Mi-MemoryStack

Security checks across malware telemetry and agentic risk

Overview

This memory skill needs review because it makes every chat turn persistently logged, edits global agent instructions, runs a background daemon, and can send conversation data to an unspecified API.

Install only if you deliberately want all user messages and assistant replies linked to user IDs and saved automatically. Review install.sh before running it, confirm the API endpoint and token handling, add consent and skip controls for sensitive chats, and document how to stop the daemon and delete stored memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares only Bash execution yet its documented behavior implies broader capabilities including filesystem persistence, daemon control, and likely outbound/network-like operational scope without explicit permission disclosure. This mismatch weakens reviewability and can let a memory skill gain more operational power than users or hosts expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The stated purpose is simple memory retrieval/storage, but the documentation also introduces mandatory always-on behavior and daemon lifecycle management that affect the host environment beyond that narrow scope. When a skill expands into persistence and host-level control without clear declaration, it increases the chance of unauthorized configuration drift, hidden retention, and abuse of the execution environment.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Adding start/stop/status management for a background daemon goes beyond a simple conversational memory helper and introduces persistent process control on the host. Persistent background services enlarge the attack surface, can survive beyond the current session, and may continue collecting or processing data unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Bulk memory enumeration exposes far more user data than is needed for per-turn contextual retrieval and increases the risk of privacy leakage, profiling, or accidental disclosure. The feature is especially sensitive because records include queries, responses, timestamps, and categorized personal information tied to a user ID.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script transmits `user_id` and `query` to an external API, creating a data exfiltration path for potentially sensitive user identifiers and conversation-derived content. In a memory skill, network access may be functionally expected, but the code provides no visible validation, allowlisting, consent flow, or minimization controls, so the capability is broader and riskier than the file alone justifies.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
Although the interface appears to return a normalized subset of memory fields, it also includes the full `api_response` in the result and later prints it to stdout. That can leak unexpected sensitive fields returned by the backend, including metadata, internal annotations, or additional user data that downstream components were not supposed to receive.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The installer edits core governance files (AGENTS.md and SOUL.md) to make this skill mandatory for every turn, which exceeds a memory skill's expected scope and changes global agent behavior. This creates a privilege-escalation style policy takeover: once installed, the skill can force universal memory use and alter how the agent operates regardless of user consent or session context.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The injected content adds daemon-management and agent-governance instructions that direct the host agent to start services and run commands before responding. That behavior is not strictly necessary for a memory feature and is dangerous because it broadens the skill from data storage into persistent control over runtime workflow and command execution expectations.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill mandates automatic storage on every turn with no consent prompt, opt-out, retention notice, or data handling disclosure. That creates a clear privacy risk because users may reveal sensitive personal, financial, health, or identity information during normal conversation without realizing it will be persistently stored.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation explicitly validates saved results by reading per-user data files, but it does not warn that those files may contain sensitive content or require protection. Normalizing direct inspection of raw memory files increases the likelihood of casual exposure, insecure storage practices, and unintended copying of personal data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends raw user query and AI response content to an external API, which can include sensitive personal data, preferences, and conversation history, but there is no consent check, disclosure mechanism, minimization, or destination validation in the code. In the context of a memory skill that is described as mandatory on every turn, this creates a persistent privacy and data-exfiltration risk because all conversations may be transmitted off-platform automatically.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function writes full user queries and responses to disk in `~/.openclaw/memory_queue` without any consent, retention control, or disclosure. In a memory skill that claims every conversation must be stored, this materially increases privacy risk because sensitive chat content may persist locally and be readable by other local processes or users depending on permissions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
User queries and responses are passed into a background worker without any user-facing notice that their content is being processed asynchronously by another script. This expands the data exposure surface and complicates trust boundaries, especially in a skill explicitly designed to capture conversational memory every turn.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code sends `user_id` and `query` to an external service without any user-facing disclosure or consent mechanism at the call site. Because this is a memory skill that may process personal preferences, identities, and conversation context, silent transmission increases privacy and compliance risk even if the external API is legitimate.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script silently modifies AGENTS.md and SOUL.md after only printing a generic installation message, without clearly warning that core workspace policy files will be changed. Silent modification of high-trust configuration files undermines informed consent and makes review, rollback, and detection of policy tampering harder.

Natural-Language Policy Violations

High
Confidence
84% confidence
Finding
The SOUL.md insertion includes Chinese-language policy text without any user opt-in or locale negotiation. While language forcing is not the primary security issue, in a governance file it can reduce operator understanding and auditability, especially when coupled with mandatory behavioral rules.

Natural-Language Policy Violations

High
Confidence
86% confidence
Finding
The AGENTS.md workflow injection adds extensive Chinese-language operational instructions that may not be understandable to administrators or users reviewing the workspace. In context, this is more dangerous because the text is not merely cosmetic; it carries mandatory execution and logging requirements that could evade effective review if readers do not understand the language.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document instructs the user to navigate to a directory and run an install.sh script, but provides no description of what the script does, what permissions it requires, or what system changes it will make. Encouraging execution of an opaque shell script is risky because install scripts can modify files, change configuration, fetch remote content, or execute privileged operations without the user understanding the consequences.

Ssd 3

High
Confidence
98% confidence
Finding
The skill instructs storing every conversation turn, including profile and identity-linked information, with no minimization or filtering rules. In this context, a memory skill is expected to handle user context, which makes the lack of guardrails more dangerous because the broad collection will predictably capture highly sensitive material.

Ssd 3

High
Confidence
97% confidence
Finding
The required workflow makes unconditional logging part of every response cycle, effectively turning normal chat into systematic retention without contextual judgment. Because the save step is mandatory and non-skippable, operators or agents are discouraged from respecting privacy-sensitive situations where content should not be persisted.

Ssd 3

Medium
Confidence
92% confidence
Finding
The skill binds memory records to persistent platform identifiers, enabling long-term profiling and cross-session linkage of an individual's activity. Even if intended for multi-user isolation, tying conversational content directly to unique identifiers raises privacy risk and increases harm from data exposure.

Ssd 3

Medium
Confidence
89% confidence
Finding
The examples normalize retention of preferences, ownership details, and personal profile information as ordinary memory content, which can encourage overcollection. Example code strongly shapes implementation behavior, so showcasing identity and preference storage without safeguards increases the chance that sensitive personal data will be persisted by default.

Ssd 3

High
Confidence
98% confidence
Finding
The inserted workflow requires logging every user input and every model response into persistent memory on each turn, regardless of sensitivity, minimization, or consent. In a memory skill, this context makes the issue more dangerous rather than less: the feature directly handles conversational data, so making universal persistence mandatory can capture secrets, personal data, credentials, and regulated content at scale.

Ssd 3

High
Confidence
97% confidence
Finding
The SOUL.md patch states that memory is mandatory for every dialogue turn and that the agent must always save memory, turning persistent logging into a core identity-level rule. Embedding compulsory persistence in a foundational file is dangerous because it normalizes indiscriminate retention and makes privacy-preserving exceptions difficult or impossible.

VirusTotal

64/64 vendors flagged this skill as clean.