memory-indexer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real memory-indexing skill, but it can persistently change OpenClaw behavior and mutate broad local memory/session data without enough containment.

Install only after reviewing the scripts. Prefer manual setup, delete bundled backup_* directories, back up your OpenClaw memory/session files before enabling compaction, avoid update.sh auto-update behavior unless you trust the repository, and use local embeddings unless you explicitly accept sending memory text to a remote provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (42)

Tainted flow: 'req' from os.environ.get (line 107, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
            headers=headers,
            method="POST"
        )
        with urllib.request.urlopen(req, timeout=30) as response:
            result = json.loads(response.read().decode("utf-8"))
            if "data" in result and len(result["data"]) > 0:
                return result["data"][0]["embedding"]
Confidence
96% confidence
Finding
with urllib.request.urlopen(req, timeout=30) as response:

Tainted flow: 'CONFIG_FILE' from os.getenv (line 44, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    if config is None:
        config = DEFAULT_CONFIG.copy()

    with open(CONFIG_FILE, "w", encoding="utf-8") as f:
        json.dump(config, f, indent=2, ensure_ascii=False)
Confidence
91% confidence
Finding
with open(CONFIG_FILE, "w", encoding="utf-8") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions while the documented behavior and installation steps imply file read/write, shell execution, environment access, and network use. This is dangerous because users and hosting platforms cannot make an informed trust decision when privileged capabilities are hidden or omitted, especially for a tool that persists and modifies memory-related files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as a memory indexing utility, but the broader behavior includes modifying core workspace files, installing hooks, scheduling cron jobs, running update logic, accessing remote/local embedding services, and restoring snapshots. That gap is dangerous because it obscures persistence, automation, and system-modifying behavior that materially increases the attack surface and can surprise users into granting trust far beyond simple indexing.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The changelog shows the skill expanding beyond memory indexing into modifying OpenClaw configuration, installing/updating hooks, and changing startup behavior. That is a scope expansion with security significance because it enables persistence and behavior changes outside the declared purpose, reducing user visibility and increasing the blast radius of installation or update actions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
Documented proactive triggers and new-conversation auto-search behavior mean the skill may access memory implicitly based on user phrasing rather than an explicit command. Hidden or surprising data access is risky in a memory tool because users may reveal historical or sensitive information without realizing the skill is automatically querying stored data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Auto-installing and auto-updating external OpenClaw config and hook files is not necessary for basic memory indexing and introduces privileged side effects in user environment files. This creates a persistence mechanism and can silently alter agent behavior over time, especially during updates, which is dangerous even if intended as convenience rather than overt malice.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
This backup index goes far beyond a minimal keyword map and enumerates large amounts of conversation metadata, session keys, backup filenames, cron activity, workflow hints, and repeated references to untrusted conversation content. Even without full message bodies, such an index materially increases discoverability of sensitive data and makes later extraction, correlation, and targeting much easier for any actor who can read the file.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The module supports sending memory content to external embedding services, which materially changes the trust boundary for a memory-indexing tool handling potentially sensitive notes. Even if remote embeddings are a legitimate feature, the absence of strong disclosure and opt-in makes this a real privacy/security issue in context.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The installer appends and injects policy text into AGENTS.md, MEMORY.md, and HEARTBEAT.md, altering how the host agent behaves beyond merely installing a keyword indexing tool. This creates a persistent trust-boundary violation because the skill rewrites operator guidance and workflow rules, which can steer future agent behavior without explicit per-change consent.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The injected rules are framed as mandatory behavior, causing future sessions and heartbeat flows to call this skill first and automatically. In an agent environment, persistent behavioral hijacking is dangerous because it can bias retrieval, force unnecessary execution paths, and establish long-lived control over downstream actions unrelated to the user’s immediate intent.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script offers to install a cron job that executes the skill daily, creating persistence in the host environment. Although user-prompted, scheduled execution is still a meaningful persistence mechanism that can consume resources, touch data regularly, and continue operating after the installer is forgotten.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script claims to compact files to a configurable maximum size, but the implementation keeps a fixed number of lines and only appends a truncation marker based on size. A large first 150 lines can easily exceed the requested limit, causing oversized memory files to persist and undermining the safety and predictability of the compaction process.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The configuration exposes a path helper for agent session directories, which expands the skill's reach beyond memory indexing into general access to agent session data. In this skill context, session data may contain sensitive prompts, outputs, or credentials, so making that location configurable and easily accessible increases the risk of unintended collection or exfiltration.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script advertises session backup to a backup directory, but never writes a backup copy there and later truncates the original session files in place. This creates a misleading safety guarantee and can cause irreversible data loss if indexing fails, compaction is buggy, or the retained tail omits important context.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The implementation accepts a --backup-dir option and documents backup behavior, but the directory is never used. In a tool handling conversation history, this mismatch is security-relevant because operators may rely on nonexistent recovery protections while the script overwrites originals.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The update script goes far beyond memory indexing by self-updating from Git, installing dependencies, modifying OpenClaw workspace state, copying hooks, and running synchronization logic. Even if intended as a convenience updater, this creates a broad code-execution and environment-modification surface that is disproportionate to the stated skill purpose and dangerous if the repository, branch, or local scripts are tampered with.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This script writes into global OpenClaw workspace and hook directories under the user's home directory, creating symlinks and copying hook content outside the skill's own directory. For a memory-indexing tool, this is excessive privilege and can persistently alter agent behavior or execution flow in ways the user may not expect.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script performs `git pull` from a remote and then executes repository code via `migrate.sh` and sourced `install.sh`. This is a classic trust-chain problem: any compromise of the remote, branch, or local repository state can immediately become arbitrary code execution in the user's environment.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Automatic search on historical-context mentions can trigger implicit access to stored memories without a user warning. In a memory system, this undermines user expectations around when personal or prior-session data is consulted, potentially exposing sensitive context inappropriately in routine conversations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Automatic session backup and compaction involve copying, retaining, and modifying user data, yet the changelog does not indicate explicit notice or consent. This is dangerous because it can change source files, expand retention of sensitive conversations, and make users unaware that backups or compressed derivatives are being created automatically.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Automatic hook installation into the user's home directory changes persistent local behavior and can run in future sessions, but the changelog does not indicate prominent warning or consent. Silent installation into home-directory hook paths is risky because users may not realize the skill has established a durable integration affecting later interactions.

Missing User Warnings

High
Confidence
90% confidence
Finding
The README advertises automatic backup and compaction of session and memory files, including heartbeat-driven behavior, without a prominent warning that user data and memory files may be modified automatically. In an agent skill context, silent persistence and file rewriting can expose sensitive conversation history, alter records unexpectedly, and create privacy and integrity risks if enabled by default.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The new-conversation hook automatically searches prior memory at chat start, but the README does not provide a privacy warning or consent model for this behavior. In a memory tool for AI agents, automatic recall on session start can surface sensitive historical data unexpectedly and broaden access to personal or project information beyond user expectations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises automatic session backup, compaction, and memory indexing of conversation data, but it does not prominently warn users that potentially sensitive chat content will be stored and transformed persistently. In an agent environment, this can lead to unintentional retention of secrets, personal data, or proprietary information beyond the user’s expectations, increasing privacy and data handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.
