Trident Plugin

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate memory plugin, but it needs review because it can persist broad conversation history, run background processing, start downloaded database services, and send memory-derived data to optional external systems.

Review before installing in any sensitive workspace. Treat this as a long-term recorder for agent conversations: disable semantic recall, cloud endpoints, and Git backup unless you explicitly need them; avoid storing secrets; verify any downloaded binaries yourself; and confirm how to purge or relocate memory before enabling scheduled background routing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
Automatically downloading and then executing database binaries is a significant supply-chain and arbitrary-code-execution risk. Even if intended for convenience, fetching executables at runtime without strong provenance, signature verification, pinned hashes, and explicit user consent can allow compromise of the host running the plugin.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Injecting retrieved memory into the system prompt changes the tool from passive storage into an active influence channel over model behavior. If stored memory contains sensitive, untrusted, or attacker-inserted content, this can lead to prompt injection, privacy leakage, or unsafe model steering across future sessions.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The configuration includes a Git remote for memory backups, which can exfiltrate highly sensitive agent/user memory to external infrastructure. Because the headline description does not foreground remote synchronization, operators may enable the skill without realizing persistent data can be pushed off-host.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide explicitly advertises 'capturing all conversation' and automatic long-term storage, but it does not provide a clear privacy notice, consent flow, retention policy, or guidance on handling secrets and sensitive data. In a memory plugin, this is a real security and privacy issue because users may unknowingly persist credentials, personal data, or proprietary information indefinitely.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The Semantic Recall section instructs users to export existing memory into embeddings and use external embedding services and optionally managed Qdrant, but it does not clearly warn that stored memory content may leave the host and be transmitted to third-party services. This creates a meaningful confidentiality risk for any sensitive conversations, documents, or credentials captured by the plugin.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README states that binaries are downloaded and started automatically on first run, but it does not clearly warn users that installation/init will make network requests, place executables on disk, and launch local services. In an agent plugin context, silent binary download and execution materially increases supply-chain and host-modification risk because users may treat setup as a harmless configuration step.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The quick start flow says `openclaw trident init` creates directory structure and downloads binaries, but the sequence does not present this as a security-relevant action requiring user awareness and consent. This is dangerous because users may execute initialization in sensitive environments without realizing it will fetch software and modify the system state.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README markets persistent memory and 'lossless capture' without a clear privacy or retention warning, despite describing storage of agent conversations and semantic recall. In a memory plugin, omission of retention boundaries and privacy guidance can lead operators to capture sensitive user, credential, or business data without informed consent or minimization controls.

Missing User Warnings

High
Confidence
97% confidence
Finding
The configuration example includes a Git remote for memory backups but does not clearly warn that conversation-derived memory may be pushed to an external repository. This creates a serious exfiltration and privacy risk because highly sensitive personal or organizational context could be replicated outside the local environment, potentially to public or misconfigured remotes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation normalizes silent network retrieval and startup of executable components without a clear warning, which undermines safe operator consent. In practice this can lead to unexpected outbound connections and execution of unreviewed software in sensitive environments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Promising lossless capture of every message without an accompanying privacy and retention warning creates a real risk of collecting credentials, personal data, regulated information, and other sensitive content indefinitely. The danger is amplified because this is a memory plugin whose core function is broad persistence across sessions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Documenting Git-based backup without clearly warning that memory contents may be pushed to a remote repository can expose confidential conversations, credentials, and personal data. The risk is substantial because users may treat backups as local safety features while the configuration actually supports off-host replication.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The schema exposes configuration for external model providers and cloud/vector database endpoints that may receive stored memory data, yet it lacks explicit privacy and data-transfer warnings at the point of configuration. In a memory plugin handling potentially sensitive agent context, this increases the risk of operators enabling third-party transmission without understanding the confidentiality impact.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The schema includes a destructive upgrade-time wipe flag that can irreversibly delete the entire memory directory, but it relies only on a warning string and provides no confirmation guardrail. In the context of a permanent-memory plugin, accidental activation could cause severe integrity and availability loss for stored agent history and recovery data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The plugin enables persistent memory by default and describes disk-backed logging and long-term retention, but the manifest does not present any clear warning or consent mechanism about storing potentially sensitive agent context on disk. In an agent memory plugin, this can lead to unintentional retention of secrets, user data, or proprietary workspace content, especially when users assume memory is ephemeral.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation block uses type 'cron' with trigger 'environment', which is underspecified and could cause the plugin to run in broader contexts than intended. For a memory plugin with persistent file access, background routing, and network connectivity, ambiguous activation scope increases the risk of unintended autonomous execution and data processing.

Ssd 3

Medium
Confidence
91% confidence
Finding
The documentation promotes broad persistent retention and retrieval of user conversation content as a core feature, which naturally increases the chance that sensitive data will later be surfaced in prompts, search results, or recall operations. In an agent memory system, this is a real data leakage risk even without explicit malicious behavior because retrieval features make old secrets easier to redisclose.

Ssd 3

High
Confidence
97% confidence
Finding
The README explicitly frames the product around capturing every message and preserving it indefinitely, which semantically enables storage of credentials, personal data, confidential strategy, and other sensitive inputs. In the context of an agent plugin designed for recall and context injection, indefinite retention substantially amplifies the blast radius of prompt leakage, compromise, or accidental disclosure.

Ssd 3

High
Confidence
98% confidence
Finding
The architecture section says every message is captured and that nothing is ever truly lost, indicating indefinite retention of potentially sensitive user inputs. This is especially dangerous for a memory plugin because later search, semantic recall, backups, or compromise of the memory store can expose historical secrets that users reasonably expected to fade or be deleted.

Ssd 3

Medium
Confidence
87% confidence
Finding
The skill is explicitly designed to retain and recall broad user-provided content across time, which creates a genuine confidentiality and minimization risk even absent malicious intent. A memory system is the exact context where over-collection and over-retention become more dangerous, not less, because the capability is central and persistent.

Ssd 3

Medium
Confidence
89% confidence
Finding
Pre-turn semantic recall that resurfaces stored material into prompts increases the chance that stale, sensitive, or attacker-seeded content is re-exposed in unrelated contexts. This broad resurfacing behavior can leak private information and amplify prompt-injection risks over time.

Session Persistence

Medium
Category
Rogue Agent
Content
### 3. Initialize Memory Tiers

```bash
# Create directory structure + config
openclaw trident init

# Runs Layer 0.5 signal router (one-time bootstrap)
openclaw trident bootstrap
```

### 4. Verify

```bash
openclaw trident status
# Output:
```
Confidence
76% confidence
Finding

VirusTotal

66/66 vendors flagged this skill as clean.
