Dream

Security checks across malware telemetry and agentic risk

Overview

This looks like a real memory-management skill, but it silently rewrites and permanently archives personal memory with weak user controls.

Install only if you intentionally want OpenClaw to maintain a local long-term memory system that can silently process conversations and keep an archive indefinitely. Before relying on it, review the vault path, inspect MEMORY.md and ledger.md regularly, avoid storing sensitive topics unless permanent retention is acceptable, and consider adding confirmations, narrower triggers, path restrictions, and a real purge workflow for forgotten data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (11)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill instructs the agent to automatically persist user-provided information into MEMORY.md and daily memory logs during live conversation without clear, contemporaneous user consent or notice. That creates a privacy and surprise-write risk, especially because the stored content includes corrections, decisions, and project details that may be sensitive or long-lived.

Missing User Warnings

High

Confidence: 99% confidence
Finding: The scheduled 03:30 distillation silently reads prior conversation logs and modifies long-term memory files in the background with no user-facing notification. Silent background persistence and transformation of personal data is dangerous because users may not realize retention, summarization, and archival are occurring, preventing meaningful consent or correction.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The forget operation performs semantic matching and immediate deletion from active memory without confirmation, making accidental or overbroad removal likely. Because semantic search can match more than the user's intended target, the lack of a review step can cause silent loss of important memory state and undermine user control.

Vague Triggers

Medium

Confidence: 96% confidence
Finding: The trigger phrase `review` is generic and likely to appear in ordinary conversation, which can cause the skill to activate unintentionally. In a memory-management skill, accidental activation can lead to unexpected processing of personal data, archiving, or memory modification without a clear user intent boundary.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The README describes silent scheduled operation every night without clearly defining opt-in, exclusions, or safeguards around when data is processed. This increases the risk of unattended handling of sensitive user content and makes it easier for the skill to act beyond what a user reasonably expects.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill is presented as actively maintaining and distilling user memory, but the README does not prominently warn that information may be retained and archived persistently. Users may not realize that personal data is being copied into long-lived stores, which creates privacy and consent risks.

Ssd 3

Medium

Confidence: 97% confidence
Finding: The skill persistently records broad categories of user conversation content, including preferences, relationships, and contextual details, into durable storage and does so partly automatically. This creates a meaningful privacy risk because sensitive personal information is being normalized into long-term memory without tight minimization, purpose limitation, or explicit consent controls.

Ssd 3

Medium

Confidence: 98% confidence
Finding: The distillation workflow directs the agent to reread conversation logs, elevate selected content into injected context, and permanently archive completed items in a ledger. That increases privacy and persistence risk because information can move from ephemeral logs into highly durable, repeatedly surfaced memory, broadening exposure and making mistakes or sensitive inferences harder to contain.

Ssd 3

Medium

Confidence: 99% confidence
Finding: The forget feature removes content from active memory while explicitly preserving it in a permanent archive, which can mislead users into believing their data was deleted when it was not. This is dangerous because it defeats user expectations around erasure and could retain sensitive information indefinitely despite a removal request.

Ssd 3

Medium

Confidence: 97% confidence
Finding: The design explicitly preserves long-term memory indefinitely and can restore previously forgotten content when it re-emerges. That creates a significant privacy and data-governance risk because sensitive information may persist forever and reappear after a user believed it had been cleared.

Ssd 3

Medium

Confidence: 92% confidence
Finding: These commands explicitly enable natural-language retrieval of remembered personal information and searching across permanent archives, which increases the chance of overbroad disclosure in normal conversation. Even if intended as a feature, exposing personal memory through simple prompts can leak sensitive data to anyone with access to the session or logs.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal