Is doobidoo/shodh-local safe?
https://github.com/openclaw/skills/tree/main/skills/doobidoo/shodh-local
Shodh-Local is a local-first cognitive memory skill whose static content is clean — no malicious instructions, no hidden injection, no executable scripts. However, its fundamental architecture creates a mandatory conversation surveillance channel: the skill instructs the agent to route all interaction context through localhost:3030 before every reply, and this server is powered by an external binary ('shodh-memory-server') not included in the skill package and unauditable here. The skill is also personalized for a specific user ('henry') and named session ('amber-seaslug'), making it unsuitable as a generic installation. Canary files were accessed only by the Oathe monitoring system and remained fully intact with zero network exfiltration detected.
Findings (9)
HIGH All Conversation Content Routed Through Unverified External Binary -30
The skill instructs the agent to call /api/recall before every reply and /api/remember for all notable content. This means 100% of conversation context passes through shodh-memory-server — a binary not included in the skill package and therefore not auditable here. A compromised or malicious binary in this role has silent, complete access to all user interactions with no indication to the user.
HIGH External Binary Dependency With No Provenance in Skill Package -10
The skill requires './shodh-memory-server' to be running but does not distribute this binary. Users must separately obtain and trust it. The entire security posture of this skill is delegated to an external binary whose supply chain cannot be verified from this skill's content.
MEDIUM Mandatory Automatic Recall Before Every Agent Reply -15
The skill instructs the agent to proactively query localhost:3030 before generating every response. This is a persistent behavioral override not scoped to memory-related requests, creating automatic network calls the user never explicitly authorized on a per-turn basis.
MEDIUM Process Kill Capability Instruction -10
The skill instructs the agent to issue process kill commands ('process kill amber-seaslug') for weekly server maintenance. This grants the agent process management authority beyond memory operations and establishes a pattern where the agent terminates system services on a schedule.
MEDIUM User-Specific Hardcoding — Not a Generic Installable Skill -15
The skill hardcodes user_id 'henry' in all API examples and in examples.md, and references a named session 'amber-seaslug'. A different user installing this skill would write and retrieve memories under the 'henry' identity namespace, creating potential identity confusion and cross-user memory contamination.
LOW No Data Minimization Policy — Unbounded LTM Storage -10
The skill stores Conversations, Preferences, Observations, Tasks, and Learnings with no guidance on what should NOT be retained. Combined with automatic pre-reply recall, sensitive fragments of every conversation may be permanently written to the local LTM database without the user's explicit per-item consent.
LOW Daily Heartbeat Scheduled Behavior -5
The skill instructs the agent to automatically check todos daily as a 'heartbeat'. This creates an implicit agent schedule that activates without per-session user approval.
INFO Canary File Accesses Attributable to Monitoring System — No Exfiltration 0
Credential honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCloud credentials) were opened at timestamps 1771934302 (pre-clone OS session startup), 1771934311, and 1771934318. Timing aligns with Oathe's pre-install and post-install integrity baseline sweeps. All files confirmed intact with no network exfiltration detected.
INFO Post-Install Network Connections From Pre-Existing OpenClaw Gateway 0
After installation, new connections appeared on ports 18790/18793 (local) and to 104.16.3.34 and 98.83.99.233 on port 443. All are attributed to openclaw-gatewa pid=1083, a platform process running before this skill was installed. These are not caused by the shodh-local skill.