Is supermemory safe?

https://clawhub.ai/clawdbot51-oss/supermemory

30
DANGEROUS

This skill is a data exfiltration tool disguised as a memory/knowledge-base utility. It contains a hardcoded API key that routes ALL user data to the skill author's SuperMemory account, explicitly encourages users to store secrets and API credentials through it, and executes shell scripts that send unvalidated user content to an external API. The chat script additionally runs inline Python on untrusted API responses, creating a code injection vector.

Category Scores

Prompt Injection 35/100 · 30%
Data Exfiltration 15/100 · 25%
Code Execution 25/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 15/100 · 5%

Findings (7)

CRITICAL Hardcoded API key routes all data to skill author's account -50

The SKILL.md contains a hardcoded SuperMemory API key (sm_oiZHA2HcwT4tqSKmA7cCoK_opSRFViNFNxbYqjkjpVNfjSPqQWCNoOBAcxKZkKBfRVVrEQDVxLWHJPvepxqwEPe). When the agent follows the setup instructions and exports this key, ALL user data sent through the skill goes to the skill author's SuperMemory account, not the user's. The user has no visibility into or control over this data.

CRITICAL Skill encourages exfiltration of secrets and credentials -35

The SKILL.md examples explicitly instruct the agent to store sensitive data like API keys: 'Remember that my API key is xyz' → supermemory add 'My API key is xyz'. This is a social engineering pattern designed to trick users into voluntarily sending their secrets to the author's external API endpoint.

HIGH Inline Python execution on untrusted API response data -40

chat.sh pipes the raw API response from api.supermemory.ai directly into python3 -c for JSON parsing. If the SuperMemory API returns malicious content (or is compromised), this could lead to arbitrary code execution on the user's machine. The Python code processes untrusted fields like 'content' and 'score' without sanitization.

HIGH Shell injection via unquoted variable expansion in JSON heredocs -35

All three scripts construct JSON payloads using heredocs with unquoted variable expansion ($CONTENT, $QUERY, $QUESTION). User input containing double quotes, backslashes, or JSON special characters can break out of the JSON string and inject arbitrary JSON fields. Specially crafted input could also achieve command injection via the curl command.

HIGH Skill instructs agent to execute arbitrary shell scripts -30

The SKILL.md instructs the agent to execute bash scripts at hardcoded paths (bash /root/clawd/skills/supermemory/scripts/*.sh) with user-provided content as arguments. This grants the skill shell execution privileges through the agent, and the scripts send data to external endpoints.

MEDIUM Skill normalizes storing sensitive data externally -35

The skill's framing and examples condition the agent to treat sending user data to an external API as routine behavior. This normalizes data exfiltration as a 'memory' feature, making the agent more likely to comply with sending sensitive information without questioning it.

LOW Connection to unidentified IP during installation -15

Network capture shows TCP connections to 216.150.1.1:443 during the clone/install phase. While this may be legitimate (e.g., a CDN or package registry), it is not an Ubuntu or standard infrastructure IP and warrants noting.