPT", es suficientemente genérica como para aparecer en conversación normal y disparar el skill sin que el usuario pretenda iniciar una migración. En un skill que trata con importación de memoria y posibles fuentes locales/archivos, una activación accidental aumenta el riesgo de iniciar flujos de acceso a datos personales o de solicitar exportaciones sensibles innecesariamente.

Missing User Warnings

High

Confidence: 94% confidence
Finding: La descripción promociona extraer, limpiar e importar recuerdos de otros asistentes sin advertencias claras sobre el tratamiento de datos personales, el alcance de la recolección o los riesgos de privacidad. Dado que el skill maneja historial, preferencias, proyectos y potencialmente archivos ZIP de exportación o escaneo automático local, la falta de transparencia y consentimiento informado puede llevar a exposición o procesamiento indebido de información altamente sensible.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The activation phrases are broad and map to common user statements about switching assistants or importing memory, which increases the chance of the skill triggering during ordinary conversation without a clearly bounded consent flow. In this skill’s context, accidental activation is more dangerous because the documented behavior involves collecting and importing potentially sensitive personal and conversational data.

Missing User Warnings

High

Confidence: 96% confidence
Finding: The description markets 'frictionless' migration but does not clearly warn that the skill may collect, process, and persist sensitive personal, behavioral, and conversational data from prior AI services. In a memory-migration skill, the absence of prominent disclosure undermines informed consent and increases the risk that users expose data they did not realize would be imported or stored.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The README explicitly promotes extracting and importing memory data from other AI assistants, but it provides no privacy notice, no warning about sensitive content in exports, and no guidance on consent or data minimization. Because these exports can contain personal profiles, conversation history, projects, credentials, or other sensitive information, the omission increases the risk of users uploading more data than intended and having it ingested into another system unsafely.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The README presents automatic scanning of local-agent sources such as Claude Code, Cursor, and Windsurf as requiring 'nothing — automatic' without warning that local files, histories, or assistant data may be accessed and imported. In this skill context, that makes the issue more dangerous because it normalizes silent or opaque collection from local environments, which may expose sensitive workspace data, source code, secrets, or private conversations beyond what the user expects.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The trigger phrases are broad migration-related requests and the README does not define clear boundaries for when the skill should activate or what confirmation is required before accessing prior-assistant data. In a skill centered on importing sensitive memory and preferences, vague activation increases the chance of unintended invocation and privacy-impacting actions based on casual user statements.

Missing User Warnings

High

Confidence: 95% confidence
Finding: The README advertises extracting everything a prior assistant knows about the user and importing it into OpenClaw, but provides no privacy, consent, retention, or system-impact warning. Because the data involved can include identity details, habits, projects, and sensitive conversation-derived inferences, presenting this as frictionless migration materially increases the risk of over-collection and unsafe handling of personal data.

Missing User Warnings

High

Confidence: 97% confidence
Finding: Listing Claude Code, Cursor, and Windsurf as 'automatic' scan sources without explaining which local files, directories, or application data will be read is a significant transparency and consent failure. In the context of local agent environments, such scanning could expose prompts, code, tokens, project metadata, and other sensitive workspace artifacts, making the skill more dangerous than a simple cloud export parser.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The README uses very broad natural-language triggers such as 'memory transfer', 'import my memory', and 'switch from ChatGPT', which can match ordinary user conversation and invoke the skill unexpectedly. In a skill that handles highly sensitive personal history and migration workflows, accidental activation increases the chance of unnecessary data collection prompts or privacy-invasive actions.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The README advertises automatic scanning of local config files for Claude Code, Cursor, and Windsurf with 'Nothing — automatic,' but does not present a prominent upfront consent and privacy warning at the point of description. Because local config and workspace files may contain secrets, personal context, project metadata, or other sensitive artifacts, this creates a meaningful privacy and data-minimization risk.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger phrases are broad migration-related statements such as switching from another AI or importing memory, which can cause the skill to activate during ordinary conversation rather than only after clear user consent. In the context of a skill that imports sensitive personal memory and may initiate export or scanning workflows, accidental invocation increases the risk of unintended data access or collection.

Missing User Warnings

High

Confidence: 96% confidence
Finding: The README advertises automatic scanning for local AI tools with 'nothing' required from the user, but does not warn that local files, conversation histories, or other sensitive data may be searched and ingested. In a memory-migration skill, this omission is especially dangerous because users may not realize the tool can inspect local data sources and transfer personal or confidential information without an informed opt-in.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The README says local agents such as Claude Code, Cursor, and Windsurf will be 'automatically scanned' with 'nothing you need to do,' but it does not clearly explain what files are read, what data may be collected, or the privacy consequences. In a memory-migration skill, silent or poorly disclosed local scanning is risky because it can pull sensitive workspace content, prompts, identities, or configuration data beyond what the user reasonably expects.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The skill instructs privacy-impacting local scans without a dedicated warning or explicit consent at the moment of access. For a migration workflow, this is especially dangerous because the files may contain durable memories, user profiles, project notes, and system instructions from other tools.

Ssd 3

Medium

Confidence: 94% confidence
Finding: The README explicitly encourages transferring broad personal memory from other assistants, including writing style, projects, and preferences, which can include sensitive or regulated data. This is risky because the skill normalizes bulk ingestion of historical conversational context into a new system without clearly limiting scope to only necessary data.

Ssd 3

Medium

Confidence: 97% confidence
Finding: The documented migration scope includes identity, behavioral patterns, projects, habits, and tool preferences, all of which are sensitive profiling data that can materially affect privacy and security if over-collected or stored insecurely. In this skill’s context, the danger is heightened because these categories are mapped directly into persistent memory files, making long-term retention and misuse more likely.

Ssd 3

Medium

Confidence: 84% confidence
Finding: The prompt-guided export flow tells users to ask another AI to output everything it knows about them in structured form, which can induce over-collection of personal, behavioral, or sensitive data beyond what is necessary for migration. Even if user-initiated, the design encourages bulk exfiltration from another service into this system without strong minimization boundaries.

Ssd 3

Medium

Confidence: 91% confidence
Finding: The README promotes extraction of full conversation history and personal patterns, including writing style, topics, habits, corrections, and project details, which is a large aggregation of sensitive behavioral data. In the context of a memory-transfer skill, this makes the issue more dangerous because the skill's core purpose is long-term persistence of intimate user context, increasing privacy harm if mishandled or over-collected.

Ssd 3

High

Confidence: 95% confidence
Finding: The documentation instructs the agent to give the user a prompt for the old AI to return broad information about the user, which encourages mass extraction and re-transfer of personal profile data. Even if user-initiated, this creates a high-risk pathway for overcollection, accidental disclosure of sensitive personal information, and transfer of data that may violate user expectations or source-platform policies.

Ssd 3

High

Confidence: 97% confidence
Finding: The README explicitly claims the system can extract and migrate 'everything' the old AI knows about the user, which normalizes comprehensive harvesting of personal memory data. In this skill context, that is especially dangerous because the feature is designed to centralize long-term personal context, increasing the chance of importing sensitive identifiers, behavioral history, confidential project details, or other data the user did not intend to persist elsewhere.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal