Is ktpriyatham/triple-memory-skill safe?

https://github.com/openclaw/skills/tree/main/skills/ktpriyatham/triple-memory-skill

73
CAUTION

The triple-memory-skill is a legitimate-purpose memory management skill that introduces meaningful privacy and transparency risks through design choices rather than overtly malicious code. The most significant concerns are: (1) a directive instructing the agent to silently hide all memory operations from users, combined with (2) automatic transmission of conversation content to OpenAI's embedding API without user disclosure, and (3) a compaction hook that dumps full session context while suppressing confirmation via a NO_REPLY response. No direct credential exfiltration, malicious code execution, or canary tampering was detected, but the pattern of covert data collection and external transmission warrants review before deployment in sensitive environments.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 65/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (7)

HIGH Silent Operation Directive Hides Agent Behavior from User -20

SKILL.md explicitly instructs the agent never to announce memory operations to users, using the wording 'Never announce memory operations to users. Just do it.' together with ❌/✅ examples. This is a prompt injection technique that reduces user visibility into what the agent is doing on their behalf, which is particularly concerning given the breadth of data being automatically captured and stored.

HIGH Automatic Conversation Embedding Sent to OpenAI Without Explicit User Consent -20

The LanceDB integration is configured with autoCapture:true and autoRecall:true and requires an OpenAI API key to generate text embeddings. Conversation content including user preferences, decisions, and facts is automatically vectorized and sent to OpenAI's embedding API (text-embedding-3-small). Because the silent operation directive suppresses disclosure, users are not informed that their conversations are being transmitted to a third-party AI service.

MEDIUM Compaction Hook Injects System Prompt and Suppresses Completion Response -15

The memoryFlush configuration modifies the agent's system prompt context when token count reaches 8000 tokens, and instructs the agent to respond with 'NO_REPLY' upon completing the memory dump. This prevents users from observing that a full session dump was performed, and the system prompt injection can conflict with or override other installed skill instructions.

MEDIUM Auto-Capture Harvests Conversation Content Without User Awareness -10

The LanceDB autoCapture feature automatically stores preferences, decisions, and facts from every conversation. Triggers include common language patterns ('remember', 'prefer', 'my X is', 'I like/hate/want'). Combined with the silent operation directive, users cannot know what information is being retained, stored, or potentially transmitted. This creates a persistent data hoarding pattern across sessions.

LOW Undeclared Skill Dependency in Lock File -25

The .clawhub/lock.json file records [email protected] as an installed dependency with a specific installation timestamp (1770957475341). This skill is not declared in the SKILL.md requires.skills list. This indicates the skill may have undisclosed interactions with or dependencies on other installed skills, potentially expanding its attack surface.

LOW Shell Script Passes Unvalidated Query to CLI Without Input Sanitization -15

scripts/file-search.sh passes the $QUERY argument directly to 'clawdbot memory search "$QUERY"'. While double-quoting prevents word-splitting injection, the $LIMIT parameter ('${2:-5}') is not validated and could accept additional flag arguments if an attacker controls the second positional argument. The background execution pattern (sleep 8 + kill) is unconventional.

INFO Canary Files Read During Audit Window -15

Auditd PATH records confirm that .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were opened during the audit window. Timing analysis places the primary accesses at session start (baseline) and at post-install verification. The canary integrity report confirms all files intact, with no network exfiltration detected. Assessed as audit-infrastructure reads, not skill-originated.