Memory Onboarding Wizard

Security checks across malware telemetry and agentic risk

Overview

This is a local setup wizard that creates disclosed OpenClaw memory files, with a privacy caveat because USER.md stores basic personal context for future sessions.

Install only if you want local OpenClaw memory files created. Before running it, confirm the workspace path, and after setup review USER.md, MEMORY.md, HEARTBEAT.md, and the daily note; remove sensitive personal details or default heartbeat tasks you do not want future agents to use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 89% confidence
Finding: The setup text describes creating multiple files, including USER.md populated from personal details, but it does not prominently warn users that personal information will be written to disk in the workspace. This is risky because users may disclose identifying data without understanding it will be stored persistently and potentially read in future sessions.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The script explicitly collects personal profile data (name, timezone, use case) and persists it to USER.md without a clear privacy notice, consent prompt for storage, or guidance on sensitivity. In an agent-memory setup, these files are meant to be read across sessions, so the data is intentionally made persistent and may be exposed to other tools, backups, or future prompts.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal