Openclaw

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real cross-session memory plugin, but it automatically captures, stores, and reinjects conversation content with insufficient consent and scoping controls.

Review this carefully before installing. Only use it if you are comfortable with prior conversation content being summarized, stored locally, searched, and inserted into future prompts. Avoid using it in workspaces involving secrets, credentials, private customer data, legal or medical content, or unrelated projects unless you can disable auto-capture/auto-recall, control retention, and delete stored memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (13)

Missing User Warnings
Medium, 92% confidence
Finding: The README advertises automatic persistent memory for every conversation turn but does not clearly warn users that potentially sensitive prompts and model outputs will be stored on disk across sessions. This creates a real privacy and data-retention risk because users may enable the plugin without understanding that secrets, personal data, or proprietary content can be captured and persisted.

Missing User Warnings
High, 97% confidence
Finding: The README instructs users to enable both conversation access and prompt injection, which gives the plugin visibility into user conversations and the ability to inject recalled content into future prompts, but it does not explain the security implications. In an agent plugin context, this is dangerous because recalled content may contain sensitive data and prompt injection expands the plugin's influence over model behavior and downstream tool use.

Missing User Warnings
Medium, 90% confidence
Finding: The documentation states that each turn is summarized and saved to daily markdown files but does not clearly warn that this creates persistent local records of conversation content. Even if storage is local, this can expose sensitive information to other local users, backups, sync tools, or later unintended disclosure.

Missing User Warnings
Medium, 93% confidence
Finding: The plugin automatically captures the last conversation turn on agent_end and persists a summary to disk without any explicit user consent, notice, or per-session opt-in. In a memory plugin, this behavior is functional, but it still creates a privacy/security risk because sensitive prompts, secrets, or proprietary data may be retained unexpectedly and later exposed through search or transcript retrieval.

Missing User Warnings
Medium, 89% confidence
Finding: The memory_transcript tool accepts a transcript_path parameter and returns past session transcript content with no validation that the path stays within an approved session directory or belongs to the current workspace/user context. That can expose historical conversations and, if the parser script trusts the path, may permit broader file disclosure beyond intended transcript files.

Missing User Warnings
Medium, 94% confidence
Finding: The plugin automatically summarizes and persists conversation turns to local memory files and reuses them later, but there is no explicit runtime notice or consent gate at the point of collection. This creates a privacy/security risk because users may unknowingly have sensitive prompts, secrets, internal code discussions, or personal data retained and resurfaced in future sessions.

Missing User Warnings
Medium, 89% confidence
Finding: The memory_transcript tool accepts a transcript path and returns past conversation contents without any visible authorization check, path restriction, or disclosure to the end user. In practice this can expose historical chats containing sensitive data to the model or operator, especially because transcript paths are embedded into stored memory anchors and can be retrieved indirectly from previous memory entries.

Missing User Warnings
Medium, 95% confidence
Finding: The installer silently grants the plugin two highly sensitive OpenClaw capabilities: conversation access and prompt injection. Those permissions materially increase the plugin's ability to read user data and influence agent behavior, and enabling them automatically without explicit informed consent violates the principle of least privilege.

Vague Triggers
Medium, 84% confidence
Finding: The manifest description advertises broad automatic semantic memory behavior across sessions without clearly stating limits, exclusions, or consent boundaries. In a memory plugin, vague automatic activation language can lead users to enable persistent collection and retrieval of prior conversation content without understanding what data is stored or when it is used.

Missing User Warnings
Medium, 93% confidence
Finding: The manifest explicitly enables automatic cross-session capture and recall by default, but it does not warn users about privacy, retention, or third-party data handling implications. Because conversation summaries may contain sensitive information, silent persistence and later reinjection can expose personal, proprietary, or credential-adjacent data beyond the user's expectations.

Ssd 3
Medium, 95% confidence
Finding: The plugin stores summarized conversation turns and embeds anchors to raw transcript files, meaning user-supplied secrets, credentials, internal code, or personal data may be retained and made searchable across sessions. Because this happens automatically and summaries are generated from broad transcript slices, sensitive content can persist even when it was only briefly present in the conversation.

Ssd 3
Medium, 91% confidence
Finding: Auto-recalling recent memories by prepending them to future sessions can leak prior private context into unrelated prompts, increasing the chance of unintended disclosure to the model, tools, logs, or downstream outputs. This is especially risky in multi-project or shared environments where past session content may not be relevant to the current task.

Ssd 3
Medium, 96% confidence
Finding: This skill captures user/assistant content, stores summaries on disk, and injects recent memories into future agent context automatically. That behavior materially increases the chance of cross-session data leakage, where sensitive information from one conversation is surfaced in later prompts, tool outputs, or searches unrelated to the original disclosure.

VirusTotal

66/66 vendors flagged this plugin as clean.

View on VirusTotal