Back to plugin

Security audit

Nessie

Security checks across malware telemetry and agentic risk

Overview

This Nessie connector appears legitimate, but it can access sensitive personal and team context and can modify or delete Nessie data, so users should review its scope before installing.

Install only if you want OpenClaw connected to Nessie as a durable memory layer. Before enabling it for a team, confirm which Nessie sources are shared, who can read teammate sessions, and whether agents should ask before saving or updating contexts. Treat delete operations as sensitive even though the skill says conversation deletion is previewed and recoverable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The manifest and top-level description present the skill as a search/read interface, but the body explicitly instructs the agent to perform write operations such as creating or updating contexts. That mismatch undermines least-privilege and informed consent: a host or user may enable the skill expecting read-only behavior while the agent is guided to persist data changes.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill description says it searches and reads the user's library, but later documents destructive operations including deleting synced conversations. This is dangerous because operators may authorize the skill under a read-only trust model while the instructions enable irreversible or hard-to-audit data removal.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation guidance is so broad that many normal requests about prior work, notes, projects, or relationships could trigger the skill automatically. In this context, broad triggering is risky because the skill can access sensitive personal and team-shared memory sources, increasing the chance of over-collection or use without clear user intent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Telling the agent to treat the user's natural-language request as the interface, without firm boundaries, encourages implicit invocation for loosely related prompts. Because the skill reaches into saved contexts, transcripts, and team-shared sources, unclear triggering materially raises privacy and scope-creep risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill text mentions team scope and reading teammate sessions, but the user-facing description does not prominently warn that teammate-shared sources may be searched and read. That weak disclosure is dangerous in a memory skill because users may ask innocent first-person questions and not realize shared team data could be pulled in by default.

VirusTotal

65/65 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
index.js:140
Evidence
apiKey = resolveApiKeyFromMcpServer(server) || process.env.NESSIE_API_KEY || "";