Is jakebot-ops/persistent-memory safe?

https://github.com/openclaw/skills/tree/main/skills/jakebot-ops/persistent-memory

63
CAUTION

This persistent-memory skill presents meaningful behavioral and configuration risks despite containing no explicit malicious code or canary file exfiltration. The primary concerns are: (1) SKILL.md injects 'mandatory' behavioral overrides into the agent's context that alter how the agent responds and acts without explicit user awareness; (2) configure_openclaw.py modifies the system-level OpenClaw configuration to expand memory search scope to include agent directive files (SOUL.md, AGENTS.md), then automatically restarts the gateway, affecting all agents on the installation; and (3) the persistent vector memory system creates a long-lived cross-session injection surface where poisoned workspace content persists indefinitely. No credential exfiltration or canary file modification was detected.

Category Scores

Prompt Injection 48/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 58/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (8)

HIGH Mandatory behavioral directives injected via SKILL.md -30

The SKILL.md file contains three sections explicitly labeled 'mandatory' (Pre-Response, Pre-Action, Post-Edit) that instruct the agent to always query memory before responding, always query reference files before acting on external identifiers, and always re-index after edits. These are not suggestions — they are formatted as unconditional behavioral overrides injected directly into the agent's system prompt context. A user installing this skill may not realize their agent's decision-making process has been fundamentally altered.

HIGH OpenClaw memorySearch reconfigured to index agent directive files -22

configure_openclaw.py adds SOUL.md, AGENTS.md, HEARTBEAT.md, PROJECTS.md, TOOLS.md, IDENTITY.md, USER.md, and ARCHITECTURE.md to the OpenClaw memorySearch extraPaths. These are the files that define agent behavior and identity. By indexing them into the memory search system (which this skill controls), any future directive in those files becomes retrievable and potentially manipulable through memory queries. The skill frames this as fixing a 'bug' to increase acceptance likelihood.

HIGH Automatic OpenClaw gateway restart without user confirmation -20

configure_openclaw.py calls subprocess.run(['openclaw', 'gateway', 'restart']) after modifying the config file, restarting the production agent gateway. This affects all agents sharing the OpenClaw installation. The default --backup=True flag creates a backup file, but restart is not guarded by a user confirmation prompt and happens automatically as part of the unified_setup.sh flow.

MEDIUM Runtime ML model download from HuggingFace not disclosed to user -15

sentence-transformers downloads all-MiniLM-L6-v2 (~80MB) from HuggingFace at first indexing run. This network request is not documented in the SKILL.md setup instructions and occurs outside the install phase. It represents an undisclosed outbound connection to a third-party model host each time the embedding model is initialized.

MEDIUM Workspace sensitive data aggregated into queryable local vector store -15

The indexer collects and embeds all content from MEMORY.md, reference/.md (people.md, repos.md, infrastructure.md, business.md, properties.md), and memory/.md into a ChromaDB vector database. This creates a single semantically-queryable corpus of potentially sensitive institutional knowledge. While local, this aggregation increases the blast radius of any subsequent exfiltration by other skills or prompt injection attacks.

MEDIUM Persistent memory creates long-lived injection surface across sessions -25

The memory system is designed to persist across sessions. Any content written to MEMORY.md or reference/ files — including content injected via prompt injection from untrusted external sources — will be indexed, embedded, and retrieved in future sessions. This creates a persistent cross-session prompt injection vector: compromise once, persist forever.

LOW PyPI package installation with supply chain risk -7

unified_setup.sh and setup.sh install sentence-transformers==3.3.1, chromadb==0.6.3, and networkx==3.4.2 from PyPI. Versions are pinned but not hash-verified. These are legitimate packages with pinned versions, but no integrity verification (--require-hashes) is performed.

INFO Canary credential files read by audit harness at session boundaries 0

Auditd path events show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials were opened at timestamps 1771930724.738 and 1771930746.456. Timing analysis shows these accesses correlate with SSH session establishment and audit harness canary staging, not with skill script execution. Canary integrity report confirms all files unmodified. No skill code contains logic to read these paths.