Is memory-hygiene safe?
https://clawhub.ai/dylanbaker24/memory-hygiene
memory-hygiene is a markdown-only skill with no executable code or exfiltration mechanisms, but it instructs the agent to perform destructive operations (rm -rf on home directory contents), modify gateway configuration, and install autonomous cron jobs. The skill also normalizes storing credential locations in vector memory and creates a memory poisoning vector through its wipe-and-reseed-from-MEMORY.md pipeline. While likely authored with benign intent, the patterns it establishes carry meaningful risk in a multi-skill environment.
Findings (9)
HIGH Destructive rm -rf command targeting user home directory -20
The skill instructs the agent to execute 'rm -rf ~/.clawdbot/memory/lancedb/', a recursive forced deletion of a directory under the user's home. While scoped to the memory directory, this pattern normalizes destructive shell commands in skill prompts, and small changes to the path widen the blast radius: if the same command is later written with a path variable, an empty or unset variable turns 'rm -rf "$DIR/"' into 'rm -rf /', and a symlink at the target redirects the recursive delete elsewhere. The agent is instructed to run this without an explicit user-confirmation step.
MEDIUM Autonomous cron job installation for recurring destructive operations -15
The skill instructs the agent to add a cron job that runs monthly at 4 AM to wipe the entire LanceDB memory directory and reseed it. This creates a persistent autonomous process that operates without per-execution user consent. If the MEMORY.md file is later compromised or modified, the monthly reseed would propagate attacker-controlled content into the agent's memory.
MEDIUM Gateway configuration modification via config.patch -10
The skill instructs the agent to modify the gateway configuration to disable autoCapture. While the stated purpose is benign (reducing junk memory), this demonstrates the skill's ability to alter system-level agent configuration. A malicious variant could disable security-relevant settings.
MEDIUM Encourages storing credential locations in agent memory -15
The 'What to Store' section explicitly lists 'credentials locations' as a recommended memory category. This normalizes placing sensitive security-relevant information into the vector database where it could be surfaced by memory_recall from any active skill or future conversation context.
LOW Wildcard memory recall exposes all stored data -10
The audit command uses memory_recall query='*' limit=50 which retrieves all stored memories without filtering. In a multi-skill environment, this could expose sensitive data stored by other skills or user interactions to the current conversation context.
LOW Memory poisoning vector via MEMORY.md reseed pipeline -35
The monthly cron job reseeds agent memory from MEMORY.md. If an attacker gains write access to MEMORY.md (via another skill, compromised repo, or social engineering), they gain persistent influence over the agent's recalled context. The wipe-and-reseed cycle means the attacker's content replaces all prior legitimate memories.
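The destructive delete, the cron reseed and the poisoning findings above all come down to the same missing guards: the delete target is never checked, and MEMORY.md is trusted unconditionally. The following is an added example (not code from the memory-hygiene skill or from OpenClaw) of what a guarded wipe-and-reseed step looks like. It assumes the memory directory layout quoted in the findings, a MEMORY.md whose '- ' bullets are the memory entries, and a JSON file standing in for the real LanceDB ingestion; the hypothetical SHA-256 pin is the user's own record of the MEMORY.md they reviewed.

```python
"""Guarded wipe-and-reseed for an agent memory directory.

Added example, not code from the memory-hygiene skill or from OpenClaw. It
shows the two guards the unguarded 'rm -rf ~/.clawdbot/memory/lancedb/' plus
reseed-from-MEMORY.md cron step lacks: the delete target is checked to be
exactly $HOME/.clawdbot/memory/lancedb (no symlink, no empty or altered path
variable), and MEMORY.md is checked against a SHA-256 pin before anything is
deleted. Assumptions: the directory layout above, a MEMORY.md whose '- '
bullets are the memory entries, and a JSON file standing in for the real
LanceDB ingestion, which is out of scope here.
"""
import hashlib
import json
import shutil
from pathlib import Path

# Assumed from the skill text: the memory store lives at $HOME/<this suffix>.
EXPECTED_SUFFIX = Path(".clawdbot") / "memory" / "lancedb"


class RefusedError(RuntimeError):
    """A guard refused the destructive step; nothing was modified."""


def check_memory_dir(mem_dir: Path, home: Path) -> Path:
    """Return mem_dir resolved, only if it is exactly $HOME/EXPECTED_SUFFIX.

    Catches the cases the HIGH finding worries about: a literal '~' that was
    never expanded, an empty path variable that turns the target into '/',
    and a symlink that points the recursive delete somewhere else.
    """
    if mem_dir.is_symlink():
        raise RefusedError(f"{mem_dir} is a symlink; refusing to recurse through it")
    resolved = mem_dir.resolve()
    expected = (home / EXPECTED_SUFFIX).resolve()
    if resolved != expected:
        raise RefusedError(f"{resolved} is not {expected}; refusing to delete")
    if not resolved.is_dir():
        raise RefusedError(f"{resolved} is not a directory")
    return resolved


def verify_seed(seed_path: Path, pinned_sha256: str) -> bytes:
    """Return MEMORY.md bytes only if their SHA-256 matches the pin.

    The pin must be stored where skills cannot write (for example a
    root-owned file the user updates after reviewing MEMORY.md); otherwise
    whoever can edit MEMORY.md can also move the pin.
    """
    data = seed_path.read_bytes()
    if hashlib.sha256(data).hexdigest() != pinned_sha256:
        raise RefusedError("MEMORY.md changed since it was pinned; not reseeding")
    return data


def parse_seed(text: str) -> list[str]:
    """Assumed seed format: each '- ' bullet in MEMORY.md is one memory entry."""
    return [line[2:].strip() for line in text.splitlines() if line.startswith("- ")]


def wipe_and_reseed(mem_dir: Path, seed_path: Path, pinned_sha256: str, home: Path) -> int:
    """Empty the memory dir and reseed it from MEMORY.md; returns entries written."""
    target = check_memory_dir(mem_dir, home)
    # Verify BEFORE deleting, so a tampered seed cannot leave the agent with
    # an empty memory either.
    seed = verify_seed(seed_path, pinned_sha256)
    for child in target.iterdir():  # delete the contents, keep the directory
        if child.is_dir() and not child.is_symlink():
            shutil.rmtree(child)
        else:
            child.unlink()
    entries = parse_seed(seed.decode("utf-8"))
    (target / "seed.json").write_text(json.dumps(entries))  # stand-in for the LanceDB write
    return len(entries)
```

Point the cron entry at a script like this instead of a bare 'rm -rf' so a failed guard exits non-zero and leaves the previous memory intact, and keep the pin outside the tree that the agent and its skills can write.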
LOW Normalizes destructive operations pattern for agent skills -35
This skill establishes a pattern where skills can instruct agents to run rm -rf, modify configs, and install cron jobs. Even if this specific skill is benign, it lowers the agent's resistance to similar instructions from malicious skills.
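Because the skill is markdown only, every pattern in these findings is visible in the prompt text itself and can be flagged before installation. The following lint is an added example (not the ClawHub scanner's own code and nothing from the skill) that runs over a SKILL.md and reports the instruction patterns described above. The sample skill text embedded in it is constructed here to approximate those instructions, and the regular expressions are assumptions about how such instructions are phrased.

```python
"""Static lint for markdown-only agent skills.

Added example; not the ClawHub scanner, not the memory-hygiene skill. It flags
the instruction patterns from the findings above in a SKILL.md: recursive rm
aimed at ~, a shell variable or an absolute path; cron installation; gateway
config patching; advice to store credential locations; and wildcard
memory_recall. The regexes are assumptions about how such instructions are
phrased and should be tuned to a real skill corpus.
"""
import re
import sys
from dataclasses import dataclass

SEVERITY_ORDER = ["INFO", "LOW", "MEDIUM", "HIGH"]


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    line_no: int
    excerpt: str


# (severity, rule id, pattern). Each rule is applied to every line of the skill.
RULES = [
    # rm with an -r flag whose first target is ~, $VAR or an absolute path
    # (an empty $VAR is the 'rm -rf /' case; ./relative paths are not flagged).
    ("HIGH", "destructive-rm", re.compile(
        r"\brm\s+(?:-\S+\s+)*-[a-zA-Z]*[rR][a-zA-Z]*\s+(?:-\S+\s+)*(?:--\s+)?[\"']?(?:~|\$|/)")),
    # 'crontab', prose like 'add a cron job', or a bare five-field cron line.
    ("MEDIUM", "cron-install", re.compile(
        r"\bcrontab\b|\bcron\b.*\b(job|entry|schedule)|^\s*(?:[\d*/,-]+\s+){5}\S", re.I)),
    ("MEDIUM", "config-patch", re.compile(r"\bconfig\.patch\b|\bgateway\b.*\bconfig", re.I)),
    ("MEDIUM", "credential-storage", re.compile(
        r"\b(credential|secret|token|api[ _-]?key)s?\b.*\b(location|path|store|remember)", re.I)),
    ("LOW", "wildcard-recall", re.compile(r"memory_recall\b[^\n]*query\s*=\s*['\"]\*['\"]")),
]


def scan_skill(markdown: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, in document order."""
    findings = []
    for line_no, line in enumerate(markdown.splitlines(), 1):
        for severity, rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(severity, rule, line_no, line.strip()[:80]))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    """Highest severity present, or 'NONE' for a clean skill."""
    if not findings:
        return "NONE"
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index)


# Constructed sample approximating the instructions the findings describe;
# this is not the skill's actual text.
SAMPLE_SKILL_MD = """\
# memory-hygiene (constructed sample)

## What to store
- user preferences
- project conventions
- credentials locations

## Monthly reset
Run: rm -rf ~/.clawdbot/memory/lancedb/
Then reseed from ~/.clawdbot/MEMORY.md.
Add a cron job so this happens automatically:
0 4 1 * * ~/.clawdbot/scripts/reset-memory.sh

## Reduce junk
Use config.patch to set memory.autoCapture to false.

## Audit
memory_recall query='*' limit=50
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SKILL_MD
    for f in scan_skill(text):
        print(f"{f.severity:<6} {f.rule:<20} L{f.line_no}: {f.excerpt}")
    print("worst:", worst_severity(scan_skill(text)))
```

Run it with a SKILL.md path as the only argument, or with no argument to lint the constructed sample; the scan is line based on purpose, so a finding always points at the exact instruction a reviewer needs to read.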
INFO Gateway process accesses sensitive files during install -10
The filesystem monitoring shows the openclaw gateway reading .env, .aws/credentials, auth-profiles.json, and openclaw.json during the skill installation process. This is the gateway's normal startup behavior (not caused by the skill), but it confirms that sensitive files exist and are accessible in the environment.
INFO No executable code or install-time hooks -15
The skill contains only markdown content with no executable scripts, npm install hooks, git hooks, submodules, or symlinks. All potentially dangerous operations are instructions to the agent, not code that runs automatically.