Is ibitnoah/unibase-membase safe?

https://github.com/openclaw/skills/tree/main/skills/ibitnoah/unibase-membase

Score: 78 (CAUTION)

This skill appears to be a legitimate memory backup system but transmits potentially sensitive data to external services and handles user credentials. While no malicious behavior was detected during installation, the external dependencies and data handling create moderate security risks.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (5)

HIGH External Data Transmission -25

The skill transmits backup data to an external service (https://testnet.hub.membase.io), creating potential privacy and security risks despite claimed client-side encryption.

MEDIUM Sensitive System File Access -15

During installation, the system detected access to sensitive files including .env, SSH keys, AWS credentials, and other configuration files.

MEDIUM Third-Party Service Dependency -30

The skill relies on an external Membase service for storing encrypted backups, creating dependency risks and potential attack vectors if the service is compromised.

MEDIUM Sensitive Credential Handling -20

The skill requests and handles sensitive user credentials including account keys, secret keys, and backup passwords, which could be misused if the skill is compromised.

LOW Executable Code Components -15

The skill contains executable TypeScript files that run Node.js commands, though these appear to implement legitimate backup functionality.