Back to skill

Security audit

Project Trident

Security checks across malware telemetry and agentic risk

Overview

Project Trident is a coherent persistent-memory skill, but it can continuously store, structure, and optionally upload broad conversation and workspace data, so it needs careful review before use.

Install only if you explicitly want long-lived agent memory. Before enabling cron routing, semantic indexing, cloud models, Git backup, or VPS snapshots, decide what data may be remembered, exclude secrets and sensitive personal/business data, use local models or private/encrypted backups for sensitive work, and confirm you know how to stop the cron jobs and inspect, edit, delete, or purge stored memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (25)

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The document states that Layer 0.5 has no external network requirements, but elsewhere recommends cloud models, Git push to remote hosting, and optional VPS API snapshot calls as part of the architecture. Contradictory security claims can cause operators to deploy the skill under false assumptions, weakening network isolation controls and increasing the chance that sensitive memory is transmitted externally.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The guide instructs users to initialize a Git repository and configure a remote, then automate daily pushes of workspace memory to GitHub. That adds outbound data exfiltration capability beyond local persistence and can expose sensitive memory contents if the repository is misconfigured, shared, or compromised.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README strongly promotes persistent capture of agent conversations and state but does not clearly warn that this memory may contain sensitive personal, operational, or secret data. In a memory skill, omission of explicit privacy and retention guidance materially increases the risk that users will store confidential data indefinitely and sync it elsewhere unintentionally.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The backup flow presents GitHub/GitLab/Gitea backup as a normal feature without explicitly warning that memory contents may be transmitted to third-party remote services. Because the stored memory includes conversation-derived data, this can lead to accidental disclosure beyond the local system and expands the trust boundary significantly.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The WAL triggers are broad enough to match ordinary conversation, including common facts, preferences, dates, numbers, and corrections. In a memory skill whose core behavior is persistent storage, ambiguous triggers increase the likelihood of over-collection and silent retention of incidental or sensitive user content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill heavily emphasizes persistent recording across SQLite, markdown files, and backups, but does not provide a prominent up-front warning that user conversations may be retained and versioned. That omission undermines informed consent and materially increases privacy risk, especially because the design normalizes long-term storage and replication.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document recommends scheduled cloud-model configurations for Anthropic/OpenRouter without clearly warning that routine Layer 0.5 runs may transmit agent memory, conversation-derived data, and other potentially sensitive content to an external provider. In a persistence/memory skill, that omission materially increases privacy and data-governance risk because users may deploy continuous background sync assuming only local storage costs/behavior are relevant.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Gemini section promotes a budget-friendly external API option but omits a warning that use of this configuration sends data to Google's service. Because this skill centers on persistent memory and continuous routing, users may unknowingly expose sensitive agent context or stored memory artifacts to a third party during recurring runs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The embedding script recursively reads Markdown files from the workspace and sends their contents to the OpenAI embeddings API, which may include private identity, memory, project, or reflection data. Because this occurs without an explicit warning, consent step, minimization, or exclusion rules, users may unknowingly transmit sensitive local data to third-party services.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide includes privileged, system-modifying commands such as package upgrades and repository bootstrap steps without a clear warning that they alter the host system. In documentation for an agent skill, this is risky because users may paste commands directly into production VPS environments without understanding persistence, compatibility, or rollback implications.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The instructions direct the user to create and force-create directories and files inside the workspace, including `MEMORY.md` and `SESSION-STATE.md`, without any warning that these actions modify persistent local state and may overwrite existing content. In a skill centered on persistent memory, this increases the chance of unintended data clobbering, privacy exposure, or durable changes the user did not fully consent to.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The file instructs users to set up a recurring cron job that continuously reads prompts and routes signals from captured conversations, but it does not clearly warn about ongoing collection, retention, and processing of potentially sensitive user or agent data. Because this is automated and persistent, users may enable surveillance-like behavior without understanding the privacy and retention consequences.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The template explicitly instructs the agent to write to persistent memory files but provides no requirement for user consent, preview, or warning before modifying long-lived data. This is dangerous because it can silently store sensitive or incorrect information across sessions, creating privacy and integrity risks that persist beyond the current interaction.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs the agent to read daily logs, config, and state files that may contain sensitive user or system information, yet it does not warn about that access or constrain what may be inspected. This broad, silent ingestion increases the chance of over-collection, privacy violations, and unintended exposure of secrets or personal data.

