Spark Memory

Security checks across malware telemetry and agentic risk

Overview

Spark Memory is a disclosed cloud-backed memory skill whose setup, credential storage, and remote API use match its stated purpose.

Install only if you are comfortable with selected conversation, business, and client context being stored and processed by Zellin's cloud service across sessions. Use a unique password for signup, keep the OpenClaw config private, do not store secrets or regulated data, and ask the agent to confirm before remembering sensitive client details or applying remembered rules to high-impact actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Memory Poisoning: Persistent Context Injection, Context Window Stuffing, Memory Manipulation
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to execute shell scripts, read configuration state, and write credentials into local OpenClaw config, yet it does not clearly declare the permissions/capabilities needed. That mismatch reduces transparency and weakens user/admin ability to review or constrain what the skill can do before activation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The marketed purpose is memory augmentation, but the documented behavior also includes account creation, credential provisioning, local config patching, and gateway restart. This hidden operational scope is dangerous because users or orchestrators may approve a benign-seeming memory skill without realizing it can alter local runtime state and onboard to a third-party service.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README markets persistent memory, cloud-backed storage, nightly reflection, and proactive resurfacing of prior data, but it does not provide a prominent, explicit warning about the privacy implications of ongoing collection and secondary processing of user content. In an agent skill context, users may not realize that routine interactions can be retained, analyzed later, and surfaced in future sessions, increasing the risk of oversharing sensitive business or personal information.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The setup instructions tell the agent to automatically activate memory whenever required environment variables are missing, which can trigger signup and configuration changes based on broad conditions rather than a tightly scoped user request. In context, this is more dangerous because activation involves collecting email/password, writing secrets, and restarting the gateway.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This script sends an organization identifier and a bearer API credential to a remote service, but the file itself provides no disclosure, consent prompt, or trust-boundary warning before transmission. In an agent skill context, hidden outbound data flow is security-relevant because users may execute the script without realizing that identifiers and sensitive credentials are being used in a network request to a third-party endpoint.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script transmits arbitrary caller-provided content and the organization identifier to a remote third-party API, but it provides no runtime disclosure, consent prompt, or guardrails about what kinds of data may be sent. In an agent-skill context, this is risky because the content argument could include sensitive prompts, user data, tool outputs, secrets, or internal context that are silently exfiltrated off-host.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
When auto-configuration is skipped or fails, the script prints the Spark API key and org ID directly to stdout. Secrets displayed in terminal output can be captured by shell history tooling, terminal logging, CI logs, screen sharing, or other local monitoring mechanisms, causing credential disclosure.

External Transmission

Medium
Category
Data Exfiltration
Content
SECTION="${1:-all}"

curl -s -X POST "${SPARK_API_URL}/spark-memory-insights" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${SPARK_API_KEY}" \
  -d "{\"org_id\": \"${SPARK_ORG_ID}\", \"section\": \"${SECTION}\"}"
Confidence
93% confidence
Finding
curl -s -X POST "${SPARK_API_URL}/spark-memory-insights" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${SPARK_API_KEY}" \
  -d

External Transmission

Medium
Category
Data Exfiltration
Content
}))
" "$QUERY" "$SPARK_ORG_ID")

curl -s -X POST "${SPARK_API_URL}/spark-memory-recall" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${SPARK_API_KEY}" \
  -d "$BODY"
Confidence
93% confidence
Finding
curl -s -X POST "${SPARK_API_URL}/spark-memory-recall" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${SPARK_API_KEY}" \
  -d

External Transmission

Medium
Category
Data Exfiltration
Content
}))
" "$SPARK_ORG_ID" "$CONTENT" "$EPISODE_TYPE" "$IMPORTANCE")

curl -s -X POST "${SPARK_API_URL}/spark-memory-record" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${SPARK_API_KEY}" \
  -d "$BODY"
Confidence
94% confidence
Finding
curl -s -X POST "${SPARK_API_URL}/spark-memory-record" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${SPARK_API_KEY}" \
  -d

Persistent Context Injection

Medium
Category
Memory Poisoning
Content
- **Business facts:** "We use net-30 payment terms" → `scripts/spark-record.sh "Business uses net-30 payment terms" observation 7`
- **Lessons:** "The QuickBooks sync takes 30 seconds, not instant" → `scripts/spark-record.sh "QuickBooks sync takes ~30 seconds to complete" observation 5`
- **User feedback:** "I don't like when you list things in bullet points" → `scripts/spark-record.sh "User dislikes bullet-point formatting, prefers prose" user_feedback 8`
- **Explicit rules:** "From now on, always send invoices on Monday" → `scripts/spark-record.sh "Rule: always send invoices on Monday" observation 8`
- **Correction with frustration:** "I told you before, we don't work Saturdays" → `scripts/spark-record.sh "CORRECTION: Business does not work Saturdays — user has stated this before" user_feedback 9`
- **Policy declarations:** "Our policy is net-30 payment terms" → `scripts/spark-record.sh "Policy: net-30 payment terms" observation 8`
Confidence
90% confidence
Finding
From now on, always

VirusTotal

64/64 vendors flagged this skill as clean.