Is jrbobbyhansen-pixel/memory-setup safe?
https://github.com/openclaw/skills/tree/main/skills/jrbobbyhansen-pixel/memory-setup
The memory-setup skill is documentation-only with no executable code, no prompt injection, no hidden instructions, and a clean install that produces exactly two expected files. The primary concerns are low-severity and fully disclosed: the skill's AGENTS.md snippet modifies agent retrieval behavior (intentional and opt-in), and the recommended session indexing configuration transmits conversation history to third-party embedding providers. No malicious behavior was observed during installation.
Findings (6)
LOW: AGENTS.md template modifies agent retrieval behavior (score impact -7)
The skill provides a ready-to-paste AGENTS.md snippet instructing the agent to automatically run memory_search before answering any question about prior work, decisions, dates, people, preferences, or todos. While this is the fully disclosed and intended purpose of the skill, it does constitute a standing behavioral instruction injected into agent context. The instruction is transparent, requires explicit user action to enable, and contains no adversarial framing.
LOW: Conversation transcripts transmitted to third-party embedding providers (score impact -4)
The recommended configuration indexes past conversation sessions via external embedding APIs (Voyage AI or OpenAI). This means conversation history is transmitted to third-party services for vectorization. This is standard RAG architecture, but users should understand that enabling sessions as a source causes ongoing exfiltration of chat content to provider infrastructure.
LOW: Persistent session memory expands future attack surface (score impact -12)
Enabling hot-mode session indexing creates a continuously growing, queryable store of all conversation history. Should a user subsequently install a compromised skill, that skill could invoke memory_search or memory_get to harvest sensitive content (API keys, internal hostnames, PII) discussed in prior sessions. The memory-setup skill itself introduces no exploit, but the persistent memory store it creates is a high-value secondary target.
INFO: No executable code of any kind (score impact -1)
The skill repository contains only _meta.json and SKILL.md. No scripts, npm lifecycle hooks, git hooks, submodules, symlinks, or compiled artifacts were present. The only shell command referenced in the skill is clawdbot gateway restart in the troubleshooting section — a benign CLI invocation with no payload.
INFO: Clean install — no unexpected filesystem or network activity (score impact -3)
The install process cloned only from github.com/openclaw/skills (140.82.121.4:443) via the audit framework's own install script and produced exactly the two expected skill files. The pre-install network connections to Canonical/Ubuntu IPs (91.189.91.48, 185.125.188.58) are consistent with apt/motd infrastructure already present in the VM.
INFO: All honeypot files intact — no exfiltration confirmed (score impact 0)
All six canary files remained unmodified. The inotify and auditd accesses to these files at timestamps 1771927405 and 1771927422 bracket the install window and align with the audit framework's own baseline check routines, not with any skill-initiated filesystem traversal.