OpenClaw Agent 本地知识库 + 自动记忆 & 文件管理 (Local Knowledge Base + Automatic Memory & File Management)

Security checks across malware telemetry and agentic risk

Overview

This skill is a genuine local memory/vault automation system, but it grants broad, persistent access to the vault and can send, move, delete, and repair data automatically without enough scoping or user control.

Review it carefully before installing:
  • Point it only at a vault that is safe to index and to modify.
  • Leave cron jobs and self-healing disabled until you have read the scripts they run.
  • Keep secrets out of synced notes and out of captured tool outputs.
  • Configure only LLM and embedding endpoints (local or remote) that you trust with note contents.
  • Do not enable antibody auto-fix unless every repair command has been manually reviewed and constrained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (32)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return False, "auto_fix needs job_id, skipped"

    try:
        result = subprocess.run(
            ["powershell", "-Command", auto_fix],
            capture_output=True, text=True, timeout=30,
            encoding="utf-8", errors="replace"
Confidence
99% confidence
Finding
result = subprocess.run( ["powershell", "-Command", auto_fix], capture_output=True, text=True, timeout=30, encoding="utf-8", errors="replace" )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    try:
        evo_script = Path(WORKSPACE) / "scripts" / "evolution_engine.py"
        if evo_script.exists():
            result = subprocess.run(
                [sys.executable, str(evo_script)],
                capture_output=True, text=True, timeout=30,
                encoding="utf-8", errors="replace"
Confidence
82% confidence
Finding
result = subprocess.run( [sys.executable, str(evo_script)], capture_output=True, text=True, timeout=30, encoding="utf-8", errors="replace" )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    req_file = SKILL_DIR / "requirements.txt"
    if req_file.exists():
        print("  Installing dependencies...")
        r = subprocess.run([sys.executable, "-m", "pip", "install", "-r", str(req_file)],
                           capture_output=True, text=True)
        if r.returncode == 0:
            print("  ✅ Dependencies installed")
Confidence
82% confidence
Finding
r = subprocess.run([sys.executable, "-m", "pip", "install", "-r", str(req_file)], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not DOCKER_COMPOSE.exists():
        return False
    try:
        r = subprocess.run(["docker", "compose", "-f", str(DOCKER_COMPOSE), "up", "-d"],
                           capture_output=True, text=True, timeout=60)
        if r.returncode == 0:
            print("  ✅ Qdrant started via docker-compose")
Confidence
87% confidence
Finding
r = subprocess.run(["docker", "compose", "-f", str(DOCKER_COMPOSE), "up", "-d"], capture_output=True, text=True, timeout=60)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The health-check tool is expected to inspect and report state, but this block elevates it into an automatic repair engine that executes PowerShell from antibody data. In context, that is especially dangerous because the antibodies are externally stored, writable configuration and therefore a realistic persistence and execution vector.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
Launching `evolution_engine.py` adds behavior outside the stated health-check purpose and creates a second execution path through a workspace-controlled script. This widens the blast radius of a compromise: anyone who can write to the workspace only needs the health check to run to gain code execution through the auxiliary script.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code sends generated alert content to an externally configured WeChat webhook without validation, redaction, or an allowlist. Even though the purpose is operational alerting, this creates a real data egress path and could expose internal health, failure states, and other potentially sensitive telemetry to an unintended recipient if the webhook is misconfigured or maliciously changed.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README prominently advertises automatic syncing of an Obsidian vault, observation capture from agent tool calls, compression, backups, and periodic maintenance, but it does not clearly warn users that potentially sensitive notes, conversation artifacts, and operational metadata may be continuously collected, stored, and possibly processed by external services. In a memory/persistence skill, this omission is security-relevant because users may enable hooks and cron jobs without understanding the privacy and retention implications.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation promotes automated archiving, classification, cleanup, health monitoring, and self-healing, but it does not clearly warn that these background actions may modify user knowledge-base data over time. In a skill that manages an Obsidian vault and derived memory stores, omission of change-management and backup warnings can lead to unintended data alteration, deletion, or hard-to-audit automated edits.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code packages examples extracted from local session logs and sends them to an external LLM API, authenticated with a bearer token, without any consent, redaction, or allowlist checks. Session logs can contain secrets, internal URLs, credentials, incident details, or proprietary data, so this creates a realistic data exfiltration and compliance risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script automatically writes recent session summaries, vault change metadata, and user preference content into persistent markdown snapshots under the vault. This creates additional durable copies of potentially sensitive conversational and preference data without any consent, minimization, or access-control checks, increasing exposure if the vault is synced, shared, or later inspected by unintended parties.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Candidate vault file contents are sent to an LLM gateway for distillation, but the tool provides no explicit runtime notice, consent prompt, or content-classification guard before transmitting potentially sensitive notes. Even though the gateway is configured to localhost, it is still an external service boundary that may log, proxy, or forward sensitive content depending on deployment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The --force path lets an operator send the contents of any selected vault file directly to the LLM gateway without an explicit warning or confirmation about data transmission. This is more dangerous than the automatic flow because it can be used on arbitrary files, including sensitive notes that may not have passed normal filtering heuristics.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This function transmits caller-supplied text to an external or at least separate LM Studio HTTP endpoint without any consent, classification, or redaction checks in this module. If the text contains secrets, proprietary content, or personal data, the skill can exfiltrate sensitive material outside the immediate process boundary and create unexpected data exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code automatically downloads a model from a remote URL and writes it to disk on first use, with no integrity verification, signature check, or explicit user approval. This introduces a supply-chain risk: a compromised remote artifact, MITM in an unsafe environment, or unexpected large download can lead to untrusted model ingestion and persistent local changes.
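
The following is an added example, not code from this skill, showing the download shape the finding asks for: the body is streamed into a `.part` file under a size cap, hashed as it arrives, compared against a pinned SHA-256 in constant time, and only then moved into place, so a tampered or oversized artifact never lands at the final path. The model URL, the digest, the size limit and the constructed "remote" bytes are assumptions; in the skill the digest would be a literal shipped next to the URL.

```python
import hashlib
import hmac
import os
import shutil
import tempfile
import urllib.request
from pathlib import Path

# Hypothetical pinned artifact. The "remote" bytes are constructed so the example runs offline;
# in real use PINNED_SHA256 is a literal committed with the skill, not computed at runtime.
MODEL_URL = "https://models.example.invalid/embed-mini.gguf"  # placeholder, never fetched here
GOOD_MODEL_BYTES = b"GGUF\x03\x00\x00\x00example-weights" * 32
PINNED_SHA256 = hashlib.sha256(GOOD_MODEL_BYTES).hexdigest()
MAX_MODEL_BYTES = 1 << 20


def http_chunks(url, chunk_size=1 << 16):
    """Production fetcher: stream the body so the size cap applies before it is all in memory."""
    if not url.startswith("https://"):
        raise ValueError("model downloads must use https")
    with urllib.request.urlopen(url, timeout=60) as resp:
        while True:
            block = resp.read(chunk_size)
            if not block:
                return
            yield block


def download_verified(fetch_chunks, url, dest, expected_sha256, max_bytes):
    """Stream to dest.part, hash while writing, publish to dest only if size and digest check out."""
    dest = Path(dest)
    part = dest.with_name(dest.name + ".part")
    hasher = hashlib.sha256()
    size = 0
    try:
        with part.open("wb") as fh:
            for chunk in fetch_chunks(url):
                size += len(chunk)
                if size > max_bytes:
                    raise ValueError(f"refusing {url}: body exceeds {max_bytes} bytes")
                hasher.update(chunk)
                fh.write(chunk)
        digest = hasher.hexdigest()
        if not hmac.compare_digest(digest, expected_sha256):
            raise ValueError(f"digest mismatch for {url}: got {digest}, pinned {expected_sha256}")
    except Exception:
        part.unlink(missing_ok=True)  # never leave an unverified artifact on disk
        raise
    os.replace(part, dest)  # atomic publish: dest is either absent or fully verified
    return dest


def demo():
    """Run the verifier against a good, a tampered and an oversized constructed 'remote'."""
    root = Path(tempfile.mkdtemp())
    outcome = {}
    good = download_verified(lambda _u: iter([GOOD_MODEL_BYTES[:100], GOOD_MODEL_BYTES[100:]]),
                             MODEL_URL, root / "good.gguf", PINNED_SHA256, MAX_MODEL_BYTES)
    outcome["good"] = good.read_bytes() == GOOD_MODEL_BYTES
    for label, body in (("tampered", [GOOD_MODEL_BYTES[:100], b"backdoor"]),
                        ("oversized", [b"\x00" * (MAX_MODEL_BYTES + 1)])):
        target = root / f"{label}.gguf"
        try:
            download_verified(lambda _u, b=body: iter(b), MODEL_URL, target,
                              PINNED_SHA256, MAX_MODEL_BYTES)
            outcome[label] = "accepted"
        except ValueError:
            outcome[label] = "rejected"
        outcome[label + "_leftover"] = (target.exists()
                                        or target.with_name(target.name + ".part").exists())
    shutil.rmtree(root)
    return outcome


if __name__ == "__main__":
    print(demo())
```

For a real download, pass `http_chunks` as `fetch_chunks`; the `.part` suffix also means a crashed run leaves nothing that the loader would mistake for a finished model.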

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends extracted session content to embedding and chat-completion services, including user prompts and conversation-derived narratives, without any consent gate or disclosure in the execution path. In a memory-extraction skill, this is particularly sensitive because the data being processed is explicitly conversational history and potentially personal or confidential information.

Missing User Warnings

High
Confidence
97% confidence
Finding
Automatic remediation occurs with no consent, preview, or warning, even though the action can execute arbitrary PowerShell. In this context, the lack of user confirmation materially increases the risk that a compromised or mistaken antibody definition causes destructive system changes silently.
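
As an added example (not the skill's own code) of how the auto-fix path flagged in the High findings above could be constrained: an antibody record may only select a named repair from a registry kept in code, each placeholder is validated against a pattern, the resulting argv is passed to `subprocess.run` as a list with no shell and no PowerShell interpreter, and nothing runs unless the caller opts in with `execute=True`. The antibody record shape, the action names and their argv templates are assumptions made for this example.

```python
import re
import shlex
import subprocess
import sys

# Assumed antibody record shape for this example (the skill's real schema is not shown on the page):
#   {"job_id": "qdrant-down", "auto_fix": {"action": "restart_container", "args": {"service": "qdrant"}}}
# The flagged code instead ran antibody["auto_fix"] as a PowerShell command string.

# Registry of the only repairs that can ever run: argv lists (never a shell) with validated placeholders.
REPAIR_ACTIONS = {
    "restart_container": (
        ["docker", "compose", "-f", "docker-compose.yml", "restart", "{service}"],
        {"service": re.compile(r"[a-z][a-z0-9_-]{0,31}")},
    ),
    "pip_check": ([sys.executable, "-m", "pip", "check"], {}),
}


def build_repair_argv(auto_fix):
    """Translate an antibody's auto_fix selector into a fixed argv, or raise ValueError."""
    if not isinstance(auto_fix, dict):
        raise ValueError("auto_fix must select a registered action, not carry a command string")
    name = auto_fix.get("action")
    if name not in REPAIR_ACTIONS:
        raise ValueError(f"unknown repair action {name!r}")
    template, rules = REPAIR_ACTIONS[name]
    args = auto_fix.get("args") or {}
    if set(args) != set(rules):
        raise ValueError(f"{name} expects exactly the args {sorted(rules)}")
    for key, rule in rules.items():
        value = args[key]
        if not isinstance(value, str) or not rule.fullmatch(value):
            raise ValueError(f"rejected value for {key}: {value!r}")
    # Placeholders are substituted into individual argv elements; values never reach a shell parser.
    return [part.format(**args) if "{" in part else part for part in template]


def run_repair(antibody, execute=False, runner=subprocess.run):
    """Dry-run by default: report what would run. Only execute=True spawns a process."""
    job_id = antibody.get("job_id")
    if not job_id:
        return False, "auto_fix needs job_id, skipped"
    try:
        argv = build_repair_argv(antibody.get("auto_fix"))
    except ValueError as exc:
        return False, f"{job_id}: auto_fix rejected: {exc}"
    if not execute:
        return True, f"{job_id}: dry-run, would execute {shlex.join(argv)}"
    result = runner(argv, capture_output=True, text=True, timeout=30,
                    encoding="utf-8", errors="replace")
    return result.returncode == 0, f"{job_id}: exit {result.returncode}: {result.stdout.strip()[:200]}"


if __name__ == "__main__":
    # Constructed antibodies: one legitimate, one carrying a command string, one trying injection.
    for antibody in (
        {"job_id": "qdrant-down", "auto_fix": {"action": "restart_container", "args": {"service": "qdrant"}}},
        {"job_id": "bad-1", "auto_fix": "Remove-Item -Recurse -Force C:\\vault"},
        {"job_id": "bad-2", "auto_fix": {"action": "restart_container",
                                         "args": {"service": "qdrant; Stop-Computer"}}},
    ):
        print(run_repair(antibody))
```

The `runner` parameter exists so the dispatcher can be exercised without touching Docker; the registry, not the antibody store, is the trust boundary, so a writable antibody file can at most pick a repair the operator already reviewed.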

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The orchestrator can execute multiple maintenance scripts, including a destructive cleanup mode with '--execute', based only on CLI cycle selection and internal configuration, without any confirmation, allowlist gating beyond the DAG, or safety interlock. In environments where the orchestrator may be triggered automatically or by less-trusted operators, this increases the risk of unintended destructive actions and broadens the blast radius of any compromised subordinate script.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script records tool inputs, tool outputs, and user prompts to a persistent local JSONL queue, which can capture sensitive data such as secrets, private prompts, file contents, or API responses. In an agent/tooling context, this telemetry is especially risky because tool I/O often contains credentials and confidential user data, and the code provides no consent, redaction, or access-control protections beyond truncation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Queued observation data is not only stored but also forwarded for additional processing and indexing, increasing the privacy and data-exposure surface. In this skill context, indexing captured tool traffic into another system can amplify impact by making sensitive content easier to search, retain, and reuse, especially if users were not clearly informed this secondary processing occurs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends up to 300 characters of file content from inbox documents to an external/local Gateway API for classification without explicit consent, warning, or an opt-in control. In a note vault context, inbox files may contain secrets, personal data, or proprietary content, so even partial exfiltration to another service materially increases confidentiality risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
`scan_temp_files()` is expected to only enumerate cleanup candidates, but it also calls `d.rmdir()` and deletes directories immediately, even during dry-run mode. This violates the safety model advertised by the script, can cause unintended state changes during a nominal scan, and may surprise operators or higher-level automation that assumes no destructive action occurs unless `--execute` is provided.
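
An added example (not the skill's script) of the separation the finding expects: the scan function only reads the tree and returns candidates, including empty directories, and a separate apply step deletes them only when the `--execute` flag is passed through as `execute=True`. The temp-file suffixes, the age cutoff and the throwaway tree built in `demo()` are assumptions for this example.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path

TEMP_SUFFIXES = {".tmp", ".bak"}  # assumed cleanup targets; the real script's rules are not on the page


def scan_temp_files(root, max_age_days=7, now=None):
    """Enumerate cleanup candidates only. Reads the tree; never creates, moves or deletes anything."""
    root = Path(root)
    cutoff = (time.time() if now is None else now) - max_age_days * 86400
    candidates = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            continue  # never follow links out of the vault
        if path.is_file() and path.suffix in TEMP_SUFFIXES and path.stat().st_mtime < cutoff:
            candidates.append(path)
    # Empty directories are reported here; the flagged code removed them during this scan.
    for path in sorted(root.rglob("*"), reverse=True):
        if path.is_dir() and not path.is_symlink() and not any(path.iterdir()):
            candidates.append(path)
    return candidates


def apply_cleanup(candidates, execute=False):
    """Delete candidates only when execute=True (the --execute flag); otherwise touch nothing."""
    if not execute:
        return []
    removed = []
    for path in candidates:
        if path.is_dir():
            path.rmdir()  # only empty dirs are candidates, and rmdir refuses anything else
        else:
            path.unlink()
        removed.append(path)
    return removed


def demo(execute):
    """Build a constructed throwaway tree, scan it, apply with or without --execute, report survivors."""
    root = Path(tempfile.mkdtemp())
    stale = root / "cache" / "index.tmp"
    stale.parent.mkdir()
    stale.write_text("stale")
    os.utime(stale, (0, 0))  # mtime at the epoch: well past the age cutoff
    (root / "empty").mkdir()
    (root / "notes.md").write_text("keep me")

    def rel(path):
        return path.relative_to(root).as_posix()

    plan = scan_temp_files(root)
    removed = apply_cleanup(plan, execute=execute)
    survivors = sorted(rel(p) for p in root.rglob("*"))
    shutil.rmtree(root)
    return [rel(p) for p in plan], [rel(p) for p in removed], survivors


if __name__ == "__main__":
    print("dry-run:", demo(execute=False))
    print("execute:", demo(execute=True))
```

A scan that cannot delete is also what lets the orchestrator in the later finding reason about the cleanup cycle: the only way to reach `rmdir` or `unlink` is through `apply_cleanup(..., execute=True)`.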

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The function sends raw user queries to embedding/vector backends, which may expose sensitive prompts, secrets, or personal data to external or separately hosted services without any visible disclosure or consent mechanism. In a memory system, users are especially likely to submit private content, so silent transmission increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
This path transmits user queries to the Mem0 backend without any visible notice to the user. Because the script is designed around memory retrieval, the queried content may contain personal preferences, project details, or sensitive operational context, making undisclosed transmission a meaningful privacy/security issue.
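
The findings above on the WeChat webhook, the LLM gateway and LM Studio calls, the embedding and Mem0 queries, and the JSONL observation queue all describe the same missing control: nothing checks where data is going or what it contains before it leaves the process or lands on disk. As an added example (not the skill's code), one guard serving all of those paths: an exact-origin endpoint allowlist, secret redaction with a consent gate when redaction fired, and an observation recorder that redacts before truncating so a cut-off secret cannot slip past the patterns. The secret patterns, the trusted endpoints and the sample tool output are constructed assumptions.

```python
import json
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Constructed secret shapes common in tool I/O; extend per deployment.
SECRET_PATTERNS = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._\-]{16,}")),
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----")),
    ("kv_secret", re.compile(r"(?i)\b(api[_-]?key|password|passwd|secret|token)\s*[:=]\s*\S+")),
]

# Assumed trusted endpoints: the local gateway and LM Studio ports this deployment actually runs.
TRUSTED_ENDPOINTS = ["http://127.0.0.1:1234", "http://localhost:11434"]


def redact_secrets(text):
    """Replace secret-like substrings; returns (redacted_text, number_of_hits)."""
    total = 0
    for name, pattern in SECRET_PATTERNS:
        text, hits = pattern.subn(f"[REDACTED:{name}]", text)
        total += hits
    return text, total


def _origin(url):
    """Normalise to scheme://host:port so the allowlist match is exact, not a prefix match."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return None
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return None
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"


def prepare_outbound(text, url, trusted=TRUSTED_ENDPOINTS, user_consented=False):
    """Gate any transmission (webhook, LLM gateway, embedding backend) before the HTTP call."""
    origin = _origin(url)
    if origin is None or origin not in {_origin(u) for u in trusted}:
        return {"send": False, "reason": f"endpoint not allowlisted: {url}", "payload": None}
    redacted, hits = redact_secrets(text)
    if hits and not user_consented:
        return {"send": False,
                "reason": f"{hits} secret-like strings found; explicit user consent required",
                "payload": None}
    return {"send": True, "reason": "ok", "payload": redacted}


def record_observation(queue_path, tool_name, tool_input, tool_output, max_len=2000):
    """Append a redacted, truncated record; redact first so truncation cannot split a secret in half."""
    record = {
        "tool": tool_name,
        "input": redact_secrets(tool_input)[0][:max_len],
        "output": redact_secrets(tool_output)[0][:max_len],
    }
    queue_path = Path(queue_path)
    queue_path.touch(mode=0o600, exist_ok=True)  # owner-only; the mode applies at creation
    with queue_path.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, ensure_ascii=False) + "\n")
    return record


SAMPLE_TOOL_OUTPUT = (  # constructed sample of what a shell tool might hand back
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc.def\n"
    "aws_access_key_id = AKIAABCDEFGHIJKLMNOP\n"
    "password=hunter2\n"
)


def demo_queue():
    """Write one observation to a temporary queue and read it back."""
    root = Path(tempfile.mkdtemp())
    path = root / "observations.jsonl"
    record_observation(path, "shell", "cat config.env", SAMPLE_TOOL_OUTPUT)
    line = path.read_text(encoding="utf-8").splitlines()[0]
    os.remove(path)
    os.rmdir(root)
    return json.loads(line)


if __name__ == "__main__":
    print(prepare_outbound(SAMPLE_TOOL_OUTPUT, "http://127.0.0.1:1234/v1/chat/completions"))
    print(prepare_outbound("vault note text", "https://hooks.example.com/wechat"))
    print(demo_queue())
```

The allowlist compares normalised origins rather than URL prefixes, so `http://localhost.evil.com:11434/` does not pass because it starts with `http://localhost`; the `--force` path from the earlier finding would call `prepare_outbound` with `user_consented=True` only after the operator has seen the redaction count.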

VirusTotal

65/65 vendors flagged this skill as clean.
