Is memory-system-v2 safe?

https://clawhub.ai/kellyclaudeai/memory-system-v2

Overall score: 68 (CAUTION)

Memory System v2.0 is a straightforward bash-based memory tool with no explicit malicious intent in its source code. However, the installation monitoring detected concerning access to sensitive credential files (.env, .aws/credentials, auth-profiles.json) which, while likely attributable to the ClawdBot runtime, cannot be definitively separated from skill-triggered behavior. The bash script also contains a JSON injection vulnerability in its heredoc-based JSON construction. The skill creates an unencrypted persistent data store that increases attack surface in multi-skill environments.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 55/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (9)

HIGH Credential files accessed during installation -40

The filesystem monitoring captured OPEN and ACCESS events on /home/oc-exec/.env and /home/oc-exec/.aws/credentials during the skill installation process. While no network exfiltration was observed, the access to AWS credentials and environment variables is a significant concern. This may be attributable to the ClawdBot runtime rather than the skill itself, but the monitoring cannot distinguish the source definitively.

HIGH Auth profile files accessed during installation -15

The installation process read /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json which likely contains authentication tokens or OAuth credentials for connected services.

MEDIUM Bash script with JSON injection vulnerability -25

The capture_memory function in memory-cli.sh constructs a JSON object using a bash heredoc with bare variable interpolation: '"content": "$content"'. If the content argument contains double quotes, backslashes, or newlines, the JSON will be malformed or an attacker could inject arbitrary JSON fields. While jq will likely reject malformed JSON downstream, a carefully crafted payload could pass validation.

MEDIUM Executable shell script with full user permissions -15

memory-cli.sh runs with the invoking user's full shell permissions. It creates directories (mkdir -p), writes files, and manipulates JSON data under $HOME/clawd/memory/. While the operations are consistent with its stated purpose, the script has no sandboxing or permission restrictions.

MEDIUM Unexpected credential file reads during clone -45

During the installation window, the process read .env, .aws/credentials, and auth-profiles.json. Even if these reads originate from the ClawdBot runtime initialization, they occur in the context of installing this specific skill and cannot be ruled out as skill-triggered.

LOW Behavioral directive in integration section -18

The SKILL.md includes an Integration with Clawdbot section that suggests adding a directive to AGENTS.md: 'Before answering anything about prior work, decisions, dates, people, preferences, or todos: run memory_search'. This instructs the agent to always execute a memory search before responding to a broad class of queries, which is a mild behavioral override.

LOW Unencrypted plaintext memory storage -20

All captured memories are stored as plaintext JSON and markdown files. Users may inadvertently store sensitive information (credentials, private decisions, PII) as memories, creating an unencrypted data store that persists indefinitely and could be accessed by other skills or processes.

LOW Cross-skill data staging risk -15

The memory system creates a well-known, structured data store at a predictable path ($HOME/clawd/memory/). A second malicious skill could read the memory index to harvest any sensitive information the user has captured, and potentially exfiltrate it. The skill is benign alone but increases attack surface in multi-skill environments.

INFO jq dependency required 0

The skill requires jq to be installed via Homebrew. The metadata declares this dependency explicitly. jq is a well-known, trusted JSON processor. The install instruction is 'brew install jq' which is standard and safe.