Security audit

Biomimetic Memory Architecture

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate memory-management skill, but it gives scheduled automation broad power to persist, reorganize, and move private memory files with some under-disclosed or contradictory approval boundaries.

Install only if you want BMA (Biomimetic Memory Architecture) to govern your OpenClaw memory workspace. Use a test workspace first, run the dry-run/audit modes, review cron jobs and gateway config.patch commands before applying them, and back up memory/ before allowing the Phase 2 migration. Keep voice profiling, infrastructure collection, metrics, and git backup disabled unless you explicitly need them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (16)

Context-Inappropriate Capability (Medium severity, 89% confidence)

The skill directs the agent to inspect live host scheduler state using `openclaw cron list` and `crontab -l`, which goes beyond document distillation and requires host-environment introspection. Even if intended for maintenance, this expands the skill's authority into system enumeration and can expose sensitive operational details or normalize privileged access unrelated to the core task.

Context-Inappropriate Capability (Medium severity, 91% confidence)

The lesson-imprint section instructs execution of shell and Python commands that mutate persistent state (`lessons.json`, `BOOTSTRAP.md`) during what is otherwise a markdown distillation workflow. This increases the attack surface by turning passive log processing into code-driven state modification, creating opportunities for unsafe side effects if logs or parameters are adversarially influenced.

Intent-Code Divergence (High severity, 98% confidence)

The section presents the retention review as 'read-only by default' but then instructs the agent to immediately run a migration script that moves files and then deletes the audit report. This is dangerous because it can cause non-obvious state changes to archival data under the guise of a safe audit, reducing operator awareness and increasing the chance of unintended data reorganization or loss of review artifacts.

Intent-Code Divergence (High severity, 97% confidence)

The skill describes the audit flow as read-only, but within the same workflow it mandates automatic execution of a storage-modifying migration phase. That contradiction can mislead an agent or operator into approving or running destructive-seeming maintenance actions without understanding that files will actually be moved and process artifacts removed.

Intent-Code Divergence (Medium severity, 98% confidence)

The script advertises that it is 'safe to re-run' and 'won't overwrite existing files', but later it injects a principles block into an existing MEMORY.md when that section is missing. This is a real integrity issue because users may trust the non-destructive claim and run the installer on an existing workspace, causing unanticipated modification of user-authored content.

Intent-Code Divergence (Medium severity, 96% confidence)

During init, the script writes the generated vault passphrase to a local file at $VAULT_PASS_FILE even when a stronger backend such as a system keyring is intended. That creates a plaintext-at-rest exposure window and relies on a later deletion step to close it, so crashes, interruptions, backups, or permissive workspace handling could disclose the vault master secret.
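What closing that window looks like in code, as an added example that is not the skill's own init script: the passphrase file is created with an explicit 0600 mode in a single O_CREAT|O_EXCL call (so it never exists with umask-derived permissions and a second run cannot replace it), and it is read once and removed as soon as the caller has the secret. $VAULT_PASS_FILE is the finding's name for the destination; the file name used in the demo and the helper names are assumptions.

```python
"""Bound the plaintext-at-rest window for a generated vault passphrase.

Added example, not the skill's own init code. $VAULT_PASS_FILE is the
finding's name for the destination; everything else here is an assumption.
"""
from __future__ import annotations

import os
import secrets
import stat
import tempfile
from pathlib import Path


def new_passphrase(nbytes: int = 32) -> str:
    """256 bits from the OS CSPRNG, URL-safe so it survives shell quoting."""
    return secrets.token_urlsafe(nbytes)


def write_owner_only(path: Path, secret: str) -> bool:
    """Create `path` with mode 0600 in one syscall; never clobber an existing file.

    open(path, 'w') followed by chmod leaves a window in which the file carries
    umask-derived permissions (commonly 0644). O_CREAT|O_EXCL with an explicit
    mode removes that window and also fails instead of overwriting a file that
    another run, or the user, already placed there.
    """
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(secret)
    return True


def consume_and_remove(path: Path) -> str:
    """Read the passphrase once for the caller, then take the plaintext off disk."""
    secret = path.read_text(encoding="utf-8")
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        fh.write(b"\0" * size)  # best-effort overwrite; no guarantee on journaling/COW filesystems
        fh.flush()
        os.fsync(fh.fileno())
    path.unlink()
    return secret


def file_mode(path: Path) -> int:
    """Permission bits only (no file-type bits), for auditing."""
    return stat.S_IMODE(path.stat().st_mode)


def demo() -> dict:
    """Walk the init flow in a temp dir and report what an auditor would check."""
    with tempfile.TemporaryDirectory() as tmp:
        pass_file = Path(tmp) / "vault.pass"  # stands in for $VAULT_PASS_FILE (assumed name)
        secret = new_passphrase()
        first = write_owner_only(pass_file, secret)
        second = write_owner_only(pass_file, "attacker-chosen")  # must not replace the real one
        mode = file_mode(pass_file)
        recovered = consume_and_remove(pass_file)
        return {
            "first_write_ok": first,
            "second_write_refused": not second,
            "group_other_bits_clear": (mode & 0o077) == 0,
            "roundtrip_ok": recovered == secret,
            "removed_after_use": not pass_file.exists(),
        }


if __name__ == "__main__":
    print(demo())
```

The permission check assumes a POSIX host; on Windows the mode bits reported by stat do not carry the same meaning. A keyring-backed store would replace the file path entirely rather than sit beside it.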

Missing User Warnings (Medium severity, 91% confidence)

The README documents an execute mode for Phase 2 that compresses summaries, moves source files to cold archive, and rewrites references, but it does not clearly warn that this mutates user data and may be difficult to reverse if the audit report or rewrite logic is wrong. In a memory-management skill, users may run the provided commands directly from documentation, so insufficient safety warnings materially increase the chance of accidental data loss or corruption.

Missing User Warnings (Medium severity, 92% confidence)

The document explicitly describes automatic capture of user preferences and profile-like data from conversation into persistent memory files without requiring clear notice, consent, or user controls. In a memory architecture context, this increases privacy risk because sensitive personal traits, habits, schedules, or inferred preferences may be stored long-term and later retrieved or propagated beyond the user's immediate expectations.

Missing User Warnings (Medium severity, 87% confidence)

The skill authorizes broad writes across memory files and appends a debrief without any explicit user-facing consent or warning that persistent data will be modified. In an agent setting, silent persistence is risky because it can store inaccurate, sensitive, or attacker-injected content and create long-lived downstream influence on future behavior.

Missing User Warnings (Medium severity, 87% confidence)

The installation guide instructs the operator to execute configuration patch commands that alter system plugin settings and labels them as 'safe' partial updates without an explicit impact review or rollback guidance. In an agent-skill context, changing memory, indexing, and dreaming settings can materially affect data exposure, persistence, and system behavior, so encouraging blind execution increases the risk of unsafe reconfiguration.

Missing User Warnings (Medium severity, 95% confidence)

The instructions authorize automatic file moves to a different archive location and deletion of the generated audit report without any explicit warning, preview, or confirmation step. Even if the moves are reversible, silent archival changes can disrupt retrieval, break assumptions about file locations, and remove evidence needed to review what the automation decided.
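The shape the read-only-audit findings above (the two Intent-Code Divergence items on the retention review and this one) ask for, as an added example that is not the skill's Phase 2 code: the audit pass writes nothing but its report, migration is a dry run unless the operator passes execute=True, a destination that already exists is skipped rather than overwritten, and the report survives the migration as the record of what the automation decided. The directory layout, the age threshold and the report file name are assumptions.

```python
"""Keep a retention review read-only; make migration an explicit, preview-first step.

Added example, not the skill's Phase 2 code. Directory names, the age
threshold and the report file name are assumptions.
"""
from __future__ import annotations

import json
import os
import shutil
import tempfile
import time
from pathlib import Path

REPORT_NAME = "retention-audit.json"  # assumed; kept after migration as the review record


def audit(memory_dir: Path, cold_dir: Path, max_age_days: int, now: float | None = None) -> dict:
    """Read-only pass: decide what *would* move and write only the report."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    moves = [
        {"src": str(f), "dst": str(cold_dir / f.name)}
        for f in sorted(memory_dir.glob("*.md"))  # non-recursive: cold/ is not rescanned
        if f.stat().st_mtime < cutoff
    ]
    report = {"generated_at": now, "max_age_days": max_age_days, "moves": moves}
    (memory_dir / REPORT_NAME).write_text(json.dumps(report, indent=2), encoding="utf-8")
    return report


def migrate(report: dict, *, execute: bool = False) -> dict:
    """Dry run unless execute=True. Never overwrites a destination, never deletes the report."""
    outcome = {"executed": execute, "files": [], "skipped_existing_dst": []}
    for m in report["moves"]:
        src, dst = Path(m["src"]), Path(m["dst"])
        if dst.exists():
            outcome["skipped_existing_dst"].append(src.name)
            continue
        if execute:
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(src), str(dst))
        outcome["files"].append(src.name)
    return outcome


def demo() -> dict:
    """Constructed workspace: one stale note, one fresh note, fixed clock for determinism."""
    now = 1_700_000_000.0
    with tempfile.TemporaryDirectory() as tmp:
        mem = Path(tmp) / "memory"
        cold = mem / "cold"
        mem.mkdir()
        old, fresh = mem / "2023-01-notes.md", mem / "today.md"
        old.write_text("old\n", encoding="utf-8")
        fresh.write_text("new\n", encoding="utf-8")
        stale = now - 400 * 86400
        os.utime(old, (stale, stale))
        os.utime(fresh, (now, now))

        report = audit(mem, cold, max_age_days=180, now=now)
        migrate(report)  # default dry run: must leave the tree exactly as it was
        dry_run_touched_nothing = old.exists() and not cold.exists()
        real = migrate(report, execute=True)
        return {
            "planned": [Path(m["src"]).name for m in report["moves"]],
            "dry_run_touched_nothing": dry_run_touched_nothing,
            "moved": real["files"],
            "fresh_untouched": fresh.exists(),
            "report_kept": (mem / REPORT_NAME).exists(),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the report is the only artefact the audit produces and the migration never removes it, an operator can diff it against the tree afterwards to confirm the automation moved exactly what it said it would.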

Missing User Warnings (Medium severity, 92% confidence)

`ensure_bma_additions` silently invokes `lesson_imprint.py` with 'init' and 'promote', suppressing output and ignoring failures. Even though the subprocesses are local, this is dangerous because an installer is performing additional workspace-modifying actions without a clear inline prompt or visibility, reducing user awareness and auditability.

Missing User Warnings (Medium severity, 95% confidence)

The installer creates and injects substantial content into workspace files, including modifying an existing MEMORY.md if a target section is absent. This is a real safety problem because it changes persisted user data and operating instructions without a dedicated warning at the point of modification, which can surprise users and alter downstream agent behavior.
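An installer that actually honours the 'safe to re-run' and 'won't overwrite existing files' claims the two MEMORY.md findings above (the Intent-Code Divergence item and this one) take issue with, as an added example that is not code from the BMA skill: a missing file is created, a file that already carries the section is left alone, and an existing MEMORY.md without the section is modified only when the operator opts in, otherwise the installer refuses and says so. The section heading and block text are assumptions; MEMORY.md is the file the findings name.

```python
"""Make a "safe to re-run, won't overwrite" installer actually behave that way.

Added example, not code from the BMA skill. MEMORY.md is taken from the
findings; the section marker and block text are assumptions.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

PRINCIPLES_MARKER = "## Operating Principles"  # assumed heading
PRINCIPLES_BLOCK = (
    f"{PRINCIPLES_MARKER}\n\n"
    "- Treat every write to memory files as a user-visible change.\n"
)


def ensure_section(path: Path, marker: str, block: str, *, allow_modify: bool = False) -> str:
    """Return the action taken: 'created', 'unchanged', 'refused' or 'modified'.

    - missing file            -> create it (this is all "won't overwrite" promises)
    - file already has marker -> leave it alone (true idempotency)
    - file lacks marker       -> append only when the operator opted in with
                                 allow_modify=True; otherwise refuse and report,
                                 instead of silently editing user-authored text
    """
    if not path.exists():
        path.write_text(block, encoding="utf-8")
        return "created"
    text = path.read_text(encoding="utf-8")
    if marker in text:
        return "unchanged"
    if not allow_modify:
        return "refused"
    sep = "" if text.endswith("\n") else "\n"
    path.write_text(text + sep + "\n" + block, encoding="utf-8")
    return "modified"


def install(workspace: Path, *, allow_modify: bool = False) -> dict[str, str]:
    """Run the installer and return a per-file report the operator can read."""
    return {
        "MEMORY.md": ensure_section(
            workspace / "MEMORY.md", PRINCIPLES_MARKER, PRINCIPLES_BLOCK,
            allow_modify=allow_modify,
        )
    }


def demo() -> list[str]:
    """Exercise the four paths in a throwaway workspace and return the actions taken."""
    actions: list[str] = []
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp)
        actions.append(install(ws)["MEMORY.md"])                     # fresh workspace
        actions.append(install(ws)["MEMORY.md"])                     # re-run: no-op
        # Constructed stand-in for an existing, user-authored MEMORY.md without the section.
        (ws / "MEMORY.md").write_text("# My notes\n\nuser content\n", encoding="utf-8")
        actions.append(install(ws)["MEMORY.md"])                     # refused by default
        actions.append(install(ws, allow_modify=True)["MEMORY.md"])  # explicit opt-in
        final = (ws / "MEMORY.md").read_text(encoding="utf-8")
        # Even with opt-in, the user's own text is preserved and the block appended once.
        assert final.startswith("# My notes") and final.count(PRINCIPLES_MARKER) == 1
    return actions


if __name__ == "__main__":
    print(demo())
```

Returning the action per file, rather than printing and discarding it, is what lets a verification step or the operator see that an installer run changed something it did not advertise.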

Missing User Warnings (Medium severity, 88% confidence)

The verification script invokes `lesson_imprint.py init` as part of a check, which may create or modify workspace files under `memory/lesson-imprint` without clearly warning the user that running verification is not read-only. In a verification context, users reasonably expect inspection rather than mutation, so this can cause unintended state changes, mask setup issues, or overwrite initialization artifacts in the current workspace.

Ssd 3 (Medium severity, 97% confidence)

The generated agent instructions explicitly require persistent recording of user preferences, decisions, deadlines, and corrections to memory files by default. In context, this is a privacy-relevant data retention behavior that can accumulate sensitive personal and operational information without granular consent, increasing exposure if the workspace is accessed or synced elsewhere.

Ssd 3 (Medium severity, 96% confidence)

When enabled, the installer creates VOICE.md for ongoing analysis and retention of communication style for later ghostwriting. This is sensitive profiling of user behavior and writing patterns; even if presented as optional, it increases privacy risk and could facilitate impersonation or misuse if the stored profile is exposed.

VirusTotal

64/64 vendors rated this skill clean; none flagged it as malicious.