MemSync Dual Memory System

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about being an always-on memory logger, but it needs review because it persistently captures and indexes nearly all agent activity, including tool outputs, without built-in scope, redaction, or retention controls.

Install only if you intentionally want complete, always-on conversation memory. Keep local log and .mv2 files in a protected location, avoid using API mode for sensitive work unless you accept third-party processing, and review or delete stored logs regularly. Do not set MEMVID_BIN, MEMVID_PATH, or JSONL_LOG_PATH to locations you do not fully control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (25)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cmd.extend(["--tag", tag])
        
        # Call memvid put
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence
87% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=30 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Create memory file for current month if it doesn't exist."""
    if not os.path.exists(MEMVID_PATH):
        try:
            subprocess.run(
                [MEMVID_BIN, "create", MEMVID_PATH],
                capture_output=True,
                timeout=30
Confidence
85% confidence
Finding
subprocess.run( [MEMVID_BIN, "create", MEMVID_PATH], capture_output=True, timeout=30 )

Tainted flow: 'cmd' from os.environ.get (line 200, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
cmd.extend(["--tag", tag])
        
        # Call memvid put
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence
92% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=30 )

Tainted flow: 'MEMVID_BIN' from os.environ.get (line 60, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
"""Create memory file for current month if it doesn't exist."""
    if not os.path.exists(MEMVID_PATH):
        try:
            subprocess.run(
                [MEMVID_BIN, "create", MEMVID_PATH],
                capture_output=True,
                timeout=30
Confidence
93% confidence
Finding
subprocess.run( [MEMVID_BIN, "create", MEMVID_PATH], capture_output=True, timeout=30 )

Tainted flow: 'LOG_PATH' from os.environ.get (line 34, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
"""Append conversation turn to JSONL file."""
    try:
        os.makedirs(os.path.dirname(LOG_PATH), exist_ok=True)
        with open(LOG_PATH, "a", encoding="utf-8") as f:
            f.write(json.dumps(log_entry, ensure_ascii=False) + "\n")
            f.flush()
        return True
Confidence
79% confidence
Finding
with open(LOG_PATH, "a", encoding="utf-8") as f:

Missing User Warnings

High
Confidence
95% confidence
Finding
The README explicitly advertises logging of 'everything' including user messages, assistant responses, sub-agent conversations, tool executions, and system events, but provides no privacy notice, consent guidance, or discussion of sensitive-data handling. In an agent environment, this can capture secrets, personal data, credentials, and proprietary tool output, creating a significant privacy and compliance risk if users enable it without understanding the scope.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README documents an API-backed mode with an API key and paid service usage, but does not clearly warn that conversation content may be transmitted to an external provider when that mode is enabled. Users may reasonably assume memory remains local, so omission of data-flow disclosure can lead to unintentional sharing of sensitive conversations with a third party.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill explicitly states it captures every user message, assistant response, tool execution, sub-agent interaction, and system event, but provides no consent, minimization, redaction, or sensitive-data handling guidance. In an agent environment, this can silently persist secrets, personal data, tokens, file contents, and command outputs into searchable long-term storage, significantly increasing privacy and data-exposure risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The paid/API mode instructs users to set an API key for an external service but does not disclose that conversation history and related metadata may be transmitted off-box to a third party. That omission prevents informed consent and can lead to unintended external sharing of sensitive conversational content.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manifest wires the same logging command both as a callable tool and as a message_out hook, indicating routine automatic capture of assistant outputs and likely conversation data with no visible scoping, consent, filtering, or sensitivity exclusions. In a memory/logging skill this broad collection is contextually expected, but it still creates a real privacy and data-governance risk because all conversations may be persisted to JSONL and a semantic-search index by default.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The logger persistently records conversation content to JSONL without any mechanism for notice, consent, redaction, or minimization. Because this code explicitly captures user, system, tool, and agent content, it creates a substantial privacy and secrets-retention risk rather than a mere documentation issue.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Conversation data is exported to an external Memvid process for searchable persistence, again with no consent or disclosure controls. Searchable secondary storage materially increases exposure because sensitive prompts, tool outputs, and system messages become easier to retrieve, aggregate, and misuse.

Ssd 3

Medium
Confidence
92% confidence
Finding
The skill is designed for durable retention and semantic retrieval of all conversations, agent chatter, tool results, and system events, which increases the blast radius of any accidental secret capture or later prompt-based retrieval. Because the stored data is searchable in natural language, sensitive information may be easier to rediscover and exfiltrate than in raw logs.

Ssd 3

High
Confidence
96% confidence
Finding
The README explicitly documents a skill whose purpose is comprehensive, persistent capture of user messages, assistant replies, sub-agent conversations, tool outputs, and system events. Even though the privacy risk is disclosed, this creates a real security/privacy vulnerability because highly sensitive data can be silently accumulated over time and later searched, exfiltrated, or misused if the files or downstream service are compromised.

Ssd 3

Medium
Confidence
88% confidence
Finding
The search examples normalize retrieving prior discussions, requests, and agent findings from long-term memory. That capability increases the practical exploitability of the logging store because once sensitive content is captured, the skill makes rediscovery and summarization of that content easy across time.

Ssd 3

High
Confidence
98% confidence
Finding
This section confirms the logger captures complete user input, assistant output, agent chatter, tool results, and claims every character is preserved. Full-fidelity persistence of all content materially increases exposure of secrets, personal data, internal prompts, command output, and file contents, especially because tool results often contain the most sensitive data.

Ssd 3

High
Confidence
98% confidence
Finding
This is an explicit design choice to capture and retain all conversation content, including tool outputs and file contents, which can contain credentials, secrets, personal data, and proprietary information. Even though the documentation warns users, blanket collection and long-term searchable retention materially increases the blast radius of any local compromise, misconfiguration, or accidental sharing, and optional API mode further increases third-party exposure.

Ssd 3

Medium
Confidence
91% confidence
Finding
The examples promote querying archived user statements and previously requested scripts across historical conversations, normalizing long-term profiling and recall of sensitive prior interactions. In context, this is less about an isolated query feature and more about encouraging use of a comprehensive memory archive that may expose confidential or regulated data far beyond the user's immediate intent.

Ssd 3

High
Confidence
99% confidence
Finding
This section confirms blanket capture of user, assistant, sub-agent, tool, background, and system data, creating a centralized repository of highly sensitive operational context. Such comprehensive logging is especially dangerous because tool executions and system events can reveal secrets, filesystem contents, internal workflows, tokens, or commands that would not normally be retained in a single searchable store.

Ssd 3

High
Confidence
96% confidence
Finding
The skill explicitly captures and persists all OpenClaw activity, including user messages, assistant outputs, sub-agent conversations, tool outputs, and system events. In a memory/logging skill this behavior is intentional, but it still creates a real confidentiality and privacy risk because secrets, personal data, tokens, and sensitive tool results may be retained beyond their original purpose and potentially exposed through local files or remote API-backed storage.

Ssd 3

Medium
Confidence
90% confidence
Finding
The description advertises full-context long-term logging and semantic memory storage, which signals a design centered on retaining broad conversation data beyond immediate runtime needs. While consistent with the stated purpose of the skill, this increases risk by normalizing over-collection and long-term exposure of user-provided or tool-derived sensitive information.

Ssd 3

High
Confidence
98% confidence
Finding
The instructions promote persistent, searchable storage of all interactions in JSONL and Memvid formats, making broad collections of sensitive conversation data retrievable later through plain-language queries. Because the captured scope includes tool executions and sub-agent activity, the stored corpus may contain credentials, proprietary data, local file contents, and operational details that materially amplify harm if accessed by unauthorized parties.

Ssd 3

Medium
Confidence
89% confidence
Finding
The search examples encourage querying historical memory across unified or monthly shards using natural-language prompts, which lowers the barrier to resurfacing previously stored private content. While search is a normal feature for memory systems, pairing it with indiscriminate retention of all interactions increases the likelihood of overbroad disclosure of sensitive prior conversations.

Ssd 3

High
Confidence
99% confidence
Finding
The file header explicitly states the logger captures 'everything,' including messages, tool calls, agent spawns, and background tasks. In agent systems, such broad collection predictably sweeps up credentials, personal data, internal prompts, and operational secrets, making the design itself privacy- and security-sensitive.

Ssd 3

High
Confidence
99% confidence
Finding
The main routine constructs a comprehensive log entry from nearly every available field and writes it to persistent storage and external memory. The skill context makes this more dangerous because agent conversations commonly include API keys, filesystem data, command output, hidden system prompts, and user-sensitive material.

VirusTotal

54/54 vendors flagged this skill as clean.
