Is koatara20/guava-memory safe?
https://github.com/openclaw/skills/tree/main/skills/koatara20/guava-memory
GuavaMemory is a legitimate episodic memory skill with no prompt injection, no malicious code, and no exfiltration mechanisms in its source files. The primary risks are platform-level and operational: the skill's design causes task descriptions to be sent to Voyage AI on every invocation via memory_search, and it requests a persistent modification of AGENTS.md that changes agent behavior across all sessions. The credential file accesses observed during monitoring are attributable to oathe infrastructure (pre-clone baseline and post-install verification), and the integrity check confirms no tampering.
Findings (7)
MEDIUM (-15): Persistent AGENTS.md Behavior Modification
The skill instructs users to paste a block of episodic memory rules into their AGENTS.md file. Once installed, these rules cause the agent to run memory_search on every task start and write episode files on every task completion — across all sessions and all tasks, not just those related to GuavaMemory. This is a persistent, session-spanning behavioral modification that outlives any individual skill session.
LOW (-12): Task Content Sent to Voyage AI via memory_search
The skill's core workflow (applied on every task) calls OpenClaw's memory_search tool, which submits task descriptions and query strings to Voyage AI's embedding service for semantic indexing and retrieval. While this is a platform-level feature rather than a skill-introduced endpoint, the skill's design ensures that sensitive task content — including intents, file paths, and tool usage — is systematically sent to a third-party AI service as part of normal operation.
LOW (-10): Plaintext Local Memory Accumulates Sensitive Task History
Episodes written to memory/episodes/ are plaintext Markdown files containing task intent, context (domain, tools, preconditions), success/failure patterns, and key insights. Over time this directory becomes a detailed record of agent activities that could expose sensitive operational information if the workspace is compromised or shared.
LOW (-20): Credential Files Read During Installation Window
Six honeypot credential files were accessed (read-only) during the monitoring window: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud application_default_credentials.json. Timing analysis shows that the first batch, at audit timestamp 1771923301.283, occurred before the git clone (1771923306), and that the second batch, at 1771923318.651, follows the same batch pattern, consistent with oathe canary verification. The skill source code contains no logic targeting these files, and the integrity check confirms no modification.
LOW (-15): Memory Poisoning and Pattern Entrenchment Risk
The Q-value promotion mechanism automatically elevates episodic patterns with Q≥0.85 and 3+ successes into reusable skill procedures. If an adversary can influence agent task outcomes (e.g., through crafted inputs that produce high-reward episodes), they could gradually entrench malicious patterns into the promoted skills directory. This attack requires sustained access but is a latent risk in long-lived memory systems.
INFO (-5): Shell Script Uses Unquoted HOME Expansion
ep-search.sh constructs a path using ${HOME}/.openclaw/workspace/memory/episodes. If HOME is manipulated (unusual in normal deployments), path traversal is theoretically possible. In practice the script is read-only (cat + jq), so this represents a negligible risk.
INFO (0): Clean Sparse Checkout from GitHub
Clone used expected sparse-checkout pattern from openclaw/skills.git (140.82.121.3:443). No unexpected filesystem writes, no unexpected process spawning, no background daemons installed. Post-install connection state identical to pre-install except the monitoring SSH connection was refreshed.