Is benos-memory-core safe?
https://clawhub.ai/benmjohnson69/benos-memory-core
benos-memory-core is a minimal stub skill with virtually no executable logic: its index.js returns a static success message, and the SKILL.md defines a simple JSON schema for agent session state. No prompt injection, data exfiltration, or malicious behavior was detected. The two remaining concerns are the native entry point, which a future update could weaponize because the host runs it automatically, and the persisted state file, which can steer agent behavior across sessions.
Findings (8)
LOW Home directory file path in SKILL.md (-10)
The SKILL.md instructs the agent to read and write state at ~/.openclaw/workspace/benos/runtime/state.json and related files under benos/runtime/. This stays within a designated workspace, but it is a path under the user's home directory, and whatever is stored there is read back in later sessions, so the file contents can shape agent behavior.
LOW Encourages direct file editing by agent (-5)
SKILL.md tells the agent to 'Edit files directly for manual repairs or migration as needed', a broad license for filesystem writes in the runtime directory with no specific guardrails such as a schema or size check before the write.
LOW Native entry point with stub implementation (-15)
The skill registers as type 'native' with an index.js entry point that the host runtime executes. The current implementation is a harmless stub, but the native execution pathway means a future update could introduce arbitrary code that runs automatically on load. Pinning the installed version, or the content hash of index.js, and re-reviewing on any change is the practical control.
INFO Minimal code with no dependencies (0)
The skill contains only a single index.js file with 9 lines of code, no package.json dependencies, no build scripts, and no external imports. The attack surface is very small.
LOW State schema could store sensitive session data (-10)
The defined schema includes the fields activeInitiatives, openLoops, recentDecisions, and notes. Depending on what the agent stores there, the file can accumulate sensitive user data that persists on disk unencrypted, protected only by the filesystem permissions on the home directory.
INFO Single expected registry connection during install (0)
The only non-local network connection during installation was to 216.150.1.1:443, consistent with the ClawHub registry download. No unexpected connections were observed.
LOW Potential for state-based agent manipulation in future versions (-20)
As a 'memory core' module, this skill influences agent behavior across sessions through stored state. The current version is benign, but a malicious update could pre-populate state.json with crafted instructions that steer agent decisions (for example, poisoned recentDecisions or notes entries), and anything else with write access to the runtime directory could do the same. Treating the stored state as untrusted input, checked against the schema before the agent reads it, limits both paths.
INFO Lock file references different skill name (-10)
The .clawhub/lock.json references 'academic-research-hub' rather than 'benos-memory-core', suggesting the lock file was inherited from a previous install or a shared workspace. This is likely a platform artifact rather than a security concern, but the lock file's pinned entries should not be relied on for this skill until it has been regenerated.