Security audit

Rookie Memory

Security checks across malware telemetry and agentic risk

Overview

This memory skill mostly matches its stated purpose, but it under-discloses that remembered conversation text is sent to an external embedding API using credentials discovered on the local machine.

Install only if you trust the publisher and are comfortable with conversation memory being saved locally and sent to the configured BigModel/Zhipu embedding service. Use a dedicated low-scope API key, avoid storing secrets or regulated data, review the memory directory regularly, and run cleanup in dry-run mode before deleting records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Tainted flow: 'url' from os.environ.get (line 60, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    }

    try:
        # Sink flagged above: 'url' originates from os.environ.get (line 60),
        # and the request body carries the remembered conversation text.
        response = requests.post(url, headers=headers, json=data, timeout=30)
        response.raise_for_status()
        result = response.json()
        if 'data' in result and len(result['data']) > 0:
Confidence
96% confidence
Finding
response = requests.post(url, headers=headers, json=data, timeout=30)

Tainted flow: 'log_file' from os.environ.get (line 992, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    log_entry += "\n".join([f"  • {m.get('content', '')[:100]}..." for m in short_memories[-5:]])
    log_entry += "\n"

    # Sink flagged above: 'log_file' originates from os.environ.get (line 992).
    with open(log_file, 'a', encoding='utf-8') as f:
        f.write(log_entry)

    print(f"   ✓ 已生成日志: {log_file}")
Confidence
88% confidence
Finding
with open(log_file, 'a', encoding='utf-8') as f:

Tainted flow: 'l1_decisions_file' from os.environ.get (line 925, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    new_entry = f"\n\n## {date_str} (手动提取)\n\n"
    new_entry += "\n".join(decisions_found)

    # Sink flagged above: 'l1_decisions_file' originates from os.environ.get (line 925).
    with open(l1_decisions_file, 'a', encoding='utf-8') as f:
        f.write(new_entry)

    print(f"✓ 已更新 key-decisions.md (新增 {len(decisions_found)} 条)")
Confidence
84% confidence
Finding
with open(l1_decisions_file, 'a', encoding='utf-8') as f:

Tainted flow: 'l1_decisions_file' from os.environ.get (line 925, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
        new_entry = f"\n\n## {date_str} (自动保存)\n\n"
        new_entry += "\n".join(decisions_found)

        # Sink flagged above: 'l1_decisions_file' originates from os.environ.get (line 925).
        with open(l1_decisions_file, 'a', encoding='utf-8') as f:
            f.write(new_entry)

        print(f"   ✓ 已更新 key-decisions.md (新增 {len(decisions_found)} 条)")
Confidence
85% confidence
Finding
with open(l1_decisions_file, 'a', encoding='utf-8') as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill advertises commands that read and write workspace files, use a Python environment with additional dependencies, and rely on ChromaDB/embedding functionality, yet no permissions are declared. That creates a transparency and policy-enforcement gap: an agent or user may invoke a skill with filesystem and network effects without informed consent or sandbox restrictions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior omits materially sensitive actions: reading credentials from /root/.openclaw/openclaw.json, sending memory/query content to an external embedding API, and generating derivative files such as decision logs and daily logs. This mismatch is dangerous because users may believe the skill is local-only memory management while it actually exfiltrates conversation-derived content and expands persistence surface area.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill reads a broader OpenClaw configuration file to harvest API credentials instead of only using an explicitly supplied key for this tool. That expands trust boundaries and grants the script access to secrets outside its immediate purpose, which is dangerous if the skill is run in privileged agent environments.

Description-Behavior Mismatch

Low
Confidence
82% confidence
Finding
The daily-log feature stores derived conversation excerpts on disk, which is broader data retention than a user may expect from a memory helper. In the context of an AI agent, logs can accumulate sensitive prompts, outputs, and workflow details, raising confidentiality and compliance concerns.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill describes bootstrap/autosave workflows that automatically persist conversation content, preferences, and summaries, but it does not present a clear, up-front warning to users that their content will be stored and logged. This can lead to inadvertent retention of sensitive data across sessions and unexpected privacy exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The cleanup feature describes deletion of stale and duplicate memories, including a non-dry-run mode, without a prominent caution that deletion may be irreversible and could remove useful or incorrectly classified memories. In a memory system, silent destructive operations can cause integrity loss and denial of service against the agent's retained knowledge.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation explicitly demonstrates storing personally identifying information and user preferences in the memory system, but it provides no consent, retention, minimization, or privacy guidance. In an AI memory skill, this can normalize persistent collection of sensitive user data and lead to privacy violations, over-retention, or noncompliant handling of personal information.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The integration example sends raw user_message and user_query into the memory subsystem with no warning about filtering, consent, or sensitive-data handling. In context, this makes unsafe-by-default integration likely, causing developers to persist arbitrary user input including secrets, personal data, or regulated content.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
During autosave and semantic operations, raw conversation content is transmitted to an external embedding service without an explicit warning or confirmation. Because this skill is designed to collect and retain memory, the transmitted data is especially likely to contain sensitive user, system, or operational information.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script silently pulls API credentials from environment variables and then falls back to a local application config, without clear user disclosure. In an agent setting, this can unexpectedly widen access to secrets and make the skill operate with credentials the user did not intend to expose to it.

Ssd 3

Medium
Confidence
89% confidence
Finding
The skill is explicitly designed to retain user-provided identity, preferences, decisions, and conversation context across sessions, including logs and long-term retrieval. In context, persistence is the core function, but retaining stable personal or sensitive facts without minimization, consent, or classification controls increases privacy risk and expands the blast radius if the workspace or vector store is accessed by others.

Ssd 3

Medium
Confidence
98% confidence
Finding
The autosave workflow persists raw conversation content into summaries, vector storage, decision files, and logs without sensitivity filtering. In a memory-management skill, this materially increases risk because the whole purpose is to accumulate and reuse prior conversation data, which may include secrets, personal data, or confidential instructions.

Ssd 3

Medium
Confidence
91% confidence
Finding
Bootstrap and display functions print previously stored memory contents directly to stdout, including excerpts from persistent files and conversation history. This increases exposure of captured sensitive data to terminals, logs, shared sessions, or downstream tooling, especially in multi-user or recorded agent environments.

VirusTotal

64/64 vendors flagged this skill as clean.
