Openclaw Semantic Memory

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed semantic-memory skill that stores and recalls conversation memories, with privacy-sensitive behavior that users should configure deliberately.

Install only if you want persistent agent memory. Review the ~/.openclaw-memory storage location, leave autoCapture and allowPIICapture off unless you intentionally want conversation content saved, use only trusted Qdrant servers, and delete memories you no longer want recalled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 90%
Finding
The skill is presented as 'fully local' and 'zero configuration', but the documented behavior includes optional external Qdrant connectivity, persistent storage under the user's home directory, automatic capture of conversation content, and automatic context injection. This is a real security/transparency issue because users may enable or rely on the skill under an incomplete trust model, leading to unintended retention or transmission of sensitive data.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The README gives contradictory statements about whether memory-mode data is persisted to disk. Earlier sections state that persistence is enabled by default and stored under ~/.openclaw-memory/, while a later section says memory-mode data exists only during process runtime and must be reindexed after restart. This kind of documentation inconsistency is security-relevant because users may mishandle sensitive conversation data under the false assumption that it is ephemeral or, conversely, fail to wipe persisted data they did not realize was being retained.

Description-Behavior Mismatch

Severity: High
Confidence: 93%
Finding
The skill is described as fully local, but it can connect to a user-configured external Qdrant server. That creates a trust-boundary and data-exposure mismatch: stored memories may leave the local machine despite the local-only claim, which can mislead users into disclosing sensitive information under false assumptions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
Embeddings initialization may download the model at runtime, which contradicts the claim of fully local operation and no external dependency. This can cause undisclosed network access and may expose metadata such as IP address, environment details, or usage timing to external model hosts.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The skill automatically captures user messages after agent execution and stores them as long-term memory without requiring an explicit save action. In a memory plugin, this is especially sensitive because conversations often contain secrets, personal data, or confidential context that users may not expect to be retained persistently.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The lockfile includes @qdrant/js-client-rest, which indicates the skill may communicate with a Qdrant server over HTTP despite the description claiming 'fully local, no API keys'. This is a security-relevant trust and data-handling mismatch because users may provide sensitive conversation context assuming it never leaves the local environment, while a REST-backed vector store can send that data to another process, container, host, or network endpoint if configured.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The changelog advertises automatic conversation recording and automatic memory injection, both of which can materially affect user privacy and prompt/data flow, but it does not clearly warn users about the data sensitivity and behavioral consequences of enabling these features. In a memory skill, these capabilities can lead to unintended retention of sensitive conversation content and reintroduction of prior context into later prompts, increasing privacy leakage and prompt-injection surface.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
Automatic capture combined with optional persistent disk storage occurs without any user-facing confirmation or warning. This undermines informed consent and can lead to silent retention of sensitive user content, especially in a tool specifically designed to remember conversational context.

Missing User Warnings

Severity: Low
Confidence: 86%
Finding
Downloading model data at runtime without user-facing disclosure is a transparency and privacy issue because it performs unexpected network activity. While not directly a code-execution flaw, it can violate user expectations in restricted or sensitive environments.

VirusTotal

66/66 vendors flagged this skill as clean.