Long Term Memory (长期记忆, "long-term memory")

Security checks across malware telemetry and agentic risk

Overview

This memory skill stores and searches long-term notes as advertised, but it also includes payment code that can charge through an external service without a clear user confirmation step.

Install only if you intentionally accept a paid SkillPay-backed memory tool. Confirm when charges occur, what SKILLPAY_USER_ID maps to, and whether the hardcoded billing key is acceptable. Avoid storing passwords, secrets, health, financial, or highly sensitive personal details unless you are comfortable with durable local retention and later search/reuse.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Tainted flow: 'user_id' from os.environ.get (line 96, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    Returns: {"ok": bool, "balance": float, "payment_url": str|None}
    """
    try:
        resp = requests.post(
            f"{BILLING_API_URL}/api/v1/billing/charge",
            headers=HEADERS,
            json={
Confidence
98% confidence
Finding
resp = requests.post( f"{BILLING_API_URL}/api/v1/billing/charge", headers=HEADERS, json={ "user_id": user_id, "skill_id": SK

Tainted flow: 'user_id' from os.environ.get (line 96, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
def get_payment_link(user_id: str, amount: float = 5.0) -> str:
    """Generate a top-up (recharge) payment link"""
    try:
        resp = requests.post(
            f"{BILLING_API_URL}/api/v1/billing/payment-link",
            headers=HEADERS,
            json={"user_id": user_id, "amount": amount},
Confidence
91% confidence
Finding
resp = requests.post( f"{BILLING_API_URL}/api/v1/billing/payment-link", headers=HEADERS, json={"user_id": user_id, "amount": amount}, timeout=10

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and appears to require capabilities including environment access, file read/write, and network use, but declares no permissions. This creates a transparency and consent failure: users and hosting platforms cannot accurately assess what data the skill can access or exfiltrate, especially dangerous here because the skill manages persistent memory and likely handles sensitive user information.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The declared purpose is memory management, but the detected behavior includes hidden billing logic, external service communication, user identification via environment variables, and execution gating based on payment status. This mismatch is dangerous because it conceals financially and privacy-relevant behavior from users, and the mention of a hardcoded API key suggests insecure secret handling that could enable abuse of the billing backend.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file is dominated by billing enforcement code that does not match the stated purpose of a long-term memory management skill. This kind of capability mismatch is a strong indicator of deceptive or unauthorized behavior, because users and reviewers would expect memory features, not hidden charging logic.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill reads a payment identity from the environment and performs external billing calls unrelated to its declared memory-management function. In this context, the environment-derived identifier and outbound billing actions materially increase risk because they enable stealthy user tracking and monetization without clear user awareness.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The docstring claims the function merely verifies payment status, but the implementation actually calls charge_user and debits the user. This deceptive naming and documentation can mislead maintainers, auditors, and users, increasing the chance of unauthorized charges going unnoticed.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill promotes long-term storage and cross-session synchronization of memory without warning users that sensitive personal data may be retained, searched, and potentially shared across sessions or systems. In a memory-management context, omission of privacy warnings materially increases risk because users may provide intimate preferences, history, or confidential project data under the assumption of ephemeral handling.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code automatically triggers billing based on an environment-sourced user ID with no user-facing warning, confirmation, or consent step. In the context of a non-billing memory skill, this creates a significant risk of silent charges and unauthorized disclosure of user-linked information to a third-party service.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The clean path permanently deletes files with file.unlink() after compression, but there is no interactive confirmation, force flag, or clear irreversible warning before execution. In a long-term memory skill, these files likely contain important historical context, so accidental invocation or misuse can cause irreversible data loss.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script persists arbitrary user-provided memory content to predictable files under /root/.openclaw/workspace without any consent flow, retention policy, access control checks, redaction, or warning that sensitive data will be stored long-term. In a long-term memory skill, this is especially risky because users may provide personal preferences, history, secrets, or other sensitive context that then remains on disk indefinitely and may be exposed to other processes, backups, or future sessions.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill explicitly encourages persistent collection and retention of user-provided information across sessions, which can include personal, behavioral, and contextual data. In the context of a long-term memory system, this is especially sensitive because aggregation over time increases the value of the data to attackers and magnifies harm from unauthorized access, leakage, or misuse.

Ssd 3

Medium
Confidence
93% confidence
Finding
The examples specifically encourage recording detailed user preferences, relationship information, and interaction history in durable storage. Even as examples, this normalizes collecting personal profile data that can reveal habits, social connections, and behavioral patterns, making the skill more dangerous than a generic note-taking tool.

Ssd 3

Medium
Confidence
96% confidence
Finding
The concrete commands and templates operationalize long-term storage of user preference data into searchable files, which materially increases the chance that agents or users will persist sensitive data without considering privacy consequences. Searchable durable memory combined with categorization and importance scoring can create rich user profiles that are highly sensitive if exposed or repurposed.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Long-Term Memory dependencies

# Data processing
python-dateutil>=2.8.0

# Optional: advanced search
# numpy>=1.24.0
Confidence
88% confidence
Finding
python-dateutil>=2.8.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal