Is justinhartbiz/dory-memory safe?

https://github.com/openclaw/skills/tree/main/skills/justinhartbiz/dory-memory

Overall score: 79 / 100 (weighted from the category scores below)
Verdict: CAUTION

The dory-memory skill implements a legitimate file-based memory system with no executable code, no external transmission endpoints, and intact canary files — indicating no active credential theft or direct exfiltration. However, two concerns prevent a clean approval: the skill's workspace architecture is explicitly designed to be injected into the agent's system context every session (creating a durable attack surface if workspace files are ever modified by any vector), and the skill package bundles a .clawhub/lock.json referencing an entirely separate skill (academic-research-hub) that may silently install as a dependency. The skill is functional and the author's intent appears benign, but the packaging artifact and persistent injection surface warrant review before deployment.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 72/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 67/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (7)

MEDIUM Workspace designed as persistent injection surface via OpenClaw file injection -20

The skill explicitly documents that AGENTS.md, SOUL.md, USER.md, and other workspace files are injected into the agent's context automatically every session by OpenClaw. This means any attacker who can write to ~/.openclaw/workspace/ — through another compromised skill, a path traversal bug, or social engineering — gains persistent prompt injection capability across all future agent sessions, not just the current one.

MEDIUM .clawhub/lock.json references external skill as installed dependency -28

The dory-memory skill package includes a .clawhub/lock.json that references a distinct skill 'academic-research-hub' at version 0.1.0 with an installedAt timestamp. This file appears to be the developer's workspace state accidentally bundled into the package. Depending on how OpenClaw's package manager processes lock.json files found within installed skill directories, this could silently trigger installation of academic-research-hub without user awareness or consent. This is either accidental packaging negligence or an intentional supply chain vector.

MEDIUM HOLD.md 'blocks override all' creates highest-priority suppression mechanism -8

The skill establishes a conflict resolution hierarchy where HOLD.md takes absolute priority over all other files including user instructions in ACTIVE.md and agent rules in AGENTS.md. If HOLD.md is modified to contain false blocked items, it can prevent the agent from acting on legitimate user requests indefinitely with no clear recovery path visible to the user.

LOW User instructions and conversation history persistently logged to workspace files -18

The Dory-Proof pattern mandates capturing the user's exact words to state/ACTIVE.md before every task. The memory system accumulates conversation summaries in daily logs and recent-work.md. This creates a persistent, queryable record of user tasks and intentions that survives context resets and is accessible to any process or skill with filesystem read access.

LOW Quick Setup documentation contains shell command targeting user home directory -12

The skill's Quick Setup section includes a shell command that, if executed by a compliant agent following the setup instructions, copies template files into ~/.openclaw/workspace/ with recursive overwrite semantics. This would overwrite any existing workspace files including AGENTS.md, SOUL.md, and other injected system files with the skill's templates.

LOW Mandatory boot sequence conditions agent to consult workspace before all actions -32

The skill mandates reading 5 workspace files at the start of every session before taking any action. This creates a durable behavioral conditioning where the workspace becomes a required input to all agent decision-making. Once established, this pattern means workspace content functions as a persistent instruction layer that user messages must compete against.

INFO Post-install openclaw-gatewa process shows new external TCP connections -5

The connection diff shows openclaw-gatewa (pid=1087) establishing new TCP connections to 104.16.3.34:443 (Cloudflare) and 3.213.170.18:443 (AWS) after installation, plus new listeners on 127.0.0.1:18790 and 18793. These are attributed to the OpenClaw execution environment gateway process (confirmed by /home/oc-exec/.openclaw-executor/gateway.pid in the filesystem diff) and not to any code within the skill package itself.