Back to skill

Security audit

Openclaw Auto Memory Skill

Security checks across malware telemetry and agentic risk

Overview

This auto-memory skill is review-worthy because it silently stores and reloads user context and has conflicting disclosures about background jobs, chat history, and data import.

Install only if you intentionally want durable, cross-session memory. Before enabling it, verify the Sidecar URL is localhost, protect the API key, inspect or pin the external GitHub setup, decide whether existing sessions may be imported, and list/remove cron jobs unless you explicitly want silent recurring capture, maintenance, or reminders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill directs the agent to use environment-derived configuration and to install/start external services, but it does not declare corresponding permissions or capabilities. This reduces transparency and prevents users or hosting platforms from making informed trust decisions about network access and environment use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The manifest frames the skill as simple auto-memory and DB maintenance, but the documented behavior includes authenticated outbound API access, memory search/retrieval, autosave of chat history, and repository/service installation. That mismatch can cause users to approve the skill under a narrower trust model than the behavior actually requires.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The one-click install workflow instructs cloning a GitHub repository, configuring environment files, and starting Docker services, which materially expands the attack surface beyond a normal skill. Pulling and running external code and containers can lead to execution of unreviewed software on the host system.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The privacy section says the system stores structured facts rather than raw chat logs, yet later instructions allow full-session autosave/backup. This is a material privacy misrepresentation that could cause users to disclose sensitive information under false assumptions about retention scope.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The documented cron functionality includes a daily reminder or push-style behavior that is outside the stated scope of scheduled DB maintenance. Even if not overtly malicious, extra notification capabilities broaden data use and background activity beyond what users expect from the manifest.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill documentation instructs broad host orchestration: cloning a repo, configuring environment variables, and launching Dockerized services. For a memory skill, this is a substantial privilege and execution expansion that increases risk of arbitrary code execution, data exposure, or persistent host changes.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The document claims cron jobs are created only when explicitly requested, but earlier instructions say to create them automatically on install. This contradiction undermines informed consent for persistent background execution and can result in silent recurring processing of user data.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documentation claims only structured facts are stored, but elsewhere it instructs full chat-history autosave. This inconsistency is dangerous because it conceals the true sensitivity and volume of retained data, increasing privacy and compliance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly says the agent will silently load and automatically capture memories across sessions without foregrounding consent, review, or deletion controls at the point of use. Even if data stays local, covert collection and resurfacing of user identity, preferences, and project context creates a privacy and trust risk because users may not realize sensitive information is being retained and reused.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Automatic cron setup and silent background memory capture are described without strong upfront disclosure that persistent jobs will be created and operate silently. Hidden background behavior is risky because users may not realize their conversations are being processed and retained on an ongoing basis.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs silent retrieval of prior stored memories at the start of fresh chats without user-facing disclosure. That hidden cross-session reuse of personal context can surprise users and may expose sensitive historical data in contexts where the user expected a fresh start.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly requests read access to .env for API_KEY and MEM_PUBLIC_URL, which can expose sensitive credentials to the skill runtime. Even though the path is limited, the manifest does not provide a clear user-facing warning that secrets will be read, increasing the risk of users granting access without understanding the credential exposure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The manifest defines an automated daily reminder job that pushes data via Telegram, creating an outbound data-sharing path for memory content or summaries. Because there is no explicit privacy warning about what data may be sent off-platform, users may unknowingly enable scheduled exfiltration of sensitive chat-derived information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The capture and autosave functions send arbitrary user-provided text to a Sidecar API with no consent prompt, warning, or data-classification guard. In an agent skill context, this can silently exfiltrate sensitive prompts, secrets, or personal data to a remote service, especially because the feature is designed for automatic memory capture.

Ssd 3

Medium
Confidence
95% confidence
Finding
Normalizing silent retention and reuse of conversation details encourages persistent profiling without meaningful user awareness. In an agent skill context, this is particularly risky because users often disclose personal, work, or operational information conversationally and may not expect it to be stored for future sessions.

Ssd 3

Medium
Confidence
97% confidence
Finding
The example workflow instructs the agent to silently capture the user's name, project, and preferences, then proactively surface them in later sessions. This demonstrates cross-session collection of personal and work-context data from ordinary chat, which can expose sensitive information to shoulder-surfing, shared-device users, or unintended recipients in a reopened session.

Ssd 3

Medium
Confidence
96% confidence
Finding
The deterministic triggers authorize broad automatic capture of identity, preferences, project details, decisions, corrections, and errors from routine conversation. This broad scope increases the chance that confidential business information, personal data, or operational details are stored without context-sensitive filtering or consent.

Ssd 3

Medium
Confidence
87% confidence
Finding
The instructions establish automatic retention of user conversation data across sessions and periodic summarization/backup. In a memory skill this behavior is expected, but it still creates meaningful privacy risk because personal, project, or confidential information can accumulate silently over time.

Ssd 3

Medium
Confidence
92% confidence
Finding
The fresh-chat and trigger-based instructions tell the agent to silently absorb and persist facts such as identity, preferences, projects, and corrections for later reuse. In context this is the core feature, but it is still dangerous without granular consent because it normalizes covert collection of potentially sensitive personal data.

Credential Access

High
Category
Privilege Escalation
Content
- http
    justification: "Required to capture/search/autosave memories via Sidecar API"

  # Filesystem access to .env config
  - id: env-read
    description: "Read .env files for API_KEY and MEM_PUBLIC_URL configuration"
    type: filesystem
Confidence
88% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
# Filesystem access to .env config
  - id: env-read
    description: "Read .env files for API_KEY and MEM_PUBLIC_URL configuration"
    type: filesystem
    access: read
    paths:
Confidence
90% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
type: filesystem
    access: read
    paths:
      - ".env"
    justification: "Required to load API credentials from project or script directory"

  # Background cron jobs (user must explicitly opt in)
Confidence
89% confidence
Finding
.env"

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.