Ssd 3

Medium
Confidence
94% confidence
Finding
The design explicitly encourages capturing every message and preserving it across sessions, which creates a built-in data retention and leakage risk for natural-language content. Even without malicious code, a system that stores all interactions can accumulate secrets, personal data, and sensitive operational details that later become exposed through local compromise, backups, or unintended reuse.

Ssd 3

Medium
Confidence
95% confidence
Finding
The workflow instructs the agent to write critical facts before responding and route raw logs into persistent memory buckets, which can semantically normalize storing sensitive user-provided information. In context, this is more dangerous because the skill is specifically intended to create durable cross-session memory, making accidental retention systematic rather than incidental.

Ssd 3

Medium
Confidence
93% confidence
Finding
The documented structure combines daily logs, identity/self files, long-term buckets, and Git-based backup, implying broad and long-lived exposure of conversation-derived data. This layering increases risk because sensitive data can propagate from raw logs into multiple persistent stores and backups, making later deletion or containment difficult.

Ssd 3

Medium
Confidence
95% confidence
Finding
The architecture is designed to retain user-provided content in durable stores and to organize it for long-term recall, including identity, projects, facts, and lessons, without meaningful minimization safeguards described here. In practice this can capture sensitive personal or operational data and preserve it in plain-text formats that are easy to browse, copy, or accidentally expose.

Ssd 3

Medium
Confidence
97% confidence
Finding
The WAL protocol directs the system to record user facts, preferences, numbers, dates, URLs, and corrections before responding. This is dangerous because it prioritizes persistence over consent and context, making it easy to capture sensitive or regulated information reflexively and propagate it into later layers and backups.

Ssd 3

High
Confidence
98% confidence
Finding
The daily backup flow explicitly instructs pushing accumulated memory to remote Git hosting and optionally calling a VPS snapshot API. Because the same memory system is intended to store user facts, decisions, identity-related data, and operational notes, this materially increases exfiltration and over-retention risk by replicating sensitive content to external services.

Ssd 3

Medium
Confidence
97% confidence
Finding
The memory bucket design encourages persistent storage of personal preferences, identity attributes, opinions, project state, and other user-provided details in long-term files. Persisting this broad profile data without tight consent and minimization controls creates a meaningful privacy risk and can enable profiling, accidental disclosure, or misuse across future sessions.

Ssd 3

High
Confidence
98% confidence
Finding
The high-priority rules specifically instruct capture of named people, companies, places, relationships, and location details from user messages into persistent memory. That makes the skill more dangerous because it prioritizes collecting personally identifiable and relational information, increasing privacy harm if the memory store is exposed, reused inappropriately, or poisoned with incorrect details.

Ssd 3

High
Confidence
98% confidence
Finding
The execution flow requires line-by-line scanning of daily logs and extraction of corrections, preferences, decisions, facts, and entities for storage into persistent files. This systematic harvesting of conversational data makes accidental collection of sensitive information likely and can preserve private or mistaken content in durable memory without contextual safeguards.

Session Persistence

Medium
Category
Rogue Agent
Content
---

### Step 2: Create Layer 1 Directory Structure

**Linux / Mac:**
```bash
Confidence
88% confidence
Finding
Create Layer 1 Directory Structure **Linux / Mac:** ```bash cd ~/.openclaw/workspace mkdir -p memory/{daily,semantic,self,lessons,projects,reflections,layer0} touch MEMORY.md SESSION-STATE.md ``` **

Session Persistence

Medium
Category
Rogue Agent
Content
### Routing Quality Rules

**Rule 1: Compress over accumulate**
- Write only high-signal facts (1-2 sentences each)
- Avoid verbose explanations; assume reader is smart
- If already in memory, reference existing entry instead of duplicating
Confidence
84% confidence
Finding
Write only high-signal facts (1-2 sentences each) - Avoid verbose explanations; assume reader is smart - If already in memory, reference existing entry instead of duplicating **Rule 2: Categorize pre

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.