Back to skill

Security audit

Memorist Agent

Security checks across malware telemetry and agentic risk

Overview

This memoir skill is not clearly malicious, but it handles very sensitive family stories while granting broad messaging, local persistence, installation, and agent-routing powers that are not scoped or disclosed tightly enough.

Install only if you are comfortable with the skill storing detailed family history locally, modifying OpenClaw messaging configuration, creating dedicated auto-reply agents, installing transcription tools, and sending story content through WhatsApp. Prefer relay/local export mode for sensitive stories, remove or avoid unused web_search/fetch capability if possible, and make sure every narrator explicitly agrees to being contacted, recorded, reminded, and having their stories shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (46)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill repeatedly claims it is local-first and that nothing is uploaded except explicitly triggered sends or shares, yet it grants generic network capabilities through fetch and web_search. That mismatch expands the trust boundary: a future prompt path, reference file, or skill update could exfiltrate highly sensitive memoir and family data without the narrow user intent implied by the documentation.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Declaring web_search for a memoir-capture skill is unjustified by the core functionality, and the documentation even states it is not used. Unused high-privilege capabilities are a security risk because they create unnecessary attack surface and could be abused to send sensitive contextual data to external services or incorporate untrusted web content into a highly personal workflow.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The privacy text says network calls occur only when explicitly triggered, but the skill also supports auto-reply agents and proactive reminder messages, which can send messages without a per-message explicit user action. This is a consent and transparency problem, especially because the content involves intimate family history and could be transmitted automatically once configured.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill advertises a local-first, privacy-protected workflow, yet the share flow explicitly offers sending memoir content over WhatsApp, which transmits sensitive family narratives to an external third-party service. This creates a clear privacy and trust mismatch that can expose highly personal data outside the local environment users were led to expect.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The documented use of `whatsapp_send_message` introduces outbound transmission of memoir content containing potentially sensitive personal and family information. In the context of a memoir-capture skill marketed as privacy-protected, this external messaging capability is risky because it expands the data exposure surface without strong justification or safeguards.

Context-Inappropriate Capability

High
Confidence
88% confidence
Finding
The setup flow instructs the agent to install local transcription software via pip or package managers and edit local Openclaw configuration, which causes persistent system changes and introduces supply-chain and environment-modification risk. In an agent context, auto-install behavior is dangerous because it can execute network-fetched code on the host without clear user approval, even if the goal is legitimate.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The narrator agent instructions include operational actions such as running ffmpeg conversions and especially restarting the Openclaw gateway. Giving a user-facing per-narrator agent permission or guidance to perform service-management actions unrelated to interviewing creates an unsafe expansion of capability that could disrupt messaging for all users or be abused through prompt injection to trigger denial of service.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The workflow directs the agent to notify a third party ('Jimmy') when a narrator has not responded to reminders, disclosing participation status and responsiveness without any stated consent or need-to-know basis. In a memoir/oral-history context, silence and engagement patterns are personal behavioral data, so sharing them externally creates a privacy leak and can undermine trust with vulnerable family members.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill behavior is materially narrowed from a general family memoir assistant into a tool for eliciting memories specifically about the user and the system owner. That hidden shift changes who the interview is about and can induce collection of relationship-specific personal data under a broader, less specific description, creating a transparency and consent gap.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
Requiring the agent to read owner.json and center interviews on the owner introduces undisclosed data use and a hidden participant in the interaction. In a memoir context, this is sensitive because the agent may pull in identity details about the owner and steer the user into sharing intimate information about that person without clear notice.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill behavior is materially broader and different from the stated purpose: instead of helping capture family members' life stories generally, it explicitly reframes the interaction around shared memories between the user and the system owner. That creates an undisclosed data-collection scope shift and may induce users to reveal relationship history or sensitive memories tied to the owner without informed consent.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
Requiring the agent to read owner.json and center the conversation on the system owner introduces hidden context about a third party and directs the interview toward that person without transparent disclosure. In a memoir/privacy-sensitive skill, this increases the risk of covert profiling, relationship mapping, and collection of sensitive personal data about both the user and the owner.

