Security audit

Concept Ledger

Security checks across malware telemetry and agentic risk

Overview

Concept Ledger is a local terminology-tracking plugin whose conversation scanning, local persistence, and interventions are disclosed and aligned with its stated purpose.

Install this only if you want a plugin to continuously track terminology from conversations and keep a local cross-session glossary. Review or delete files under ~/.openclaw/concept-ledger if needed, use separate projectId values for isolation, and disable autoIntervene if you do not want automatic conversation nudges.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The code comment explicitly states block-severity signals should not be auto-sent, but the implementation appends them to the intervention output anyway. In a plugin that injects text back into the conversation, this mismatch can cause higher-severity internal detection output to be surfaced automatically, potentially altering model behavior or exposing internal state without confirmation.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The freeze function explicitly bypasses the state machine by directly setting status to "frozen" rather than using transition validation. That allows callers to skip required intermediate states such as vague → forming → clear and can violate invariants the rest of the ledger may rely on, leading to inconsistent or unauthorized state changes. In this skill context the issue is integrity-related rather than code-execution-related, but it is still a real logic flaw because it undermines the documented lifecycle guarantees.

Vague Triggers

Medium
Confidence: 90%
Finding
The README states the plugin 'automatically detects' issues and 'intervenes at the right moment' without manual commands, which implies broad passive activation during normal conversation. In an agent skill/plugin context, vague auto-invocation criteria can cause the capability to trigger on unrelated user inputs, increasing the chance of unintended behavior, surprise interventions, and over-collection or processing of conversation content.

Missing User Warnings

Medium
Confidence: 84%
Finding
The plugin persists conversation-derived concept data to storage during normal operation without any visible disclosure, consent flow, or user-facing indication in this file. Because the ledger is built from session content and later reused, this creates a privacy and data-retention risk if users are unaware their conversation content is being stored across turns or sessions.

Missing User Warnings

Medium
Confidence: 86%
Finding
At session end, the plugin finalizes and saves the ledger again, persisting tracked conversation concepts without any explicit disclosure in the shown code. This extends the privacy risk by ensuring session-derived data survives beyond the active interaction and can influence later prompts.

VirusTotal

60/60 vendors flagged this plugin as clean.