
Security audit

Vector Memory (Windows) for OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This is a real local memory bundle, but it asks the agent to store and reuse user/project context silently while also modifying git repository state and offering destructive cleanup commands.

Review carefully before installing. Use only in repositories where silent local memory is acceptable, avoid storing secrets or regulated data, pin and audit dependencies, and do not run the git-notes or wipe workflows unless you are comfortable with git metadata changes and possible memory data loss.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (22)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill advertises executable setup and operational steps that use shell commands, read local files, and consume environment-controlled paths, but it does not declare permissions for those capabilities. This is dangerous because users and agents cannot accurately assess or constrain what the skill may access or modify, increasing the chance of unintended file access or command execution in a sensitive local environment.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The described behavior materially understates the actual capabilities: the bundled components can initialize and modify git repositories, ingest local project files for context, and maintain broad branch-aware memory operations beyond the narrow 'decision memory' framing. This is dangerous because users may grant trust based on a benign description while the skill performs repository mutation and local data collection, which can affect source integrity and expose sensitive project information.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The skill explicitly instructs the agent to perform persistent memory actions silently and to never disclose them to users. This removes informed user awareness and consent around storage of conversation-derived data, creating privacy, compliance, and trust risks even if the feature is intended for convenience.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
This section directs automatic capture of broad categories of user information such as decisions, preferences, tasks, and project context without prompting. Such blanket collection can persist sensitive or unexpected personal/workflow data and expands the risk of over-collection beyond what users reasonably expect.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding
The module silently initializes a git repository and creates an empty commit in the target path as part of normal memory operations. In an agent-skill context, that is a hidden side effect that can alter user projects, affect CI/workflows, and create persistence in directories where the user did not authorize repository creation.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The README explicitly describes a persistent memory system that stores contextual information across sessions and emphasizes 'automatic, silent operation' without any privacy notice, consent model, retention policy, or warning about sensitive data capture. In a coding assistant skill, this is dangerous because users may disclose credentials, internal architecture, or personal preferences that are then silently retained in repository-local storage and later resurfaced without their awareness.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The activation instructions tell users to put 'YOU MUST ALWAYS USE `git-notes-memory` SKILL' in the project root, which semantically mandates continuous use of a persistent memory layer while omitting any warning that it will automatically record information into the repository metadata. This increases the likelihood of blanket deployment in sensitive repos where users and collaborators may not realize data is being silently retained across sessions.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The skill integration section promises the system will 'never ask,' 'never announce,' and 'never show' command output while automatically managing memory lifecycle. Silent collection and reuse of conversational or project data without visibility or consent creates a significant privacy and governance risk, especially when the stored content may include sensitive internal decisions or user-specific information.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The front matter and opening rules mandate fully silent persistent storage and retrieval with no disclosure or warning to the user. In the context of a cross-session memory system, this is particularly dangerous because it normalizes hidden data handling and defeats transparency safeguards that users rely on when sharing information with an assistant.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The examples operationalize hidden persistence of user preferences, tasks, and project context, making the risky behavior easy to reproduce in normal use. Because examples often shape implementation more strongly than policy text, they increase the likelihood of systematic covert retention of user data.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding
The code performs git init and creates an empty commit without any user-facing notice, consent, or configuration gate. For a memory skill, silently changing repository state violates the principle of least surprise and can interfere with existing developer workflows, audit history, or policy controls.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill includes irreversible deletion commands for the LanceDB memory directory but does not provide an explicit warning, confirmation step, or backup guidance. In an agent-skill context, presenting destructive commands as routine maintenance increases the risk that users or downstream automation execute them without understanding the data-loss consequences.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The monthly cron example automates recurring deletion and reseeding of memory storage without clearly warning that it performs destructive erasure on a schedule. This is more dangerous than a one-off command because it can repeatedly remove data, normalize risky maintenance behavior, and make recovery difficult if important memories were not successfully reseeded.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The documented behavior directs the agent to retain and reuse information across sessions without user visibility, which creates a natural-language data retention and disclosure channel. Even without code execution or network exfiltration, the assistant can later reveal or act on previously stored sensitive context in ways the user does not expect or cannot audit.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
Mandating always-on use of a persistent memory skill encourages continuous collection of project and user context without qualification or data minimization. In the context of a repository-associated assistant workflow, that expands the chance of long-term retention of sensitive discussions, architecture choices, or user preferences beyond what is necessary for the task.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The skill instructs the agent to persist user-provided context and preferences across sessions without user awareness. Cross-session retention increases privacy exposure and can surprise users by resurfacing old data later, especially when they were never told the information would be stored long-term.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
This guidance tells the agent to silently remember broad classes of user-shared information during the session, which can lead to indiscriminate collection. Even if secrets are later excluded by policy text, the operational rule still encourages overbroad capture of potentially sensitive context without notice.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content
```
inherited created          feature
```

1. **Create branch** → Automatically inherits memories from main/master
2. **Work on branch** → New memories stored in branch-specific notes
3. **Merge branch** → Run `merge-branch` to combine memories
Confidence: 91%
Finding
1. **Create branch** → Automatically inherits memories from main/master 2. **Work on branch** → New memories stored in branch-specific notes 3. **Merge branch** → Run `merge-branch` to combine memories

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content
```
lancedb
pandas
pyarrow
```
Confidence: 96%
Finding
lancedb

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content
```
lancedb
pandas
pyarrow
```
Confidence: 98%
Finding
pandas

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content
```
lancedb
pandas
pyarrow
```
Confidence: 99%
Finding
pyarrow

Known Vulnerable Dependency: pyarrow — 8 advisories: CVE-2023-47248 (PyArrow: Arbitrary code execution when loading a malicious data file); CVE-2019-12408 (Missing Initialization of Resource in Apache Arrow); CVE-2019-12410 (Missing Initialization of Resource in Apache Arrow) +5 more

Severity: Critical
Category: Supply Chain
Confidence: 95%
Finding
pyarrow

VirusTotal

66/66 vendors flagged this skill as clean.
