Security audit

proclaw-omni-memory-ultimate

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate memory and autonomous-agent toolkit, but it broadly stores and reuses user/project information with weak consent, retention, and safety controls.

Install only in a workspace where durable local memory is acceptable. Avoid storing secrets, credentials, regulated personal data, or confidential project details; inspect generated memory files regularly; avoid auto consolidation, restore, federation, and multimodal search on sensitive data unless you have reviewed the effects; and prefer sandboxing or a disposable workspace for evaluation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (44)

Intent-Code Divergence (Medium, 84% confidence)

The top-level description presents the tool as only identifying important information and asking follow-up questions, but the implementation also persists confirmed user content to disk as durable state. That mismatch can mislead operators and users about the data-handling behavior, increasing the chance that sensitive content is provided without informed consent.

Intent-Code Divergence (Medium, 94% confidence)

The module advertises 'privacy protection', but request_memory() returns the full stored memory object to any agent listed in authorized_agents with no field-level filtering, redaction, or purpose restriction. In a memory-sharing system, this can expose sensitive content far beyond what the documentation implies, especially because the privacy check is only a weak keyword scan during sharing and does not sanitize data before disclosure.

Intent-Code Divergence (Medium, 97% confidence)

The CLI exposes a --memories parameter but never uses it, instead processing hardcoded sample data for analysis, gaps, and confidence operations. This is a real security-relevant integrity issue because operators may believe they are analyzing real memory data when the tool is actually producing misleading results, which can cause unsafe downstream decisions and conceal missing or stale knowledge.

Intent-Code Divergence (Medium, 95% confidence)

`search_by_image()` appears to be a retrieval operation, but it calls `self.image_encoder.encode(image_data)`, and `encode()` writes the supplied bytes to disk. This creates an unexpected persistence side effect for query data, which can retain sensitive user-provided images, expand the on-disk corpus, and violate least-surprise/privacy expectations during search.

Intent-Code Divergence (Medium, 95% confidence)

`search_by_audio()` similarly invokes `self.audio_encoder.encode(audio_data)`, and that method writes the query audio to disk before computing embeddings. Search requests therefore leave persistent audio artifacts even though the method contract suggests retrieval only, which can expose sensitive recordings and accumulate unneeded retained data.

Vague Triggers (Medium, 92% confidence)

The manifest description is extremely broad and markets the skill for building autonomous, self-evolving agents with intrinsic drive, proactive evolution, and self-breakthrough capabilities. Broad activation language increases the chance the skill is invoked outside narrowly intended contexts, which is risky here because the skill advertises autonomous behavior and persistent memory features that could modify state without clear user scoping.

Missing User Warnings (Medium, 97% confidence)

The documentation explicitly instructs users to start an autonomous agent and execute a life cycle, but does not warn that the system may act proactively, generate its own goals, or write to persistent memory/state. In the context of this skill, that omission is more dangerous because the rest of the file repeatedly emphasizes self-driven behavior, evolution, learning, backups, and non-expiring memory, which can lead users to enable ongoing autonomous activity without understanding its persistence or scope.

Missing User Warnings (Medium, 92% confidence)

The workflow explicitly routes user input into persistent components such as WAL, SESSION-STATE.md, a knowledge graph, and long-term memory, but the document provides no consent, minimization, retention, or deletion controls. In an agent skill context, this creates a real privacy and integrity risk because routine conversations may be stored or modified without the user's awareness.

Missing User Warnings (Medium, 89% confidence)

The document promotes persistent storage of user memory content and explicitly emphasizes 'never delete' semantics, but it does not mention consent, retention limits, data minimization, or handling of sensitive personal data. In a memory system context, this omission is security-relevant because implementers may store personal information indefinitely without safeguards, increasing privacy, compliance, and breach impact.

Missing User Warnings (Medium, 96% confidence)

The document explicitly instructs the system to persist user preferences, decisions, corrections, and deadlines to SESSION-STATE, vector storage, and feedback stores before responding, but it provides no consent, notice, minimization, or sensitivity filtering. This creates a real privacy and data-governance risk because broad user-provided content may be retained automatically and durably without the user's awareness.

Missing User Warnings (Medium, 95% confidence)

The daily log and long-term memory design stores raw user statements, decisions, and remembered content in persistent markdown files and long-term memory indexes, again without warning users that their conversations may be logged and retained. Because the examples show plain-language transcript storage, the risk includes unintended retention of personal, confidential, or regulated information far beyond what is needed for task completion.

Vague Triggers (Medium, 89% confidence)

The project-memory trigger phrases are broad enough to match ordinary planning language such as '选择', '项目需要', and '因为', which can cause the system to persist routine conversation as project memory without sufficient confirmation. In a memory skill, this creates a prompt-injection and data-integrity risk because untrusted user text may be over-stored and later retrieved as if it were durable project guidance.

Vague Triggers (Medium, 92% confidence)

The reference-memory triggers use highly generic terms like '在', '位置', '路径', and '地址', which are common in normal conversation and can lead to unintended activation. In a system that stores and recalls references, this raises the chance of capturing sensitive paths, service locations, or attacker-supplied references that may later influence agent behavior.

Missing User Warnings (Medium, 92% confidence)

The templates explicitly encourage storing user statements, profile details, preferences, and daily logs, but provide no guardrails for avoiding sensitive personal data, minimizing retention, or obtaining consent. In an agent skill centered on persistent memory, that omission can lead to over-collection and long-term storage of personal or confidential information that is not necessary for task completion.

Missing User Warnings (Medium, 95% confidence)

The document directs the agent to persist user inputs into SESSION-STATE.md and a vector store before responding, but it does not require notice, consent, minimization, or filtering of sensitive data. This creates a real privacy and retention risk because broad user content may be stored durably across sessions even when the user did not expect long-term memory.

Missing User Warnings (Medium, 96% confidence)

The trigger table mandates storage for broad classes of user content including preferences, decisions, corrections, deadlines, and concrete details without any user-facing disclosure or sensitivity check. In this context, that broad mandatory capture increases the chance that personal or sensitive information is retained unnecessarily and later reused or exposed.

Missing User Warnings (Medium, 95% confidence)

The code writes learned user content and pending signal metadata to a predictable JSON file under the workspace without any user-facing warning at the point of collection or storage. Silent persistence of user-derived content creates privacy and data-governance risk, especially if users may include sensitive personal, project, or credential-related information.

Missing User Warnings (Medium, 81% confidence)

The code persistently writes identity, goals, life state, and consciousness-related data to disk automatically in agent_core_state.json without any explicit user consent, notice, retention control, or file-permission hardening. In an agent skill context, silent persistence can expose potentially sensitive user-derived or operational data to other local users, backups, logs, or later processes, especially when the default path is predictable and relative.

Missing User Warnings (Medium, 90% confidence)

The script automatically creates persistent memory files from extracted log content without any confirmation, dry-run mode, or explicit disclosure at the point of modification. In an agent skill context, silent writes of user-derived data are dangerous because they can unexpectedly persist sensitive information and alter workspace state in ways the user did not authorize.

Missing User Warnings (Medium, 90% confidence)

The pruning phase automatically archives old daily logs and rewrites MEMORY.md, which changes data location and index contents without a clear warning or approval step. This is risky because users may lose expected access paths to records, and the automated rewriting can silently remove references or interfere with auditability of past memory entries.

Missing User Warnings (Medium, 91% confidence)

The script prints recalled memory contents directly to stdout, and those memories can contain user/profile/project data. In a CLI or agent pipeline, stdout is often logged, captured, or shown to operators, so this can disclose sensitive stored context beyond the minimum necessary response.

Missing User Warnings (Medium, 95% confidence)

The restore logic automatically moves any existing target directory to a backup location and then overwrites/restores data without any explicit confirmation, dry-run, or safety guard. In a backup/restore utility this creates a real integrity and availability risk: a caller can unintentionally replace live memory data, and failures during move/copy operations can leave data in an unexpected or partially restored state.

Missing User Warnings (Medium, 90% confidence)

When auto_fix is enabled, the code writes repaired data back to disk through _save_cell with no write-path warning, preview, backup, or transactional safety. In a memory-management skill, silent mutation of persisted state can destroy evidence of corruption, overwrite valid-but-unexpected data, or be abused to alter records if an attacker can influence inputs or trigger checks.

Missing User Warnings (Medium, 92% confidence)

The store path persists arbitrary memory content and metadata to a local ChromaDB-backed directory without any notice, consent flow, retention controls, or sensitivity checks. In an agent skill context, this can silently retain prompts, secrets, personal data, or workspace-derived information across sessions, increasing privacy and data exposure risk if the workspace is shared, synced, or later exfiltrated.

Missing User Warnings (Low, 85% confidence)

The init flow creates files and directories in the current workspace, including SESSION-STATE.md and memory storage paths, without a prior warning or confirmation. While not directly code-execution-related, this can surprise users, alter repositories, leak operational context into tracked files, and normalize silent persistence in environments where workspace changes are sensitive.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.