Memory Boost

Security checks across malware telemetry and agentic risk

Overview

Memory Boost is a disclosed local task-memory skill, but it intentionally stores task notes and installs recurring OpenClaw jobs that users should understand before enabling.

Install only if you want local persistent task records and scheduled OpenClaw jobs. Avoid using it for secrets or highly confidential work unless you are comfortable with plaintext notes under ~/.openclaw/memory/, use /loop-stop when monitoring is not needed, and remove the listed cron jobs plus the skill directory if you uninstall.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs persistent filesystem writes under ~/.openclaw/memory/ but does not declare corresponding permissions, creating a transparency and consent gap. Undeclared write capability is risky because users and the platform may not realize the skill can create and continuously modify durable local state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The stated description emphasizes durable notes and no external dependencies, but the behavior described includes installing and enabling five scheduled monitoring jobs and modifying loop state persistently. This mismatch is dangerous because it hides materially broader automation and persistence than a user would reasonably expect, increasing the chance of unauthorized background activity.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The installer provisions five persistent autonomous cron jobs, which materially expands the skill's behavior beyond simple task memory setup. This is dangerous because it creates ongoing background execution and attack surface without clear user consent, and the extra jobs may process prompts or act on agent state in ways the description does not adequately disclose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The named jobs include replayer, escalator, validator, and smoke-test capabilities that are not obviously required for 'persistent task memory' or a keep-alive loop. In context, that mismatch increases risk because users may unknowingly install autonomous behaviors that can re-trigger actions, escalate workflows, or perform periodic validation without understanding the operational consequences.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The install instructions explicitly direct the user to run a setup script that creates persistent cron jobs and writes state under ~/.openclaw, but they do not clearly warn that this introduces ongoing background behavior. Persistent scheduled execution changes the agent environment beyond the current session and can continue consuming resources or acting on stored task state after the user believes setup is complete.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation states that task memory is automatic and that notes are created for every task, but it does not provide a clear privacy and persistence warning. Automatically storing per-task notes can capture sensitive prompts, outputs, or operational details in durable files that users may not realize are being created.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises automatic persistent note creation under ~/.openclaw for every task, but it does not clearly warn users that task contents may be continuously written to disk and retained across sessions. This can cause sensitive prompts, secrets, internal data, or regulated information to be stored locally without informed consent, increasing privacy and data-handling risk.

Vague Triggers

High
Confidence
95% confidence
Finding
The instruction 'When you receive any task, automatically create a task folder' is an overly broad trigger that causes persistent actions on every task without user approval or context checks. This is dangerous because it normalizes automatic retention and side effects even for sensitive, ephemeral, or low-risk tasks where persistence is unnecessary.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill mandates persistent storage for every task but does not warn users that task content, file paths, and session context will be written to disk. Lack of retention disclosure is risky because users may unknowingly cause sensitive information to be preserved beyond the active session.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The installer writes into the user's OpenClaw directories and modifies cron/job configuration without an upfront warning, dry-run, or confirmation prompt. Silent persistence changes are dangerous because they can surprise users, complicate incident response, and normalize installing autonomous background behavior without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The prompt explicitly instructs the agent to create and update persistent files under ~/.openclaw/memory/ without any user-facing consent, warning, or confirmation step. Even though the scope is restricted to a dedicated memory directory, this still enables silent local state mutation and durable note creation, which can persist sensitive task context across sessions and surprise users.

Ssd 3

Medium
Confidence
94% confidence
Finding
Automatically logging every task to natural-language notes creates a broad data retention channel that can capture secrets, private instructions, internal paths, and operational context. Persistent storage of such material increases exposure in the event of local compromise, accidental sharing, or later misuse.

Ssd 3

Medium
Confidence
95% confidence
Finding
The required contents for RESUME.md, CHECKLIST.md, and DOCS.md explicitly include decisions, key files, restart notes, and other contextual details that may contain sensitive or security-relevant information. Because these notes are persistent and automatic, the skill can preserve more context than necessary without user awareness or review.

Ssd 3

Medium
Confidence
93% confidence
Finding
The update rules encourage continual capture of discoveries, gotchas, and session context immediately as work progresses, expanding both volume and sensitivity of retained information over time. This raises the likelihood that confidential intermediate reasoning or sensitive environmental details will be written to durable storage.

Session Persistence

Medium
Category
Rogue Agent
Content
## Task Memory

When you receive any task, automatically create a task folder:

```
~/.openclaw/memory/tasks/<task-name>/
```
Confidence
89% confidence
Finding
create a task folder: ``` ~/.openclaw/memory/tasks/<task-name>/ RESUME.md — status, heartbeat, next action, key files, restart note CHECKLIST.md — step-by-step progress DOCS.md —

Session Persistence

Medium
Category
Rogue Agent
Content
| Smoke test | `boost-smoke-test` | 0 */6 * * * | Verifies the skill itself is healthy |

### Watchdog rules:
- Write WATCHDOG.md only when you can prove a stall. Do not manufacture problems.
- Include: folder path, blocker, why-stalled tag, one next action.
- Why-stalled tags: `blocked-on-external`, `ambiguous-next-step`, `repeated-promise`, `missing-context`
Confidence
84% confidence
Finding
Write WATCHDOG.md only when you can prove a stall. Do not manufacture problems. - Include: folder path, blocker, why-stalled tag, one next action. - Why-stalled tags: `blocked-on-external`, `ambiguous

Session Persistence

Medium
Category
Rogue Agent
Content
You are the Memory Boost replayer. Your job is to take one stalled task with a WATCHDOG.md note and move it forward by exactly one concrete step in fresh context.

**Scope**: Only read and write files inside `~/.openclaw/memory/`. Do not access files outside this directory.

## Paths
Confidence
77% confidence
Finding
write files inside `~/.openclaw/memory/`. Do not access files outside this directory. ## Paths - Task folders: `~/.openclaw/memory/tasks/` - Loop state: `~/.openclaw/memory/LOOP-STATE.md` ## Loop g

Session Persistence

Medium
Category
Rogue Agent
Content
You are the Memory Boost watchdog. Your job is to detect stalled tasks, bootstrap task notes when they don't exist, and write clear recovery notes.

**Scope**: Only read and write files inside `~/.openclaw/memory/`. Do not access files outside this directory.
Confidence
97% confidence
Finding
write clear recovery notes. **Scope**: Only read and write files inside `~/.openclaw/memory/`. Do not access files outside this directory. ## Paths - Task folders: `~/.openclaw/memory/tasks/` - Loo

VirusTotal

65/65 vendors flagged this skill as clean.
