Security audit

Eternal Memory

Security checks across malware telemetry and agentic risk

Overview

This is mostly a local memory search/indexing skill, but it is rated Review because some of its recurring, executable, and data-flow behavior is under-disclosed in the manifest.

Install only if you want a local tool that reads and writes your OpenClaw memory workspace. Do not enable the suggested cron jobs until you have reviewed what cross_system_bridge.py does, set SKIP_ONNX=1 for offline-only operation, avoid --serve unless you actually need a localhost embedding API, and treat any results produced with --no-verify as untrusted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
bridge_script = os.path.join(TOOLS_DIR, "cross_system_bridge.py")
if os.path.exists(bridge_script):
    try:
        subprocess.run(
            [sys.executable, bridge_script, '--mem2evo'],
            capture_output=True, text=True, timeout=30, cwd=WORKSPACE
        )
Confidence
78% confidence
Finding
subprocess.run( [sys.executable, bridge_script, '--mem2evo'], capture_output=True, text=True, timeout=30, cwd=WORKSPACE )
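The Behavioral AST pattern set listed above (exec(), eval(), dynamic import) and this subprocess finding are both things you can reproduce yourself before trusting a scanner verdict. The following is an added example, not code from the skill or from SkillSpector: a small Python AST walk that reports every call to a configurable list of dangerous callees, notes shell=True, and flags calls whose arguments are not all literals (those are the ones that need a data-flow review). The callee list and the SAMPLE snippet, which is modelled on the excerpt above, are constructed for illustration; aliased imports (import subprocess as sp) are deliberately out of scope.

```python
import ast
import sys
from pathlib import Path
from typing import Optional

# Callees worth a finding. Dotted entries are matched against the attribute
# chain exactly as written in the source; no alias tracking is attempted.
DANGEROUS_CALLS = {
    "exec", "eval", "compile", "__import__", "importlib.import_module",
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_call", "subprocess.check_output",
    "os.system", "os.popen", "os.execv", "os.execvp", "os.execve",
}


def _callee_name(node: ast.Call) -> Optional[str]:
    """Render the callee as dotted text ("subprocess.run") when it is a plain
    name or attribute chain; computed callees such as x[0]() or f()() yield None."""
    parts = []
    cur = node.func
    while isinstance(cur, ast.Attribute):
        parts.append(cur.attr)
        cur = cur.value
    if isinstance(cur, ast.Name):
        parts.append(cur.id)
        return ".".join(reversed(parts))
    return None


def _shell_true(node: ast.Call) -> bool:
    """True when the call passes a literal shell=True keyword."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords)


def scan_source(source: str, filename: str = "<string>") -> list:
    """One finding dict per dangerous call site, sorted by line number."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Call):
            name = _callee_name(node)
            if name in DANGEROUS_CALLS:
                findings.append({
                    "file": filename,
                    "line": node.lineno,
                    "call": name,
                    "shell_true": _shell_true(node),
                    # Literal-only arguments can be reviewed by eye; anything
                    # else (argv, config, file contents) needs a data-flow look.
                    "literal_args_only": all(isinstance(a, ast.Constant) for a in node.args),
                })
    return sorted(findings, key=lambda f: f["line"])


def scan_tree(root: Path) -> list:
    """Scan every .py file under root; unparseable files become a finding of their own."""
    out = []
    for py in sorted(root.rglob("*.py")):
        try:
            out.extend(scan_source(py.read_text(encoding="utf-8"), str(py)))
        except (SyntaxError, UnicodeDecodeError) as exc:
            out.append({"file": str(py), "line": 0, "shell_true": False,
                        "literal_args_only": False,
                        "call": f"<unparseable: {exc.__class__.__name__}>"})
    return out


# Constructed snippet modelled on the excerpt in the finding above; not the skill's code.
SAMPLE = '''\
import os, subprocess, sys

def run_cron(tools_dir, workspace):
    bridge_script = os.path.join(tools_dir, "cross_system_bridge.py")
    if os.path.exists(bridge_script):
        subprocess.run([sys.executable, bridge_script, "--mem2evo"],
                       capture_output=True, text=True, timeout=30, cwd=workspace)
    settings = eval(open("settings.txt").read())
    return settings
'''

if __name__ == "__main__":
    # Usage: python ast_scan.py [dir ...]; with no arguments the SAMPLE is scanned.
    targets = [Path(p) for p in sys.argv[1:]]
    results = [f for t in targets for f in scan_tree(t)] if targets else scan_source(SAMPLE, "sample.py")
    for f in results:
        print(f"{f['file']}:{f['line']}: {f['call']} shell={f['shell_true']} "
              f"literal_only={f['literal_args_only']}")
```

Run against the skill's tools directory, the scan should reproduce the subprocess.run site above; an empty result on a skill that the manifest says runs cron helpers would itself be a reason to look for computed callees the scanner cannot name.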

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises capabilities that imply file access, shell execution, environment access, and possible networking, yet it declares no explicit permissions or user-consent boundaries. In a memory/archival skill, this is dangerous because users may enable recurring indexing or repair operations without understanding that local files and system state can be read, modified, or scheduled for ongoing execution.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The code advertises a local, zero-cloud embedding engine but attempts to initialize a Hugging Face/fastembed model from a cache path, which can trigger model download or dependency-driven external access in some environments. That mismatch is security-relevant because operators may assume no network or third-party artifact retrieval occurs, yet the code path can introduce unreviewed model supply-chain exposure and unexpected outbound access.
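One pre-flight check a practitioner would want before the embedder initialises, written here as an added example rather than code from the skill: pin the SHA-256 of every local model artifact, fail closed if any is missing or altered instead of letting the loader fetch it, and set huggingface_hub's HF_HUB_OFFLINE variable so that library raises rather than downloads. The directory layout, artifact name and contents in demo() are constructed; whether the skill's own loader path honours HF_HUB_OFFLINE is an assumption to verify against its code.

```python
import hashlib
import os
import tempfile
from pathlib import Path


class ModelVerificationError(RuntimeError):
    """Raised when a pinned model artifact is missing or has an unexpected digest."""


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 of a file, so large .onnx artifacts are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def resolve_local_model(model_dir: Path, pinned: dict) -> Path:
    """Fail closed: every pinned artifact must exist under model_dir with the
    expected SHA-256. This function never downloads anything."""
    if not model_dir.is_dir():
        raise ModelVerificationError(f"model directory missing: {model_dir}")
    for rel, expected in pinned.items():
        artifact = model_dir / rel
        if not artifact.is_file():
            raise ModelVerificationError(f"missing artifact: {rel} (refusing to download)")
        actual = sha256_file(artifact)
        if actual != expected:
            raise ModelVerificationError(f"digest mismatch for {rel}: {actual} != {expected}")
    # Belt and braces: huggingface_hub honours HF_HUB_OFFLINE=1 and raises instead
    # of fetching. Set it before the embedding library is imported.
    os.environ["HF_HUB_OFFLINE"] = "1"
    return model_dir


def demo() -> dict:
    """Constructed demo: a fake one-file 'model' that passes, is tampered with, then removed."""
    with tempfile.TemporaryDirectory() as d:
        model_dir = Path(d) / "local-embedder"
        model_dir.mkdir()
        artifact = model_dir / "model.onnx"       # stand-in file name, not a real model
        artifact.write_bytes(b"hello")             # constructed content
        pinned = {"model.onnx": sha256_file(artifact)}
        accepted = resolve_local_model(model_dir, pinned) == model_dir
        artifact.write_bytes(b"hello, tampered")
        try:
            resolve_local_model(model_dir, pinned)
            tampered_rejected = False
        except ModelVerificationError:
            tampered_rejected = True
        artifact.unlink()
        try:
            resolve_local_model(model_dir, pinned)
            missing_rejected = False
        except ModelVerificationError:
            missing_rejected = True
    return {"accepted": accepted, "tampered_rejected": tampered_rejected,
            "missing_rejected": missing_rejected}


if __name__ == "__main__":
    print(demo())
```

The pinned digests belong in the skill's own repository next to the code that loads the model, so a model swap shows up as a reviewable diff rather than a silent cache change.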

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
During initialization, the embedder silently walks and reads files from the user's memory directory to fit TF-IDF. Even though this is local-only, it expands data access beyond the obvious task of encoding a provided string and can expose sensitive memory contents to any caller that instantiates the class, violating least surprise and least privilege.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The file exposes a persistent local HTTP server that accepts arbitrary POST input and returns embeddings, which broadens the attack surface beyond an in-process utility. While it binds to 127.0.0.1, local services are still reachable by other local processes, browser-based localhost pivot techniques, or malware, making unintended data processing and service abuse possible.

Description-Behavior Mismatch

Medium
Confidence
73% confidence
Finding
The manifest presents the skill as a self-contained local memory system, but cron mode silently invokes an external cross-system bridge outside that described scope. That mismatch increases risk because operators may not expect this component to trigger unrelated automation, enabling surprise behavior and enlarging the trust boundary.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The code falls back to an HTTP embedding service and sends raw query text to `http://127.0.0.1:19999/v1/embeddings`, which contradicts the skill's 'zero cloud dependency' and local-memory framing. Even though the endpoint is localhost, this still creates a data-flow boundary where sensitive queries may be exposed to another process or a forwarded/proxied service without user awareness.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list is broad and generic, making accidental activation likely during ordinary conversations about memory, vectors, archives, or verification. Because this skill can lead to local tooling, indexing, and background operations, overbroad activation increases the chance of unintended execution in contexts where the user did not request system-level memory management.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill recommends cron-based recurring scans and topology scoring every few minutes or daily, but it does not prominently warn that this creates persistent background monitoring of the workspace and ongoing file access. In a memory system that archives and verifies data, silent persistence materially raises privacy, resource-consumption, and unintended data-retention risks.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The component reads user memory files without disclosure, a prompt, or a user-controlled opt-in. In a memory-oriented skill this access is contextually plausible, but because it happens silently on object creation, any downstream code that instantiates the class triggers sensitive file ingestion without intending to.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The cold-migration routine writes compressed copies of user memory data to a secondary archive location without confirmation, visibility, or policy checks. In a memory-management skill handling potentially sensitive notes, silent duplication increases data exposure surface, retention scope, and forensic persistence if the archive path is less protected or unexpectedly backed up.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The --migrate-exec path performs real filesystem writes to user memory storage by creating gzip archives in the cold archive area, but the CLI provides only a generic label and no explicit confirmation, target path summary, or safety prompt. In a memory-management skill handling user data, this increases the risk of unintended data layout changes, silent storage growth, and operator confusion about whether migration is merely analytical or mutating.
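The two cold-migration findings above describe the same gap from two sides: an analytical step and a mutating step that are not clearly separated, no target-path summary, and no check on where the copies land. The following is an added example, not the skill's code, of how that routine could be split: a pure planning function, a describe step the CLI would print before any --migrate-exec, a POSIX permission check on the archive directory, and an execute step that refuses to run without an explicit confirmation. The workspace contents, file names and the *.md pattern are constructed for the demo.

```python
import gzip
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class MigrationStep:
    source: Path
    target: Path
    size: int


def plan_cold_migration(memory_dir: Path, archive_dir: Path, pattern: str = "*.md") -> list:
    """Analytical phase only: compute (source, target) pairs and touch nothing."""
    steps = []
    for src in sorted(memory_dir.rglob(pattern)):
        if src.is_file():
            rel = src.relative_to(memory_dir)
            target = archive_dir / rel.with_name(rel.name + ".gz")
            steps.append(MigrationStep(src, target, src.stat().st_size))
    return steps


def describe_plan(steps) -> str:
    """The target-path summary an operator should see before anything is written."""
    lines = [f"{len(steps)} file(s), {sum(s.size for s in steps)} bytes will be gzip-copied:"]
    lines += [f"  {s.source} -> {s.target}" for s in steps]
    return "\n".join(lines)


def check_archive_dir(archive_dir: Path) -> None:
    """The archive must not be weaker than the memory it duplicates: owner-only on POSIX."""
    archive_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    if os.name == "posix":
        mode = stat.S_IMODE(archive_dir.stat().st_mode)
        if mode & 0o077:
            raise PermissionError(f"{archive_dir} is group/world accessible (mode {mode:o}); "
                                  "refusing to archive there")


def execute_cold_migration(steps, *, confirmed: bool) -> int:
    """Mutating phase. Requires an explicit confirmation from the caller."""
    if not confirmed:
        raise PermissionError("migration not confirmed; review describe_plan() and pass confirmed=True")
    written = 0
    for step in steps:
        step.target.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
        with step.source.open("rb") as fin, gzip.open(step.target, "wb") as fout:
            shutil.copyfileobj(fin, fout)
        os.chmod(step.target, 0o600)   # archived copies are owner-read/write only
        written += 1
    return written


def demo() -> dict:
    """Constructed workspace with two notes: plan, refuse unconfirmed execution, then execute."""
    with tempfile.TemporaryDirectory() as d:
        memory = Path(d) / "memory"
        (memory / "2024").mkdir(parents=True)
        (memory / "2024" / "note.md").write_text("a private note\n")
        (memory / "todo.md").write_text("call the bank\n")
        archive = Path(d) / "archive"
        steps = plan_cold_migration(memory, archive)
        archive_existed_after_plan = archive.exists()
        planned = [str(s.target.relative_to(archive)) for s in steps]
        try:
            execute_cold_migration(steps, confirmed=False)
            refused = False
        except PermissionError:
            refused = True
        check_archive_dir(archive)
        written = execute_cold_migration(steps, confirmed=True)
        with gzip.open(archive / "todo.md.gz", "rt") as f:
            roundtrip = f.read()
        return {"planned": planned, "archive_existed_after_plan": archive_existed_after_plan,
                "refused_without_confirm": refused, "written": written, "roundtrip": roundtrip}


if __name__ == "__main__":
    print(demo())
```

Wiring this into a CLI, --migrate would print describe_plan() and exit, and --migrate-exec would be the only path that passes confirmed=True.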

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The HTTP fallback transmits user query text to another service without any user-facing notice, consent, or policy control. In a memory/search tool, queries may contain sensitive personal, operational, or proprietary content, so silent transmission can cause privacy leakage or violate user expectations and compliance requirements.
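The localhost embedding server, the HTTP fallback to http://127.0.0.1:19999/v1/embeddings, and this missing-warning finding all concern the same data-flow boundary: query text leaving the process. The following is an added example, not the skill's code, of the gate a practitioner would want in front of that fallback: explicit opt-in, a literal loopback IP rather than a resolvable name, refusal when a proxy variable is set (urllib and requests both read them, and a proxy would carry the query off-host), and a POST made through an opener with proxies disabled outright. The endpoint URL is the one the finding names; the JSON request and response shape is assumed to be OpenAI-style and is not documented by the page.

```python
import ipaddress
import json
import os
import urllib.request
from urllib.parse import urlsplit

# Endpoint named in the finding; the port and path are the skill's, the policy below is ours.
DEFAULT_FALLBACK_URL = "http://127.0.0.1:19999/v1/embeddings"
PROXY_VARS = ("HTTP_PROXY", "http_proxy", "HTTPS_PROXY", "https_proxy", "ALL_PROXY", "all_proxy")


class FallbackRefused(RuntimeError):
    """Raised when sending query text to the HTTP fallback is not permitted."""


def vet_fallback_url(url: str, *, opt_in: bool, env=None) -> str:
    """Return url only if (1) the operator explicitly enabled the fallback,
    (2) the target is a literal loopback IP, and (3) no proxy variable is set."""
    env = os.environ if env is None else env
    if not opt_in:
        raise FallbackRefused("HTTP fallback disabled; not sending query text to another process")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise FallbackRefused(f"unexpected scheme {parts.scheme!r}")
    if parts.hostname is None:
        raise FallbackRefused("no host in fallback URL")
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        # "localhost" resolves to whatever the resolver or /etc/hosts says; require a literal.
        raise FallbackRefused("host must be a literal IP address, not a name") from None
    if not addr.is_loopback:
        raise FallbackRefused(f"{addr} is not a loopback address")
    for var in PROXY_VARS:
        if env.get(var):
            raise FallbackRefused(f"{var} is set; a proxy could forward the query off-host")
    return url


def is_fallback_allowed(url: str, *, opt_in: bool, env=None) -> bool:
    """Boolean form of vet_fallback_url for callers that want to log and skip instead of raise."""
    try:
        vet_fallback_url(url, opt_in=opt_in, env=env)
        return True
    except FallbackRefused:
        return False


def embed_via_fallback(text: str, url: str = DEFAULT_FALLBACK_URL, *,
                       opt_in: bool = False, timeout: float = 5.0) -> list:
    """Vet first, then POST through an opener whose ProxyHandler({}) ignores every proxy setting."""
    url = vet_fallback_url(url, opt_in=opt_in)
    body = json.dumps({"input": text}).encode("utf-8")   # request shape assumed, not documented
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # empty dict: no proxies
    with opener.open(req, timeout=timeout) as resp:
        return json.load(resp)["data"][0]["embedding"]    # OpenAI-style response shape assumed


if __name__ == "__main__":
    for candidate in (DEFAULT_FALLBACK_URL,
                      "http://localhost:19999/v1/embeddings",
                      "http://[::1]:19999/v1/embeddings",
                      "http://10.0.0.5:19999/v1/embeddings"):
        verdict = "allowed" if is_fallback_allowed(candidate, opt_in=True, env={}) else "refused"
        print(f"{candidate}: {verdict}")
```

The opt-in flag is the user-facing notice the finding asks for: the fallback only fires when the operator has set it, and a log line at that point records exactly which query text crossed the process boundary.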

Tool Parameter Abuse

High
Category
Tool Misuse
Content
query = sys.argv[1] if len(sys.argv) > 1 else "记忆系统"   # default query: "memory system"
tier = "all"
limit = 10
verify = "--no-verify" not in sys.argv   # verification is on unless the flag is passed

for arg in sys.argv[2:]:
    if arg.startswith("--tier="):
Confidence
84% confidence
Finding
--no-verify

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.