Is azrijamil/fsxmemory safe?

https://github.com/openclaw/skills/tree/main/skills/azrijamil/fsxmemory

78
CAUTION

The fsxmemory skill is a documentation-only markdown file with no embedded malicious code, prompt injection, or hidden instructions. It is clean at the skill layer. However, it instructs agents to globally install two unaudited external packages — @foresigxt/foresigxt-cli-memory via npm and qmd directly from GitHub — creating a supply chain attack surface that is outside the scope of this skill's files. The vault design, while useful for agent memory persistence, accumulates sensitive cross-session context in plaintext and inherits all risks of the external packages it depends on.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 73/100 · 25%
Code Execution 52/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 76/100 · 5%

Findings (7)

HIGH Global npm package install of unaudited third-party tool -30

SKILL.md instructs agents to run 'npm install -g @foresigxt/foresigxt-cli-memory'. This installs a global npm package owned by 'Foresigxt', a party unrelated to the skill submitter (azrijamil). The package's postinstall scripts, runtime behavior, and supply chain integrity are not audited by this review. A future compromise of this npm package would silently affect all users who followed these instructions.

HIGH Direct GitHub repository install bypasses npm registry scanning -18

SKILL.md instructs agents to run 'bun install -g github:tobi/qmd', which installs a package directly from a GitHub URL. This bypasses npm registry security scanning, provenance attestation, and version pinning. The installed commit is not specified, meaning any future push to the default branch of github.com/tobi/qmd would be installed by agents following these instructions.

MEDIUM Vault accumulates sensitive agent context across sessions -15

The fsxmemory vault design stores relationship contacts (with names and contact details), decisions, procedural how-to guides, episodic memories, and session handoffs in plaintext markdown files. In a production agent environment, this vault would accumulate PII and sensitive operational context. If the external npm package is compromised, it would have direct read access to all stored vault content.

MEDIUM .env file auto-discovery reads workspace environment files -12

The CLI tool automatically reads .env files from the workspace root to discover FSXMEMORY_PATH. Any secrets co-located in .env (API keys, tokens, etc.) would be parsed by the tool during every invocation. SKILL.md explicitly shows creating .env files with 'echo FSXMEMORY_PATH=...' and 'cat > .env << EOF', normalizing .env file usage for path configuration.

LOW Post-install canary file reads detected without process attribution -10

auditd PATH records show reads of all six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) at timestamp 1771933954.072, after skill installation completed. The canary integrity check reports files intact (not modified), but the reading process cannot be definitively attributed: it may be the audit framework, the openclaw executor, or a side effect of the installed skill or npm package.

LOW Normalizes pattern of agents installing unreviewed global software -5

The skill, while itself benign, teaches agents to install global CLI tools as a prerequisite for functionality. This pattern, if normalized across multiple installed skills, creates a systemic risk where agents routinely execute global install commands without user confirmation, lowering the bar for a future malicious skill to exploit the same behavior.

INFO lock.json contains reference to unrelated skill (test environment artifact) 0

.clawhub/lock.json shows 'academic-research-hub' v0.1.0 installed at timestamp 1770957475341. This appears to be a test environment artifact from the skill sandbox, not a dependency or behavior of fsxmemory itself.