Back to skill

Security audit

Elite Longterm Memory

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate AI memory skill, but it broadly persists user context and encourages third-party memory services without enough consent, privacy, or safety guidance.

Install only if you want an agent to retain project and preference context across sessions. Before enabling Mem0, SuperMemory, or automatic extraction, decide whether your prompts, code, business context, and personal details may be uploaded or retained by those services. Add your own rule requiring explicit approval before saving sensitive information, and avoid running the documented rm -rf cleanup command unless you have backed up memory data and intend to delete the vector store.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue AgentSelf-Modification, Session Persistence
Findings (13)

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The skill markets itself as a comprehensive, bulletproof memory system with multiple integrations, but the file is only instructional markdown and does not implement or safely gate those behaviors. This can mislead users or agents into assuming durable storage, cloud sync, or privacy controls exist when they do not, causing unsafe persistence decisions and overtrust in the skill.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill instructs use of external cloud APIs and npm packages for automatic fact extraction and storage, expanding data flows beyond the declared local memory purpose. That broadens the trust boundary and can cause sensitive conversation content to be transmitted to third parties without strong consent and governance.

Intent-Code Divergence

Low
Confidence
78% confidence
Finding
The document presents cloud backup as optional, then recommends a separate Mem0 auto-extraction workflow that also sends conversation-derived data to an external service. That inconsistency can cause users to underestimate when remote persistence occurs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README encourages integrating Mem0 for automatic fact extraction and describes cloud-backed memory behavior, but it does not clearly warn that conversation content and extracted facts may be transmitted to and stored by third-party services. In an AI memory skill, that omission is materially risky because users may route sensitive prompts, code, credentials, or business context into external systems without informed consent or data-handling controls.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README markets optional cloud backup/sync as a feature without disclosing that stored memory may be uploaded to remote infrastructure. Because this skill is specifically designed to retain long-term agent context, the synchronized data could include sensitive conversation history, source code, internal decisions, or secrets, making the missing warning security-relevant.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill describes collecting preferences, decisions, facts, and syncing them to external services, but provides no meaningful privacy notice, consent workflow, retention guidance, or warnings about sensitive data capture. This is dangerous because agents could persist personal or confidential information by default across local and cloud stores.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented `rm -rf ~/.openclaw/memory/lancedb/` command irreversibly deletes memory data, but the skill does not clearly warn about permanence, backup expectations, or confirmation steps. An agent or user following the instructions could destroy stored context unintentionally.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill instructs agents to persist user conversation details and preferences across multiple stores and optional cloud services, including automatic extraction. This creates a broad data retention mechanism that can capture sensitive information without minimization or contextual consent.

Ssd 3

Medium
Confidence
96% confidence
Finding
The WAL protocol requires writing user details before responding whenever preferences, decisions, deadlines, or corrections are provided. This default logging behavior is dangerous because it normalizes broad, immediate persistence of user inputs, including potentially sensitive or transient information.

Session Persistence

Medium
Category
Rogue Agent
Content
User: "Let's use Tailwind for this project, not vanilla CSS"

Agent (internal):
1. Write to SESSION-STATE.md: "Decision: Use Tailwind, not vanilla CSS"
2. Store in Git-Notes: decision about CSS framework
3. memory_store: "User prefers Tailwind over vanilla CSS" importance=0.9
4. THEN respond: "Got it — Tailwind it is..."
Confidence
82% confidence
Finding
Write to SESSION-STATE.md: "Decision: Use Tailwind, not vanilla CSS" 2. Store in Git-Notes: decision about CSS framework 3. memory_store: "User prefers Tailwind over vanilla CSS" importance=0.9 4. THE

Unpinned Dependencies

Low
Category
Supply Chain
Content
"typescript"
  ],
  "optionalDependencies": {
    "mem0ai": "^1.0.0"
  },
  "author": "NextFrontierBuilds",
  "license": "MIT",
Confidence
83% confidence
Finding
"mem0ai": "^1.0.0"

Tool Parameter Abuse

High
Category
Tool Misuse
Content
memory_recall query="*" limit=50

# Clear all vectors (nuclear option)
rm -rf ~/.openclaw/memory/lancedb/
openclaw gateway restart

# Export Git-Notes
Confidence
97% confidence
Finding
rm -rf ~

Tool Parameter Abuse

High
Category
Tool Misuse
Content
memory_recall query="*" limit=50

# Clear all vectors (nuclear option)
rm -rf ~/.openclaw/memory/lancedb/
openclaw gateway restart

# Export Git-Notes
Confidence
97% confidence
Finding
rm -rf ~/.openclaw/memory/lancedb/

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.destructive_delete_command

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
SKILL.md:293