Memorist Agent

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Prompt-injection indicators were detected in the submitted artifacts (system-prompt-override); human review is required before treating this skill as clean.

This skill appears aligned with its stated memoir-interview purpose. Before installing, make sure you are comfortable storing family stories under ~/.openclaw/memorist_agent, using WhatsApp or other messaging accounts for interviews, and optionally creating persistent narrator agents with /spawn. Prefer allowlists over open messaging policies, review optional package installs, and use /despawn when you want auto-reply to stop. ClawScan detected prompt-injection indicators (system-prompt-override), so this skill requires review even though the model response was benign.

Static analysis

Prompt injection instructions

Warn
Finding
Prompt-injection style instruction pattern detected.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent has tools that could read/write local memoir data and send messages, and it is also allowed to access the web if invoked.

Why it was flagged

The skill grants local file, WhatsApp sending, and general network/search tools. File and WhatsApp tools are central to the memoir workflow; fetch/web_search are less clearly explained by the provided workflows.

Skill content

allowed-tools:
  - file_read
  - file_write
  - whatsapp_send_message
  - fetch
  - web_search

Recommendation

Use the skill for its documented workflows, and avoid placing unrelated sensitive files in its working directories. Consider limiting web tools if your OpenClaw environment supports per-skill tool restrictions.

What this means

If enabled, the agent may interact through your messaging accounts, and iMessage setup may require broad macOS permissions.

Why it was flagged

iMessage integration requires elevated local access and uses the user's messaging account, which is expected for auto-reply but sensitive.

Skill content

iMessage auto-reply | macOS only. `channels.imessage.enabled: true`, narrator's phone/email in `channels.imessage.allowFrom`, Full Disk Access granted to terminal.

Recommendation

Prefer narrow allowlists such as allowFrom, enable only the channels you need, and understand the consequences before granting Full Disk Access.

What this means

Installing optional transcription support may add third-party software to your machine.

Why it was flagged

The optional voice transcription setup installs third-party packages without pinned versions. This is purpose-aligned for transcription, but it relies on external package sources.

Skill content

/memorist_agent setup-stt ... `arm64` → run `pip3 install mlx-whisper` ... `x86_64` / Linux → run `brew install openai-whisper` or `pip3 install openai-whisper`

Recommendation

Review and approve package installs manually if possible, and install from trusted package managers or pinned versions where available.

What this means

Family stories, names, places, dates, and raw answers are stored locally and reused in later sessions.

Why it was flagged

The skill maintains persistent memoir memory, entity maps, sessions, and fragments, then reuses them to guide future interviews. This is the core purpose, but it contains sensitive family information.

Skill content

Load `profile.json`, `entities.json`, `sessions.json` ... Load all existing fragments for this domain ... Merge `entitiesFound` from this session into `entities.json`

Recommendation

Treat ~/.openclaw/memorist_agent as sensitive personal data, back it up carefully if needed, and delete it when you no longer want the memoir data retained.

What this means

After you run /spawn, the narrator may interact directly with an agent through messaging without each reply being manually reviewed by you.

Why it was flagged

The skill can create a persistent dedicated agent that automatically handles future messages from a narrator. The workflow is disclosed and includes despawn steps, but it is a persistent autonomous behavior users should understand.

Skill content

`/memorist_agent spawn` ... Create a dedicated, isolated Openclaw agent for one narrator ... all messages from the narrator's WhatsApp, iMessage, or Telegram are routed directly to their personal agent via a peer-level binding

Recommendation

Use /spawn only for narrators who understand the arrangement, verify the peer binding is limited to the intended phone/user ID, and use /despawn when auto-reply is no longer desired.