Is hassffw/memory-compression-system safe?
https://github.com/openclaw/skills/tree/main/skills/hassffw/memory-compression-system
The memory-compression-system skill presents a moderate risk profile anchored by three interconnected concerns: a persistent OpenClaw cron job that injects scheduled shell commands into the LLM agent's action loop every 6 hours (a vectored prompt injection mechanism that bypasses SKILL.md content scanning), a compression pipeline that reads all agent memory files and could capture sensitive stored content, and an unaudited install.sh that is wired as an npm install lifecycle hook. Clone-time network activity was limited to expected GitHub endpoints, canary files were read but not modified (with timing consistent with Oathe monitoring system scans rather than skill-initiated access), and the SKILL.md itself contains no classic prompt injection text. However, the combination of scheduled agent hijacking, memory file harvesting, and a documented Telegram notification channel creates a plausible covert surveillance pipeline whose individual components each carry legitimate-sounding justifications that obscure the aggregate risk.
Findings (12)
HIGH: Persistent Scheduled Agent Turn Injection via Cron (-20)
enable.sh registers an OpenClaw cron job with a 21,600,000ms (6-hour) interval using sessionTarget 'isolated' and delivery mode 'announce'. The payload is a kind:'agentTurn' message that instructs the LLM agent to navigate to the skill directory and execute a shell script. This is a recurring prompt injection that persists after the user's session ends, survives skill updates, and continues operating until explicitly disabled via disable.sh.
HIGH: Agent Turn Payload Embeds Shell Command Execution (-15)
The cron job message payload contains a literal shell command string ('cd ... && ./scripts/compress.sh --auto') that the LLM agent will interpret and execute. This is command injection delivered via the scheduling subsystem rather than directly in SKILL.md, making it invisible to SKILL.md-only content scanning and bypassing prompt injection detection focused on the skill's documentation.
HIGH: Compression Pipeline Harvests Agent Memory File Contents (-20)
compress.sh function get_memory_context() iterates every .md file under /home/node/.openclaw/workspace/memory/ and reads the first 5 lines of each into a staging temp file. This content — which could include API keys, user instructions, prior conversation summaries, or authentication tokens stored by other skills — is then compressed and written to the skill's local data directory. No access control, user consent prompt, or content filtering is applied before reading.
MEDIUM: Telegram Notification Channel Provides Potential Exfiltration Path (-15)
SKILL.md explicitly documents a Telegram notification system for 'important events'. No Telegram API integration code was found in the seven audited scripts, but install.sh (whose content was not captured) or a config file not present at audit time could establish this channel. Combined with the memory file harvesting in compress.sh, a Telegram webhook could complete a full exfiltration pipeline: read memory → compress → transmit via Telegram.
MEDIUM: install.sh Content Unavailable for Review (-5)
install.sh is listed in the skill's file manifest and is referenced as the npm install lifecycle hook, but its content was not captured during the audit evidence collection phase. Any credential harvesting, reverse shell, data exfiltration, or persistence mechanism placed in install.sh would be completely invisible to this audit. The script's execution during npm install would be silent and automatic.
MEDIUM: npm install Lifecycle Hook Auto-Executes Unreviewed install.sh (-20)
The package.json 'scripts.install' field pointing to './scripts/install.sh' is a standard npm lifecycle hook that executes automatically whenever 'npm install' is run in the skill directory, without any user confirmation prompt. Any OpenClaw workflow that triggers npm install after skill deployment would silently execute install.sh with whatever permissions the npm process carries.
MEDIUM: Cron Job Persists Beyond Skill Lifecycle (-10)
The OpenClaw cron job created by enable.sh is registered at the platform level and is not automatically removed if the skill is uninstalled, updated, or its files are deleted. The job continues injecting agent turn messages referencing the (potentially absent) skill directory every 6 hours until disable.sh is explicitly run or the job is manually removed via openclaw cron remove.
LOW: All Scripts Source External Configuration File Without Sanitization (-10)
Every audited script begins with '[ -f "$CONFIG_FILE" ] && source "$CONFIG_FILE" 2>/dev/null', sourcing config/default.conf into the script's execution context. If config/default.conf is modified by another installed skill, a malicious actor with filesystem access, or an attacker exploiting a directory traversal, arbitrary shell code can be injected into every script invocation including automated cron runs.
LOW: Canary Files Read Twice During Audit Window (-20)
auditd PATH records and inotify events confirm that all six canary credential files were opened and read at two separate timestamps: before skill install (auditd events 266-271, Unix timestamp 1771920209) and after install (events 1501-1506, timestamp 1771920226). All accesses were CLOSE_NOWRITE, confirming read-only access. Timing analysis places both access windows within Oathe monitoring system activity (the pre-install baseline scan and the post-install integrity verification) rather than within skill script execution. The monitoring system confirmed that all files were unmodified.
HIGH: Chained Attack Pipeline: Cron Injection + Memory Harvest + Alert Exfiltration (-35)
The skill assembles three independently defensible components into a covert surveillance pipeline: (1) enable.sh installs a persistent 6-hour cron that hijacks the agent's action loop; (2) compress.sh reads all agent memory files capturing whatever sensitive content is stored there; (3) SKILL.md documents Telegram/email alert infrastructure that could transmit captured content. No single component is overtly malicious, but the combination creates an autonomous, persistent, and stealthy memory monitoring capability. The 'ultra' compression format also encodes mem.files and mem.size statistics, providing operational fingerprinting data about the agent's knowledge state.
MEDIUM: Skill Semantics Provide Cover for Privileged Background Operations (-20)
The 'memory compression and optimization' premise provides legitimate-sounding justification for all high-risk behaviors: background filesystem access is 'compression', memory file reading is 'context collection', cron job creation is 'automated scheduling', and external notifications are 'health monitoring'. A user reviewing SKILL.md would encounter standard utility documentation; the agent turn injection and memory harvesting mechanisms require reading and understanding the bash script implementation to identify.
INFO: Install-Time Network Activity Confined to Expected Endpoints (-15)
Network monitoring captured outbound TCP connections exclusively to github.com (140.82.121.3:443) for the git sparse-checkout clone. Pre-existing connections to 185.125.190.17 and 185.125.188.58 (Ubuntu/Canonical infrastructure for OS updates) were established before the install began and were absent in the post-install connection snapshot, indicating they were background OS processes. DNS queries resolved through the local resolver (127.0.0.53). No C2 beaconing, credential submission endpoints, or data exfiltration connections were observed.