Is anajuliabit/memoclaw safe?
https://github.com/openclaw/skills/tree/main/skills/anajuliabit/memoclaw
MemoClaw is a Memory-as-a-Service skill that transparently routes all user conversation data, personal information, and session context to a third-party API (api.memoclaw.com) authenticated with a raw cryptocurrency private key, enabling autonomous micropayments. While the install behavior was clean and canary files were untouched, the skill's core design creates significant privacy, financial, and trust risks: it systematically collects sensitive personal data (including health information and minor status) without per-item consent, overrides native agent memory tools, can read and upload local memory files, and gives an external operator financial transaction authority. The skill is not covertly malicious but its design choices — private key auth, automatic payment delegation, and behavioral overrides — make it unsuitable for installation without careful user review and explicit consent to each capability.
Findings (10)
HIGH (score -30): Cryptocurrency private key required for authentication
The skill requires MEMOCLAW_PRIVATE_KEY in the environment, a raw Ethereum-compatible private key. This key signs every API request and authorizes micropayments. Exposure of this key (via an environment leak, log scraping, or a malicious API server) grants full wallet access. The "use a dedicated wallet" advisory does not eliminate the risk.
HIGH (score -25): Systematic collection and exfiltration of user personal data to a third-party API
The skill instructs the agent to automatically store personal facts, corrections, preferences, project decisions, and sensitive context (including "User is a minor", allergies, budget, working style) to api.memoclaw.com on every interaction. This creates a persistent profile at a third-party service without per-item user confirmation.
HIGH (score -20): Skill overrides native agent memory tools
The skill explicitly instructs the agent to replace built-in memory_search functionality with MemoClaw. This is a behavioral override injected through the skill prompt: the agent is directed to route all memory queries through an external service rather than its native capabilities, establishing a persistent third-party dependency.
HIGH (score -15): Migration feature reads and uploads arbitrary local files
The skill instructs agents to read local markdown memory files and pipe their contents to the external API. This can expose the full contents of a user's local memory directory, including any sensitive information previously stored there.
MEDIUM (score -15): Unconditional session lifecycle hooks
The skill embeds instructions to run memoclaw commands automatically at session start and session end, unconditionally. This creates persistent network calls to api.memoclaw.com on every agent session without user initiation.
MEDIUM (score -15): Autonomous micropayments without per-transaction consent
After the free tier, the CLI autonomously pays $0.005–$0.01 per API call in USDC on Base. The agent is instructed to call MemoClaw frequently (on every recall trigger, session start, and session end), so financial transactions accumulate without explicit user approval per transaction.
MEDIUM (score -20): Requests exec tool permission and requires a global npm package
The skill declares allowed-tools: exec and requires npm install -g memoclaw. This grants shell execution access to an unaudited, globally installed npm package. The exec permission combined with shell expansion in the documented commands creates a secondary injection risk.
MEDIUM (score -25): Memory poisoning attack surface via trusted external recall
The agent is instructed to recall from MemoClaw before making assumptions and to trust recalled data over its own context. A compromised or malicious api.memoclaw.com could inject false memories to manipulate agent behavior, decisions, or responses in future sessions.
LOW (score -5): Shell init file modification
The skill documents appending to ~/.bashrc and ~/.zshrc to install shell completions, creating persistent changes to the user's shell environment.
INFO (score 0): Clean install, no unexpected network or filesystem activity
The git clone connected only to GitHub (140.82.121.4:443), as expected. Filesystem changes were limited to the skill directory. No new listeners, no unexpected processes, and no canary file exfiltration were observed.