Is forvendettaw/three-tier-memory-v2 safe?

https://github.com/openclaw/skills/tree/main/skills/forvendettaw/three-tier-memory-v2

Overall score 88/100 (weighted from the category scores below) · Verdict: SAFE

This skill is a three-tier memory management system (sliding window, summarization, vector RAG) implemented as a Python script with local JSON and ChromaDB storage. No prompt injection, malicious code, network exfiltration, or canary tampering was detected. The primary risks are architectural: the skill accumulates all conversation history indefinitely by design, creating a persistent privacy-sensitive data store that becomes a high-value exfiltration target if combined with other skills. A developer-leaked macOS home path and unvalidated WORKSPACE_DIR environment variable represent quality and minor security hygiene issues.

Category Scores (score/100 · weight in the overall score)

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 92/100 · 10%
Behavioral Reasoning 73/100 · 5%

Findings (7)

HIGH Sensitive credential files opened during monitoring window -8

Six credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened by a process during the monitoring window. Temporal analysis attributes both access batches to the audit harness rather than to the skill: the first batch (timestamp 1771939673.813) occurred 6 seconds before the git clone began, when no skill code was yet on disk, and the second batch (1771939690.946) matches the harness's canary teardown pattern. The canary integrity report confirms all files are intact. The pattern is still recorded as a behavioral signal: an access of these files that fell inside the skill's own execution window would be a genuine finding, not harness noise.

MEDIUM Persistent conversation memory accumulation -12

The skill is architected to retain all agent conversation history across three storage tiers: a short-term sliding window (JSON), medium-term summaries (daily JSON files), and a long-term vector store (ChromaDB). All three persist indefinitely, with no retention limit or expiry. Any sensitive information discussed with the agent (credentials, personal data, business logic) is silently stored and retrievable by any process with filesystem access to the workspace directory.

MEDIUM Executable Python script shipped with skill -8

The skill includes scripts/memory_manager.py, an executable Python script with full read/write access to the workspace directory. It is not auto-executed during installation, but it is expected to be invoked by the agent. The script has no sandboxing and runs with agent-user privileges, so its filesystem access is bounded only by that user's permissions.

LOW WORKSPACE_DIR environment variable allows path injection -10

The storage directory is read from os.environ.get('WORKSPACE_DIR', ...) with no validation of the value: it is not required to be absolute, not normalized, and not checked against an allowed root. A compromised environment or a co-installed skill that sets this variable could redirect memory storage to an attacker-controlled or shared path, or, via '..' segments or a symlink, to a location outside the intended workspace.

LOW Developer home directory path hardcoded in production script -5

The default WORKSPACE_DIR is hardcoded as '/Users/scott/.openclaw/workspace', exposing the developer's macOS username and directory layout. On any non-macOS system, or for any other user, that path does not exist, so instead of falling back to the current user's home the skill either creates the directory tree in an unintended location or fails with a permission error.
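The two findings above (unvalidated WORKSPACE_DIR and the hardcoded developer path) share one fix. The following is an added example, not code from the skill or the openclaw project: it derives the default from the current user's home, requires the override to be absolute, resolves '..' and symlinks before checking that the result stays under an allowed root (assumed here to be ~/.openclaw), and creates the directory owner-only. The allowed-root policy, the function names and the constructed test paths are assumptions for illustration.

```python
import os
from pathlib import Path
from typing import Mapping, Optional


class WorkspaceDirError(ValueError):
    """WORKSPACE_DIR is unusable or points outside the allowed root."""


def default_root() -> Path:
    # Derive the root from the current user's home instead of a developer's
    # hardcoded '/Users/<name>/...' path, so it is valid for any OS and user.
    return Path.home() / ".openclaw"


def resolve_workspace_dir(env: Mapping[str, str],
                          allowed_root: Optional[Path] = None) -> Path:
    """Return a validated storage directory for the memory tiers.

    Policy (an assumption of this example, not the skill's own):
      - unset or empty WORKSPACE_DIR  -> <allowed_root>/workspace
      - the value must be an absolute path
      - after collapsing '..' and following symlinks it must still lie
        inside allowed_root; anything else raises WorkspaceDirError
    """
    root = (allowed_root if allowed_root is not None else default_root()).resolve()
    raw = env.get("WORKSPACE_DIR", "").strip()
    if not raw:
        return root / "workspace"
    candidate = Path(raw)
    if not candidate.is_absolute():
        raise WorkspaceDirError(f"WORKSPACE_DIR must be absolute, got {raw!r}")
    # Path.resolve() (non-strict) normalises '..' and follows symlinks in the
    # existing prefix, so the containment check sees the real target rather
    # than the spelling the environment supplied.
    resolved = candidate.resolve()
    if os.path.commonpath([str(root), str(resolved)]) != str(root):
        raise WorkspaceDirError(
            f"WORKSPACE_DIR {raw!r} resolves to {resolved}, outside {root}")
    return resolved


def ensure_private_dir(path: Path) -> Path:
    """Create the storage directory owner-only (0700): the memory tiers hold
    conversation history, which should not be group- or world-readable."""
    path.mkdir(parents=True, exist_ok=True)
    os.chmod(path, 0o700)
    return path


def classify(env: Mapping[str, str], allowed_root: Path) -> str:
    """Demo helper: 'accepted:<path>' or 'rejected:<reason>'."""
    try:
        return f"accepted:{resolve_workspace_dir(env, allowed_root)}"
    except WorkspaceDirError as exc:
        return f"rejected:{exc}"


def demo() -> dict:
    # Constructed inputs for this example; the root is a throwaway path and
    # nothing is created on disk by classify().
    root = Path("/tmp/openclaw-demo/.openclaw")
    cases = {
        "unset":     {},
        "inside":    {"WORKSPACE_DIR": "/tmp/openclaw-demo/.openclaw/workspace"},
        "traversal": {"WORKSPACE_DIR": "/tmp/openclaw-demo/.openclaw/../../etc"},
        "relative":  {"WORKSPACE_DIR": "workspace"},
        "elsewhere": {"WORKSPACE_DIR": "/var/tmp/shared"},
        "devpath":   {"WORKSPACE_DIR": "/Users/scott/.openclaw/workspace"},
    }
    return {name: classify(env, root) for name, env in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} {outcome}")
```

Only the "unset" and "inside" cases are accepted; the traversal, relative, shared-directory and leaked developer-path values are all rejected before anything is written. Containment is checked on the resolved path with os.path.commonpath rather than with a string prefix test, so a root of /tmp/a does not accidentally accept /tmp/ab.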

LOW Undeclared external dependency (chromadb) required for core feature -5

Long-term memory and vector search require the chromadb Python package, which is not bundled, not listed in any requirements file, and not mentioned in the SKILL.md install instructions. When the package is missing, the feature fails at runtime with a user-visible error message, but neither the message nor the documentation gives the agent a clear install path.

INFO GitHub connection during install (expected) 0

The install process connected to 140.82.121.3:443 (GitHub) to perform a sparse git clone of the openclaw/skills monorepo. This is the expected and legitimate installation mechanism. A separate connection to 185.125.188.54:443 (Ubuntu/Canonical MOTD service) was triggered by SSH session initialization, not the skill.