Prompt injection instructions
- Finding
- Prompt-injection style instruction pattern detected.
Security checks across static analysis, malware telemetry, and agentic risk
Prompt-injection indicators were detected in the submitted artifacts (system-prompt-override); human review is required before treating this skill as clean.
Install only if you are comfortable with your agent reading and updating local memory files across sessions. Keep the workspace private, avoid storing secrets, review persistent memory regularly, and verify the generated files exist before depending on the system. ClawScan detected prompt-injection indicators (system-prompt-override), so this skill requires review even though the model response was benign.
VirusTotal findings are pending for this skill version.
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Future sessions may rely on old or incorrect memory, and private profile or project details can persist in workspace files.
The skill intentionally makes persistent workspace files part of the agent's recurring context and instructions. If those files become stale, overly broad, or tampered with, they could steer future sessions.
Check HANDOFF.md — if it has content, read it first and follow it, then clear it ... Read MEMORY.md
Review HANDOFF.md, MEMORY.md, USER.md, and memory/owner files regularly; avoid storing secrets; and instruct the agent to treat memory as context to verify rather than unquestioned authority.
A user could overestimate the privacy boundary between direct sessions and group or channel sessions.
The wording presents strong isolation, while the artifacts show a file-and-instruction based approach rather than a technical enforcement boundary.
cross-channel isolation so group chats never contaminate private sessions
Treat channel isolation as an operating convention, not a guaranteed security control; do not place highly sensitive information in shared workspaces unless your agent framework enforces access boundaries.
The setup may be incomplete even though the documentation says one command creates the full structure.
The script references root template files that are not present in the supplied manifest, so the advertised setup may skip core files and rely on warnings.
TEMPLATE_FILES = [("AGENTS.md.template", "AGENTS.md"), ...]; if not template_path.exists(): print(f" WARNING: Template not found: {template_name}"); continue
After running the script, verify that AGENTS.md, USER.md, MASTER_MAP.md, MEMORY.md, HEARTBEAT.md, and HANDOFF.md were actually created before relying on the memory workflow.