Description-Behavior Mismatch

Low
Confidence
87% confidence
Finding
The file documents persistent storage of story fragments, profiles, entities, and session logs, but that persistence is not clearly surfaced in the high-level behavior description to the user. For a memoir agent collecting intimate family history, undisclosed retention materially affects privacy expectations and informed consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The share flow sends memoir excerpts over WhatsApp without any user-facing warning that the data will be transmitted to and potentially retained by a third-party platform. Because the content concerns family life stories and may include intimate personal details, the lack of informed consent materially increases privacy risk.

Missing User Warnings

Low
Confidence
91% confidence
Finding
Recording `sharesHistory` with recipient and sharing metadata in `profile.json` creates an additional local record of sensitive relationship and communication data, but the user is not informed that this metadata will be stored. Even if kept locally, hidden retention of recipient details can surprise users and undermine privacy expectations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow instructs the agent to send sensitive life-story prompts over WhatsApp to a narrator's phone number without any explicit consent check, privacy notice, or verification that the narrator agreed to be contacted on that channel. Because the skill handles personal history and family data, this creates a real privacy risk: messages may be sent to the wrong number, to an unconsenting recipient, or through a third-party platform in a way users and narrators did not knowingly approve.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
These instructions combine software installation and local configuration changes without an explicit warning, confirmation gate, or least-privilege guidance. That is risky because users may not realize the agent is modifying their machine, and the commands could install unreviewed dependencies or alter runtime behavior in a persistent way.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The despawn flow deletes an agent and removes its binding with no confirmation, dry run, or authorization safeguard. In a multi-user or error-prone operational context, an accidental or socially engineered invocation could cut off a narrator's dedicated session and alter message routing unexpectedly.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow explicitly instructs the agent to use 'perfect memory' across prior sessions and to track intimate life domains, but it does not require transparent notice, consent, retention limits, or controls over reuse of highly personal autobiographical data. In a memoir/interview skill handling sensitive family history, health, relationships, beliefs, and hardship, this creates a real privacy and profiling risk if users do not understand that details will persist and be surfaced later.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document recommends delivering memoir-derived comics via the WhatsApp API, which implies transmitting highly personal family interview content and generated summaries to a third-party platform. In a privacy-focused memoir skill handling sensitive biographical data, omitting explicit consent, disclosure, data-handling boundaries, and an opt-in warning creates a real privacy and compliance risk rather than a purely theoretical concern.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow tells the agent to save language and reply-format preferences to profile.json but does not instruct the agent to disclose that storage or obtain consent. Even seemingly low-sensitivity preferences are personal data, and undisclosed persistence is risky in a privacy-positioned, local-first memoir tool because it conflicts with user expectations and may expand into broader profile storage over time.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The re-engagement design automates follow-up messages based on inactivity windows without first warning narrators that silence may trigger future contact. In a memoir interview setting, especially with older or emotionally vulnerable users, unsolicited repeated contact can feel intrusive, reveal the existence of the service to others who access their device, and create consent and harassment concerns.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document explicitly recommends sending highly sensitive memoir interview context, family history, and session summaries to third-party LLM providers, but it does not pair that design with clear consent, disclosure, retention, or provider-side data handling safeguards. Because this skill processes intimate family narratives over consumer messaging channels, omission of user-facing privacy controls materially increases the risk of unauthorized disclosure or unexpected external processing of personal data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This section encourages the agent to explore trauma, loss, abuse, and other highly sensitive topics and even describes post-interview support behaviors, but it does not pair that guidance with clear user-facing safety limits such as 'not a therapist,' crisis escalation instructions, or advice to avoid pressing on acute distress. In a memoir-interview skill aimed at older adults and family storytelling, this can normalize quasi-therapeutic probing and create a risk of emotional harm or unsafe reliance on the AI during moments of distress.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document recommends multiple cloud TTS services and provides ready-to-use API examples without warning that memoir text and possibly highly sensitive family-history content will be transmitted to third-party providers. In this skill's context, the data may include private stories, health details, family conflict, or identifiable voice content, so omission of privacy and retention guidance can lead to unintended disclosure and regulatory/compliance issues.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
references/spawn-despawn.md:52