Security audit

Personal Memory Layer

Security checks across malware telemetry and agentic risk

Overview

This skill is designed to remember the user over time, but it automatically builds persistent local profiles from conversations without clear opt-in, limits, or retention rules.

Install only if you intentionally want OpenClaw to keep a long-term personal profile. Before using it, set clear boundaries for what must never be remembered, require confirmation for sensitive or inferred facts, periodically inspect .memory-layer and MEMORY.md, and delete or edit memories that are stale, wrong, or too private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill describes automatic background review and extraction of personal data after interactions without a strong, explicit per-use consent boundary or clear scoping limits. For a memory system handling sensitive behavioral and contextual data, broad passive activation materially increases the risk of over-collection, retention of sensitive information, and user surprise.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The phrase that the skill 'initializes automatically when first used' is ambiguous and does not clearly define what constitutes use or whether initialization includes directory creation, profiling, or persistence. Ambiguous startup behavior is dangerous in a privacy-sensitive skill because it can cause memory capture before informed consent or before the user understands the scope of storage.

Missing User Warnings

High
Confidence
97% confidence
Finding
The top-level description emphasizes personalization benefits but does not prominently warn that the skill persistently stores personal preferences, behavior patterns, life context, and profile summaries. This is dangerous because users and downstream agents may enable or invoke the skill without recognizing that it performs long-term collection and synthesis of potentially sensitive personal data.

Ssd 3

Medium
Confidence
95% confidence
Finding
These instructions direct the agent to continuously extract and store broad classes of user information from conversations into structured records. Even if framed as personalization, persistent collection of preferences, patterns, context clues, and facts creates a user profile that could expose sensitive attributes, enable manipulation, or become harmful if accessed by unauthorized parties.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs creation of persistent insight stores and long-term profile documents covering preferences, patterns, life context, relationships, and biographical facts. Building synthesized personal profiles increases risk beyond simple logging because aggregation and curation make sensitive information more accessible, reusable, and potentially actionable for misuse.

Ssd 3

Medium
Confidence
95% confidence
Finding
The memory triggers tell the agent to retain emotional reactions, ongoing life context, corrections, and goals, which are precisely the kinds of signals that can reveal vulnerabilities, mental state, priorities, and sensitive personal circumstances. In context, this makes the skill more dangerous because it is designed for persistent longitudinal profiling, not a one-off task-specific memory.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.