Security audit

yf-memo

Security checks across malware telemetry and agentic risk

Overview

This is a local todo skill with no obvious exfiltration, but it includes under-scoped automatic writes and a test script that can delete real memo files.

Review before installing. Use explicit wording for any action that should be saved, avoid storing secrets in todo items, do not run references/test-cross-platform.sh on a real workspace unless the memo files are backed up, and enable cron or shell-profile setup only if you deliberately want that persistence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill declares very broad activation criteria around general remembering, tracking, or managing tasks, which can cause the agent to invoke the skill during ordinary conversation without sufficiently explicit user intent. In a system that can execute shell commands, ambiguous activation increases the chance of unintended state changes such as adding or completing tasks based on casual remarks.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The instructions explicitly discourage fixed command patterns and instead rely on open-ended intent inference, without providing concrete activation boundaries or safety checks. That makes accidental invocation more likely, especially for write operations like adding or completing tasks, because ordinary statements can be interpreted as commands that alter persistent records.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The phrase 'Items will be added automatically when you ask' defines an implicit write action without clear confirmation, scope, or trigger boundaries. In a memo/todo skill, this can cause unintended creation of tasks from ambiguous user text, prompt-injected content, or conversational context, leading to integrity issues in the user's notes and task lists.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Allowing silent auto-setup that creates files, copies scripts, and changes permissions without an upfront warning weakens user consent and can normalize unnoticed filesystem modifications at session start. In a hook context, automatic execution is more sensitive because it occurs implicitly and may surprise users who did not intend to install or run setup logic.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The implementation explicitly describes updating markdown files in the local workspace but does not require any user-facing disclosure or confirmation before modifying persistent data. This can lead to silent state changes, unexpected file writes, and reduced user awareness about where sensitive personal task data is being stored.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script unconditionally deletes user workspace files at startup and later recreates them with canned content, with no backup, prompt, or isolation to a temporary test area. In a personal memo skill, these paths likely contain real user notes and completed tasks, so running the test can destroy or overwrite legitimate data.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The script discovers a skill directory with find and then executes helper scripts from that location using sh, without validating provenance, expected path, or script integrity. If an attacker can place a malicious yf-memo directory earlier in the search results or tamper with the helper scripts, the test harness will execute arbitrary code under the user's account.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The guide promotes very broad natural-language activation examples such as generic reminder phrases in mixed English/Chinese without defining clear invocation boundaries. In an agent environment, this increases the chance the skill is triggered unintentionally by ordinary conversation, causing unintended writes to memo files or other side effects.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The phrase 'Just say Reminder: ... to begin' is globally generic and likely to collide with normal user speech. Because this skill persists data, accidental activation can create, modify, or clutter user task records without deliberate intent.

Session Persistence

Medium
Category
Rogue Agent
Content
**Method 3: Use Environment Variable Setup**
First, set up these environment variables in shell profile:
```bash
# Add to .zshrc or .bashrc
export YFMEMO_SKILL_DIR="$HOME/.openclaw/skills/yf-memo"
export YFMEMO_SCRIPT="$YFMEMO_SKILL_DIR/scripts/memo-helper.sh"
```
Confidence
72% confidence
Finding
Add to .zshrc

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.