Is alekhm/aister-vector-memory safe?
https://github.com/openclaw/skills/tree/main/skills/alekhm/aister-vector-memory
This skill is a legitimate vector memory system for semantic search using PostgreSQL, pgvector, and a HuggingFace embedding model. No malicious code or active exploitation was detected. However, it carries meaningful risk: it requires root privileges for installation, runs a persistent background service, indexes user memory files into a database, and has a configurable embedding URL that could be redirected for data exfiltration if environment variables are tampered with.
Findings (10)
HIGH Requires root/sudo privileges for installation -12
INSTALL.md instructs users to run sudo to install system packages (postgresql-16-pgvector) and to create the PostgreSQL database and extension. These steps give the installation process elevated access to the entire system; they should be run by hand, with each command reviewed, rather than pasted from the document unread.
HIGH Persistent background Flask web service -10
embedding_service.py runs as a persistent background daemon via nohup, bound to port 8765. Although it binds to 127.0.0.1 (localhost only), so it is not reachable from the network, any process or user on the same host can reach it, and it keeps running indefinitely, which enlarges the persistent attack surface.
MEDIUM Configurable embedding URL enables potential exfiltration -12
The EMBEDDING_SERVICE_URL environment variable defaults to http://127.0.0.1:8765 but can be changed to any URL. If it is redirected to an external server, all user memory content sent for embedding generation is transmitted off-host; using HTTPS would not help, because the risk is the destination, not the transport. This is a design risk rather than active exploitation.
MEDIUM User memory files read and stored in database -8
memory_reindex.py reads MEMORY.md, IDENTITY.md, and USER.md from the user's workspace directory, chunks them, and stores full text content in PostgreSQL. These files may contain personal preferences, conversation history, and private information.
MEDIUM Shell configuration modification for autostart -5
INSTALL.md instructs users to append a process-checking autostart block to ~/.bashrc, permanently modifying the user's shell environment to launch the embedding service on every login.
MEDIUM Combination attack vector with environment-modifying skills -15
If another installed skill can modify environment variables or the ~/.config/vector-memory/env file, it could silently redirect the embedding service URL to an attacker-controlled server, enabling exfiltration of all indexed user memory content without any visible change in behavior.
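The two URL findings above describe the same failure: a tampered EMBEDDING_SERVICE_URL quietly moves memory content off-host. The guard below is an added example, not code from the aister-vector-memory skill. It assumes the skill reads the URL from the environment first and then from ~/.config/vector-memory/env (a KEY=VALUE file, an assumed layout), and that a caller such as memory_reindex.py would invoke the hypothetical resolve_embedding_url() before posting any chunk for embedding. It refuses anything that is not a loopback http URL, including userinfo tricks like http://127.0.0.1@evil.example, and checks that the env file cannot be rewritten by other local users.

```python
"""Loopback-only guard for EMBEDDING_SERVICE_URL (added example, not skill code)."""
import ipaddress
import os
import stat
from urllib.parse import urlparse

DEFAULT_URL = "http://127.0.0.1:8765"  # default named in the finding
ENV_FILE = os.path.expanduser("~/.config/vector-memory/env")  # path named in the finding


def is_loopback_url(url: str) -> bool:
    """True only for http://<loopback host>[:port]/... URLs.

    Any other scheme, a non-loopback IP, or a DNS name other than
    'localhost' is rejected: a name could resolve anywhere, and the
    embedding service named in the report is plain HTTP on 127.0.0.1.
    """
    parsed = urlparse(url)
    host = parsed.hostname  # strips userinfo, port and IPv6 brackets
    if parsed.scheme != "http" or not host:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def parse_env_file(text: str) -> dict:
    """Parse KEY=VALUE lines; blank lines and # comments are ignored.
    Assumed file shape; the skill's real parser is not on the page."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"').strip("'")
    return values


def env_file_is_private(path: str = ENV_FILE) -> bool:
    """The env file must belong to the caller and not be group/world
    writable; otherwise another local process could rewrite the URL."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return True  # nothing to tamper with; the default URL applies
    if st.st_uid != os.getuid():
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def resolve_embedding_url(environ: dict, env_file_text: str = "") -> str:
    """Return the URL to post chunks to, or raise if it would leave the host.
    Precedence (assumed): process environment, then env file, then default."""
    url = (environ.get("EMBEDDING_SERVICE_URL")
           or parse_env_file(env_file_text).get("EMBEDDING_SERVICE_URL")
           or DEFAULT_URL)
    if not is_loopback_url(url):
        raise ValueError(f"refusing non-loopback EMBEDDING_SERVICE_URL: {url}")
    return url


if __name__ == "__main__":
    # Constructed env file contents simulating the tampering scenario.
    tampered = "# redirected by another skill\nEMBEDDING_SERVICE_URL=http://203.0.113.9:8765\n"
    print(resolve_embedding_url({}, ""))  # default loopback URL is accepted
    try:
        resolve_embedding_url({}, tampered)
    except ValueError as exc:
        print("blocked:", exc)
    print("env file private:", env_file_is_private())
```

The check sits on the sending side on purpose: a redirect shows no visible change in behaviour, so the only place to catch it is immediately before the memory text leaves the process.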
LOW First-run model download from HuggingFace -5
On first execution, sentence-transformers downloads the intfloat/e5-large-v2 model (~1.3GB) from HuggingFace. This is legitimate ML behavior but introduces supply-chain trust in the model hosting platform; pinning a specific model revision rather than pulling whatever the default branch currently serves limits that exposure.
LOW External social media link in documentation -5
SKILL.md and README.md include a link to https://www.moltbook.com/u/Aister encouraging users to 'follow Aister on Moltbook'. While not a prompt injection, it introduces an external reference in skill documentation.
INFO Ecosystem integration references -5
SKILL.md states 'This skill is integrated with AGENTS.md and TOOLS.md' suggesting it expects to operate within a broader Aister ecosystem. These files are not included in the skill, so no direct injection occurs.
INFO Clean installation with no anomalous behavior -5
Installation monitoring showed no unexpected network connections, process spawning, or filesystem modifications outside expected paths. All network activity traced to OS-level services and GitHub clone.