Is dcprevere/org-memory safe?

The SKILL.md explicitly instructs the agent 'Don't ask for confirmation on shortcuts — just do it' for the 'Remember:' and 'Note:' trigger patterns. While each write produces a visible 'org-memory: ' log line, this design removes the confirmation step that would otherwise allow the user to catch misfire or injected writes. In a hostile environment where the agent processes external content (web pages, emails, PDFs, other skill outputs), an attacker can craft content containing 'Remember: [arbitrary text]' to silently persist data into the agent's long-term knowledge base, poisoning future reasoning across all sessions that load org-memory.

The skill requires the 'org' CLI binary installed separately from a third-party GitHub repository (github.com/dcprevere/org-cli). This binary is not part of the skill package and was not evaluated in this audit. A compromised build, a supply chain attack on the releases page, or a malicious fork could cause the binary to read sensitive files, exfiltrate data over the network, or execute arbitrary code while appearing to perform normal org-file operations. Users should independently vet the org-cli binary before installation.

When org-memory is installed alongside skills that fetch web content, process emails, or read documents, the no-confirmation shortcut pattern creates a complete prompt injection attack chain. An attacker who controls a webpage, document, or email the agent reads can embed 'Remember: [instruction]' payloads that will be automatically written into the agent's org-roam knowledge graph and recalled in all future sessions. This is a cross-skill attack surface that does not require compromising org-memory itself.

The batch operations feature executes multiple mutations against in-memory state and writes only if all succeed. While this is a sound transactional design, it means a single injected batch command could atomically mark tasks done, add tags, reschedule items, and append notes across the human's org files in one operation with no per-step confirmation. The blast radius of a single malicious batch invocation is limited only by the number of commands in the JSON payload.

The 'org search' and 'org agenda' commands scan all files within the configured ORG_MEMORY_HUMAN_DIR and ORG_MEMORY_AGENT_DIR without path restriction. If users store sensitive information in org format (passwords in drawers, API keys in notes, confidential meeting notes) within these directories, that content will be surfaced to the agent and included in its context window, where it could be leaked via other skills or included in model outputs.

The install process connected exclusively to GitHub (140.82.121.4:443) to perform the sparse git clone of the openclaw/skills monorepo. Ubuntu motd-news traffic to 185.125.188.54 is a pre-existing background system service unrelated to the skill. No connections to unexpected or attacker-controlled endpoints were observed during install.

Filesystem monitoring shows read-only opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json. Cross-referencing auditd timestamps confirms these accesses occurred at 1771927869 (pre-install, audit framework canary setup) and 1771927893 (post-install, audit framework integrity verification). All file opens carried CLOSE_NOWRITE flags. The skill itself contains no instructions to access these paths.