Memory Dreaming

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed memory-maintenance tool, but it gives an autonomous agent broad access to private logs and transcripts and lets it silently rewrite durable memory and optional Obsidian notes.

Install only if you want an autonomous memory process reading your OpenClaw logs, learnings, plans, and session transcript matches. Keep Obsidian sync disabled unless you are comfortable exporting consolidated memory to that vault, review MEMORY.md and vault diffs regularly, and do not use this around secrets or sensitive client data unless you add redaction and approval controls.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (12)

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The prompt directs the isolated cron agent to inspect main-agent session transcripts under ~/.openclaw/agents/main/sessions, which expands data access beyond the declared memory sources and crosses agent-boundary/state-boundary assumptions. Even though it tries to limit reads to grep-matched lines, it still pulls potentially sensitive conversation content into a background process and can persist extracted details into MEMORY.md or the Obsidian vault.

Context-Inappropriate Capability

Medium

Confidence: 88% confidence
Finding: The prompt performs broad filesystem discovery across ~/.openclaw/workspace to locate task_plan.md files, which can enumerate unrelated projects and pull metadata from directories not intended for memory consolidation. This weakens least-privilege boundaries and increases the chance of collecting and propagating sensitive or irrelevant project information into persistent memory and external notes.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The manual trigger phrases are broad natural-language commands like 'Dream now' and 'Sync to obsidian', which can plausibly appear in ordinary conversation or be induced by untrusted content. That creates a prompt/trigger-injection risk where the skill may execute memory consolidation or external sync without an explicit, scoped user confirmation.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill description and quick-start framing do not clearly warn that the process reads daily logs, learnings, and session transcripts to build long-term memory. Users may enable or invoke it without informed consent, increasing the risk of silently consolidating sensitive information beyond the original interaction context.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The Obsidian sync feature writes consolidated knowledge to an external vault path, potentially outside the workspace, but the documentation does not present this as a prominent safety warning. That can lead to unintentional propagation of sensitive session-derived data into external markdown notes, backups, or sync services.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The architecture explicitly treats session transcripts as a source of extractable 'high-signal' entities and even lists API keys as items worth tracking. In a memory-consolidation skill, this creates a real secret-handling risk: sensitive values may be copied from transient transcripts into durable memory stores, indexed, and possibly propagated further, increasing exposure far beyond the original context.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The design includes syncing consolidated memory into an external Obsidian vault, but the document does not describe consent, scoping, filtering, or safeguards for sensitive content before propagation. Because this skill already consolidates data from logs, transcripts, and learnings, external sync increases the blast radius of any private, incorrect, or secret data that enters memory.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The consolidation phase instructs the agent to modify MEMORY.md, update learning files, remove stale entries, and alter the Active Plans section without any user-visible confirmation or audit checkpoint. Because this runs autonomously and rewrites durable memory, mistaken extraction, prompt drift, or adversarial content in source files can silently corrupt long-term state.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The Obsidian sync section authorizes creation and updates of notes in an external vault path, including plan dashboards and knowledge notes, without an explicit warning or approval step for cross-system writes. This can propagate sensitive workspace data into another repository, broaden data exposure, and make accidental or unauthorized persistence harder to detect and undo.

Ssd 3

Medium

Confidence: 93% confidence
Finding: The core skill behavior is to collect information from logs, transcripts, and learnings into long-term memory, which is a real data-retention and privacy risk even if it is the stated purpose of the skill. Consolidating user/session data into durable memory expands exposure, especially when the source material may contain secrets, personal data, or context that should remain ephemeral.

Ssd 3

Medium

Confidence: 96% confidence
Finding: The gather phase explicitly instructs mining session transcripts for corrections, decisions, proper nouns, and preferences, all of which can include sensitive personal, organizational, or proprietary information. Persisting that extracted data for later reuse creates a durable privacy and confidentiality risk that may exceed user expectations for transient conversations.

Ssd 3

High

Confidence: 98% confidence
Finding: The sync phase exports consolidated memory to an external Obsidian vault, creating a straightforward exfiltration path from internal logs/transcripts into another storage system. Because the data is first normalized into durable notes, any sensitive content captured earlier becomes easier to replicate, search, sync, and retain outside its original security boundary.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal