
Security audit

Anamnesis Hub

Security checks across malware telemetry and agentic risk

Overview

This memory skill is not clearly malicious, but it needs Review because it can mine conversations, send memory content to external services, persist it long term, edit OpenClaw configuration, schedule jobs, and clean up session files.

Install only if you intentionally want broad, persistent OpenClaw memory. Before enabling it, review cloud sync destinations, disable conversation access unless needed, avoid using it with secrets or regulated data, store tokens carefully, run dry-run modes first, inspect cron jobs, and back up memory/session files before cleanup, reset, or uninstall commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (43)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and documents capabilities that include shell execution, network access, file reads/writes, and environment interaction, but the skill metadata shown here declares no permissions. That mismatch can prevent informed consent and proper sandboxing, especially because the documented setup and automation scripts can install software, modify configs, and persist scheduled tasks.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior materially exceeds the high-level description by including software installation from the internet, credential collection and storage, plugin configuration changes, cron creation, session-history scanning, and deletion/trashing of files. This is dangerous because users may enable the skill expecting memory features while it can also alter the host, collect sensitive tokens, and process historical data beyond what was clearly disclosed.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The header comment states the script only modifies files under ~/.openclaw except for the standard Ollama installer, but the Intel install path also writes to /opt and /usr/local/bin via sudo. This is a real integrity and transparency issue because users may grant trust based on inaccurate scope-of-change claims and unknowingly permit broader system modification.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script is presented as an extraction tool, but it also renames and later trashes source session files as part of processing. That side effect can destroy or hide original conversation records unexpectedly, which is risky for auditability, incident response, and user trust.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The implementation sends session-derived message content to a remote MemOS API, while the script description suggests local extraction from session files. That mismatch can cause users to unknowingly exfiltrate sensitive conversation data to a third-party service.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The cleanup routine trashes multiple categories of session artifacts beyond the core extraction purpose, including trajectory, reset, deleted, and analyzed files. Broad cleanup coupled to a memory-extraction utility increases the chance of unintended data loss and removes forensic context that may be needed later.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README states that every conversation and session is automatically indexed, retrieved, and analyzed for promotion into long-term memory, but it does not clearly warn users that potentially sensitive conversation content may be persistently stored and processed. In a memory/persistence skill, this omission is materially risky because users may unknowingly feed secrets, personal data, or regulated information into local databases, markdown logs, vector stores, and downstream automation pipelines.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README presents optional cloud recall and three-way sync as features but does not prominently disclose that enabling these components may transmit user memory content off-device to a third-party cloud service. Because this skill is specifically designed to aggregate long-term agent memory, the missing warning increases the chance that sensitive personal or organizational data will be synced externally without informed consent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill describes automatic cloud sync, pre-reply context injection, and multiple file-writing/extraction pipelines without clear privacy warnings or data-handling boundaries. In a memory skill, those features increase the likelihood that sensitive prompts, logs, preferences, or tokens are copied across storage layers or sent to third-party/cloud systems without the user appreciating the impact.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The architecture describes cloud capture, recall, and cross-device synchronization of memory without a clear privacy notice, consent model, or data-transmission boundaries. In a memory system that stores user facts, preferences, and conversation-derived content, this omission can cause users and deployers to unknowingly send sensitive data to remote services.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The recommended configuration enables broad conversation access and automatic memory capture, but the document does not prominently warn that user interactions may be collected, stored, and potentially synchronized. That is dangerous because operators may deploy invasive defaults without informed consent or appropriate data-handling controls.

Missing User Warnings

High
Confidence
98% confidence
Finding
The document suggests protecting sensitive data by storing SHA-256 hashes computed with a publicly documented fixed salt, which does not safely protect secrets for operational use. With a known salt and a fast general-purpose hash, offline guessing is feasible for low-entropy values such as phone numbers, emails, and IDs, and hashing is neither an access control nor a substitute for secure secret storage.
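As an added illustration of this finding (not code from the skill or its documentation), the block below hashes a phone number with a hypothetical fixed salt and then recovers it by offline guessing when the attacker knows the area code and exchange, which leaves only 10,000 candidates. A keyed HMAC with a secret key that is kept out of the documentation and out of any synced config defeats the same guessing loop. The salt value, key and phone number are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical fixed salt of the kind the finding describes: it is published in
# the docs, so every attacker has it. This is not the skill's actual value.
PUBLIC_SALT = b"anamnesis-documented-salt"


def fixed_salt_sha256(value: str, salt: bytes = PUBLIC_SALT) -> str:
    """Weak scheme: a fast hash over a known salt plus the value."""
    return hashlib.sha256(salt + value.encode()).hexdigest()


def keyed_hmac_sha256(value: str, key: bytes) -> str:
    """Keyed alternative: guesses cannot be verified without the key, so the
    key must live outside the documentation and outside any synced config."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def guess_phone_number(target_hash: str, area_code: str, exchange: str,
                       salt: bytes = PUBLIC_SALT) -> Optional[str]:
    """Offline guessing against the weak scheme. With the area code and
    exchange known, a ten-digit number leaves only 10^4 candidates; the
    full ten-digit space (10^10) is still routine for GPU hashing."""
    for line in range(10_000):
        candidate = f"{area_code}{exchange}{line:04d}"
        if hmac.compare_digest(fixed_salt_sha256(candidate, salt), target_hash):
            return candidate
    return None


if __name__ == "__main__":
    phone = "5551234567"  # constructed sample value
    stored = fixed_salt_sha256(phone)
    print("recovered:", guess_phone_number(stored, "555", "123"))  # 5551234567

    key = secrets.token_bytes(32)  # per-deployment key, never published
    stored_hmac = keyed_hmac_sha256(phone, key)
    print("recovered from HMAC:", guess_phone_number(stored_hmac, "555", "123"))  # None
```

A slow KDF such as Argon2 or scrypt only multiplies the cost of each guess; it does not enlarge a 10^4 or 10^7 search space. For identifiers this small the practical options are a secret key (HMAC) held separately from the data, or not storing the value at all.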

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This documentation describes approving candidate memories into long-term storage files such as ARCHIVE.md and MEMORY.md, but it does not warn the operator that approved entries may contain sensitive personal data, inferred traits, or incorrect information that becomes persistent and potentially synchronized across systems. In a memory-management skill, omission of privacy and data-retention warnings increases the risk of unintended storage of sensitive user information and makes unsafe approval workflows more likely.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document explicitly describes pulling memos from a cloud API and later pushing local memory artifacts back to the cloud, but it does not provide any explicit privacy warning, consent gate, or data-classification boundary. In a memory system that also processes sessions, preferences, and extracted details, this omission can cause users to unknowingly synchronize sensitive personal or operational data to external services and model APIs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide configures a cloud memory plugin with an API token, remote server URL, and conversation access, but does not clearly warn that conversation-derived memory may be transmitted to and stored by a third-party service. In a memory/persistence skill, this omission materially increases the chance that operators will enable cross-device sync without understanding the privacy, retention, and data-governance consequences.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The cron-based pull/push synchronization instructions normalize automated transfer of local memory content to a remote cloud service without an explicit warning that sensitive notes, preferences, or other persisted context may be uploaded. Because the skill is specifically designed for persistent agent memory, the synced data is likely to contain high-sensitivity natural-language content over time.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The file documents pushing local memory content to a cloud service but does not provide a clear privacy warning, consent requirement, or guidance about sensitive data in memory files. In the context of a memory architecture for AI agents, those files may contain highly sensitive user data, so omission of an explicit transmission warning can lead to unintentional exfiltration to a third-party cloud backend.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document instructs users to reset processing state and reprocess historical sessions but does not prominently warn that this can lead to destructive state loss, duplicate processing, or difficult-to-reverse operational changes. In an agent memory system, reset actions can alter persisted memory behavior and should be clearly gated with backup and confirmation guidance.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide tells users to delete cached memory files with rm but does not clearly warn that local cached content will be removed and must be re-fetched from the cloud. If cloud sync is incomplete, unavailable, or inconsistent, users may lose access to local data or trigger unintended re-ingestion behavior.

Missing User Warnings

High
Confidence
99% confidence
Finding
The instructions explicitly delete the facts database and then attempt to rebuild it from ARCHIVE.md, but the rebuild may be incomplete or fail, causing irreversible data loss if the backup step is skipped or the seed source is stale. Because this database is part of a persistent memory architecture, deletion has direct integrity and availability consequences.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The migration guidance tells users to copy the .env file containing API tokens to a new device without any warning about secret handling, secure transfer, or token rotation. This increases the risk of credential exposure during migration, especially across devices or network transfers.

Missing User Warnings

High
Confidence
99% confidence
Finding
The uninstall section includes multiple recursive and force deletion commands that permanently remove workspace data, memory files, and scripts, but it lacks a prominent warning about irreversibility and scope. In a memory-management skill, these commands directly target the user's persisted data and therefore carry substantial risk of accidental destructive misuse.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script prompts for a MemOS API token and then persists it directly into ~/.openclaw/openclaw.json without clearly warning the user that the credential will be stored on disk in plaintext. This increases the risk of credential disclosure through local file access, backups, sync tools, or accidental sharing of configuration files.
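A check a deployer can run before and after setup, added here as an example rather than code from the skill: it walks a JSON configuration of the kind the script writes to ~/.openclaw/openclaw.json, reports every populated string value under a credential-looking key, and tells whether the file mode exposes the file to group or other users. The key names in the sample configuration are constructed; the skill's real schema is not shown on this page.

```python
import json
import os
import re
import stat
from typing import Any, Dict, List

# Key names that usually hold credentials. A heuristic, not the skill's schema.
SECRET_KEY = re.compile(r"(token|secret|api[_-]?key|password)", re.IGNORECASE)


def find_plaintext_secrets(obj: Any, path: str = "$") -> List[str]:
    """Return JSONPath-like locations of non-empty strings stored under
    credential-looking keys, searching nested objects and arrays."""
    hits: List[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}"
            if SECRET_KEY.search(key) and isinstance(value, str) and value:
                hits.append(here)
            hits.extend(find_plaintext_secrets(value, here))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(find_plaintext_secrets(value, f"{path}[{index}]"))
    return hits


def is_private_mode(mode: int) -> bool:
    """True when no group/other permission bits are set (0600 or stricter)."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def audit_config_file(path: str) -> Dict[str, Any]:
    """Run both checks against a config file on disk."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return {
        "plaintext_secrets": find_plaintext_secrets(data),
        "private_mode": is_private_mode(st.st_mode),
        "mode": oct(stat.S_IMODE(st.st_mode)),
    }


# Constructed sample resembling a plugin config with a pasted API token.
SAMPLE_CONFIG = {
    "plugins": {
        "memos": {
            "serverUrl": "https://memos.example.invalid",
            "apiToken": "mos-0123456789abcdef",
            "conversationAccess": True,
        }
    },
    "memory": {"cloudSync": {"enabled": True, "cronSchedule": "*/15 * * * *"}},
}

if __name__ == "__main__":
    print(find_plaintext_secrets(SAMPLE_CONFIG))  # ['$.plugins.memos.apiToken']
    print(is_private_mode(0o644), is_private_mode(0o600))  # False True
```

A hit means the token is readable by anything that can read the file, including backups and sync tools; a non-private mode means that set is wider than the owning user. Neither check rotates or protects the token; it tells the operator what is exposed before the file is copied to another device.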

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends conversation-derived memory content to a remote MemOS API for structured extraction, including facts, preferences, and potentially sensitive personal details, without any explicit consent, warning, or disclosure in the code path. In a memory-management skill, this context increases the risk because the data being handled is specifically long-term personal memory, making privacy harm and unauthorized third-party disclosure more severe.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script modifies `ARCHIVE.md` and `MEMORY.md` automatically through a helper writer without prompting the user or making the side effect explicit at runtime. In a persistent-memory skill, silent writes are risky because they can permanently store incorrect, sensitive, or prompt-injected content into long-term local memory files.

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

Detected: suspicious.destructive_delete_command

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
references/upgrade-reset.md:174
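The rule above, as well as the uninstall and facts-database findings earlier on the page, come down to one check: a destructive delete in documentation with no confirmation, dry-run or backup step before it. The detector below is an added example of that check and is not the scanner's own code or rule set; the gate idioms it recognizes (a `read -p` prompt and `$REPLY` test, a `--dry-run` switch, a backup via `tar`, `cp` or `rsync`) are assumptions about common shell practice, and the sample document, its paths and the `~~~` fences are constructed.

```python
import re
from typing import Dict, List

# rm carrying -r and/or -f in any order (rm -rf, rm -fr, rm -Rf, rm -r, rm -f).
DESTRUCTIVE_RM = re.compile(r"\brm\s+-[A-Za-z]*[rRf][A-Za-z]*\b")

# Shell idioms that count as a gate. Assumed idioms, not the scanner's rules.
GATE_PATTERNS = [
    re.compile(r"\bread\s+-[a-z]*p\b"),                  # read -p "Delete? [y/N] "
    re.compile(r'\[\[?\s*"?\$\{?REPLY'),                  # [[ $REPLY =~ ^[Yy]$ ]]
    re.compile(r"--dry-run\b|\bDRY_RUN\b"),
    re.compile(r"\b(tar|cp|rsync)\b.*\b(backup|bak)\b", re.IGNORECASE),
]

FENCE = ("```", "~~~")  # both CommonMark fence styles


def scan_markdown(text: str, code: str = "suspicious.destructive_delete_command") -> List[Dict]:
    """Flag destructive rm lines inside fenced code blocks that are not
    preceded, within the same block, by a confirmation, dry-run or backup."""
    findings: List[Dict] = []
    in_block = False
    gated = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(FENCE):
            in_block = not in_block
            gated = False  # a gate in one block does not protect the next
            continue
        if not in_block:
            continue
        if any(p.search(line) for p in GATE_PATTERNS):
            gated = True
        if DESTRUCTIVE_RM.search(line) and not gated:
            findings.append({"line": lineno, "command": stripped, "code": code})
    return findings


def format_location(path: str, finding: Dict) -> str:
    """Same path:line shape the report above uses."""
    return f"{path}:{finding['line']}"


# Constructed sample: one gated reset block, one ungated uninstall block.
SAMPLE_DOC = """# Reset and uninstall (constructed sample, not the skill's documentation)

Gated reset:

~~~bash
tar -czf ~/memory-backup.tgz ~/example-workspace
read -p "Delete cached memory? [y/N] " REPLY
[[ $REPLY =~ ^[Yy]$ ]] || exit 1
rm -rf ~/example-workspace/cache
~~~

Ungated uninstall:

~~~bash
rm -rf ~/example-workspace
rm -f ~/example-workspace.db
~~~
"""

if __name__ == "__main__":
    for hit in scan_markdown(SAMPLE_DOC):
        print(hit["code"], format_location("references/sample.md", hit), hit["command"])
```

The scan is deliberately per block: a prompt in a reset section does not excuse an `rm -rf` in the uninstall section, which is the situation the page's uninstall finding describes. Treat the output as a review queue, since a gate that appears in the same block may still be trivially bypassed (for example a prompt whose answer is never checked).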