Security audit

Conversation Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed productivity tool, but it repeatedly profiles conversations, writes long-term memory, and may send task details to Feishu without enough user control.

Install only if you intentionally want OpenClaw to analyze your conversations, infer personal and work patterns, and save those conclusions to USER.md, MEMORY.md, and HEARTBEAT.md. Before enabling cron or Feishu reminders, confirm who receives messages, review what will be written, and decide how you will correct or delete sensitive or inaccurate memory entries.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (14)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 82% confidence
Finding: The skill performs capabilities beyond passive text analysis, including file access, scheduled execution, and notification behavior, yet it declares no permissions. This creates a trust and review gap: operators cannot accurately assess what data the skill may access or where information may flow, increasing the chance of unintended exposure of conversation-derived data.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 91% confidence
Finding: The declared purpose understates operational behaviors such as resetting counters, scheduled background analysis, accessing additional state files, and sending Feishu notifications. That mismatch is dangerous because users may consent to summarization while not realizing the skill persists inferred profile data, runs automatically, and can transmit task-related information externally.

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: The script introduces Feishu notification behavior in its generated task flow even though the skill’s stated purpose is conversation analysis and memory management. In an agent environment, adding an external notification side effect can leak task state or user-derived information to a third-party channel without clear user consent or manifest disclosure, expanding the data exposure surface.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The README advertises automatic analysis, memory writes to USER.md/MEMORY.md, and Feishu notifications, but it does not present a clear up-front warning about the privacy and persistence implications for end users. This can lead users to enable a skill that continuously stores inferred personal data and triggers outbound notifications without informed consent.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: Manual triggers such as 'summary' and 'check tasks' are common phrases that can easily appear in normal conversation, causing accidental activation. In this skill, accidental triggering is more harmful because activation can lead to memory writes, profile inference, and external task notifications without a deliberate user action.

Missing User Warnings

High

Confidence: 95% confidence
Finding: The skill explicitly analyzes personality, emotional state, background, and future goals, then merges those inferences into persistent memory files, but the description does not clearly warn users about this sensitive profiling. This is dangerous because inferred personal data can be inaccurate, highly sensitive, and retained long-term without meaningful user awareness or consent.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill can send Feishu notifications about incomplete tasks, but the description does not clearly disclose that conversation-derived task information may leave the local memory context. External notifications create an added disclosure boundary, and even limited task summaries may expose sensitive project or personal information.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The manual trigger phrase includes the very broad term “总结” (“summarize”), which can easily appear in ordinary conversation and may cause the skill to run unintentionally. Because this skill performs sensitive actions such as analyzing user traits, updating memory files, and checking tasks, accidental invocation can lead to unexpected data processing and persistence.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The skill description states it will analyze personal traits, emotions, history, and plans, write those results into memory files, and send notifications, but it does not present any clear privacy notice, consent requirement, or data-handling warning. This is dangerous because users may be profiled and have sensitive personal information retained or shared externally without informed consent.

Missing User Warnings

High

Confidence: 96% confidence
Finding: The documentation enables scheduled automatic analysis and outbound task notifications, but provides no visible warning, approval flow, or user confirmation for these recurring operations. In context, this increases the risk of silent collection, repeated profiling, and external disclosure of task or personal context over time.

Ssd 3

Medium

Confidence: 97% confidence
Finding: The skill is designed to infer and persist broad categories of sensitive user information, including personality, background, emotional state, current activities, and future goals, into memory files. Persistent storage of inferred profiling data materially increases privacy risk, creates a durable surveillance record, and can expose highly sensitive information if the workspace or memory files are later accessed by other tools, skills, or attackers.

Ssd 3

Medium

Confidence: 96% confidence
Finding: The HEARTBEAT instructions normalize repeated, automated analysis of conversations and appending inferred user and task information into persistent memory files. This makes the risk worse because profiling and storage are not one-off actions but recurring background behavior, increasing the volume of sensitive data retained and the likelihood of misuse or unintended disclosure.

Ssd 3

Medium

Confidence: 88% confidence
Finding: The skill is designed to analyze broad conversation content, persist conclusions, and notify on task state, which naturally increases the chance that sensitive details from ordinary chats are stored or shared outside their original context. The risk is elevated because the analysis scope includes personality, emotional state, work background, and predicted needs, all of which can amplify privacy leakage and overcollection.

Ssd 3

High

Confidence: 98% confidence
Finding: The skill is designed to broadly collect, infer, and persist highly sensitive user information, including personality, communication style, skills, background, emotions, current activities, and future plans, across USER.md, MEMORY.md, HEARTBEAT.md, session history, and Feishu notifications. In this context, the breadth of profiling, long-term retention, and potential external transmission make the behavior materially dangerous even if intended as a productivity feature.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal