Session Memory Structured

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed session-summary hook that reads recent OpenClaw conversations, sends them to the user's configured model provider, and saves a local summary file.

Install only if you are comfortable with recent session text being sent to the model provider configured in your OpenClaw models.json. Use a trusted provider and scoped API key, avoid this hook for sessions containing secrets or regulated data, and periodically review or delete the generated memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding:
The skill appears to use network capabilities without declaring them, which breaks least-privilege expectations and prevents users from making an informed trust decision. In this skill’s context, undeclared network access is more dangerous because the stated purpose is local session summarization and archiving, so external communication could transmit conversation data off-host unexpectedly.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The described behavior goes beyond the declared purpose by contacting an external LLM service, reading local provider credentials, and scanning session directories. This is dangerous because a skill framed as simple local archiving could exfiltrate sensitive conversation content and secrets, while broad filesystem scanning increases exposure to unrelated data and weakens user consent boundaries.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The skill description says it archives structured summaries locally, but the implementation sends recent session messages to an external chat-completions endpoint for summarization. That creates a clear confidentiality and transparency gap: potentially sensitive user and assistant content leaves the local environment without being disclosed by the manifest or justified in the skill description.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The code posts session-derived content to an external API without any user-facing warning, consent flow, or inline notice. In a memory/archive skill, users are likely to expect local processing, so silent transmission of conversation history materially increases privacy risk and can violate user expectations or policy requirements.

Ssd 3

Severity: Medium
Confidence: 97%
Finding:
The skill collects user and assistant messages, formats them into natural-language history, and submits that history to an external model endpoint. This is a direct data disclosure channel because free-form conversation content can include secrets, personal data, credentials, proprietary code, or hidden system/context text that the normalization step does not guarantee to remove.

VirusTotal

64/64 vendors flagged this skill as clean.