Back to skill

Security audit

Memoria Persistente para Agentes

Security checks across malware telemetry and agentic risk

Overview

This persistent-memory skill is not visibly malicious, but it can store personal and session history broadly without clear consent, review, deletion, or workspace-boundary controls.

Install only if you intentionally want durable cross-session memory. Restrict it to a specific workspace, review or disable session-sync access to home/OpenClaw state, avoid storing health data, secrets, or credential references, use dry-run modes first, and establish a clear way to inspect, edit, and delete saved memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly instructs reading and writing memory files and running shell commands to initialize directories and invoke maintenance scripts, yet it declares no permissions. This creates a transparency and least-privilege problem: an agent or reviewer may underestimate that the skill can persist data, modify files, and execute local commands, increasing the chance of unauthorized data retention or workspace modification.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script performs networked repository analytics that are unrelated to the declared purpose of persistent memory for agents. In a skill package, unrelated telemetry or monitoring code expands the trust boundary and can normalize unexpected outbound access, which is risky because users and reviewers may not expect nonessential network activity.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file is materially unrelated to the advertised skill behavior and appears to monitor GitHub adoption metrics rather than implement memory persistence. This mismatch is dangerous in security review because extraneous code can conceal unnecessary capabilities, complicate auditing, and introduce side effects outside the user's expected consent model.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script searches for session data outside the provided workspace, including the user's home OpenClaw state and an environment-selected directory. That broadens the trust boundary and can cause one workspace or skill execution to ingest unrelated transcripts, leading to unintended cross-project data exposure and privacy leakage.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger conditions are broad—such as when the agent 'detects important information worth persisting' or during 'periodic memory maintenance during heartbeats'—which can cause the skill to activate without clear user intent. In a persistence skill, unintended invocation is particularly risky because it can silently collect, retain, and reorganize personal data across sessions.

Missing User Warnings

High
Confidence
95% confidence
Finding
This skill is specifically designed to retain user preferences, context, decisions, and session-derived information across sessions, but it does not prominently warn users that their data may be stored persistently. Without a clear notice and consent model, users may disclose sensitive personal information under the assumption it is ephemeral, leading to privacy violations and over-retention.

Missing User Warnings

High
Confidence
90% confidence
Finding
The skill encourages storing personal facts and explicitly includes examples like medications in 'Quick Reference' and a rule saying not to ask again if core memory already contains medication data. Health-related and similarly sensitive data require heightened handling, yet the skill offers no meaningful warning, consent flow, minimization policy, or safeguards beyond a narrow note about secrets in core.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The migration command `head -50 MEMORY.md > memory/core.md` will overwrite `memory/core.md` if it already exists, which can destroy previously accumulated persistent memory. In a memory-management skill, silent data loss is especially relevant because the feature's purpose is to preserve long-term context, so unsafe migration guidance directly undermines integrity and availability of that data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script is explicitly designed to read prior session transcripts and write a shared index for reuse by any session, yet there is no consent, notice, or access-control check in this flow. In a persistent-memory skill, that makes cross-session privacy leakage more dangerous because users may assume session boundaries that the tool silently collapses.

Ssd 3

Medium
Confidence
93% confidence
Finding
The file's stated purpose is to promote transcript-derived context into a shared index that any session can consult. That is a real data-isolation weakness: information revealed in one conversation can be surfaced in another without strong separation, creating privacy and confidentiality risks across users, channels, or projects.

Ssd 3

Medium
Confidence
95% confidence
Finding
This code iterates over all sessions, reads transcript files, extracts topics, and persists them into shared archival storage. Even though it stores summaries rather than full transcripts, the extracted topics can still reveal sensitive projects, services, organizations, or user activities, and the broad indexing behavior increases exposure surface.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.