Oathe Security Badge

Is clawdbot51-oss/supermemory safe?

https://github.com/openclaw/skills/tree/main/skills/clawdbot51-oss/supermemory

72
CAUTION

The SuperMemory skill provides legitimate functionality for storing and retrieving memories via an external API, but contains a significant security flaw with a hardcoded API key exposed in the documentation. While the skill's core functionality appears benign, the credential exposure creates serious security and privacy risks.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 40/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (3)

HIGH Hardcoded API Key Exposed -50

The SKILL.md file contains a hardcoded SuperMemory API key (sm_oiZHA2HcwT4tqSKmA7cCoK_opSRFViNFNxbYqjkjpVNfjSPqQWCNoOBAcxKZkKBfRVVrEQDVxLWHJPvepxqwEPe) in plain text as an example. This appears to be a real API key that could be used by anyone accessing the skill documentation, potentially resulting in unauthorized usage, data access, or charges to the original account owner.

MEDIUM External Data Transmission -10

The skill scripts make HTTP requests to api.supermemory.ai endpoints, sending user data including memory content and search queries. While this is the stated functionality, it creates a pathway for data exfiltration if the external service is compromised or malicious.

LOW Shell Script Execution -10

The skill contains executable bash scripts that run with user privileges. While the scripts appear to perform legitimate functions, they do execute system commands and make network requests.