Is kunoiiv/proof-of-memory safe?
https://github.com/openclaw/skills/tree/main/skills/kunoiiv/proof-of-memory
Proof-of-Memory is a low-sophistication skill with no active exfiltration, prompt injection, or malicious code. Its primary risks are indirect: it reads agent daily memory files (which may contain sensitive conversation data) to compute PoW hashes, embeds the first 50 characters of that content into MEMORY.md, and progressively pollutes the agent's core memory file with cryptographic noise that consumes context window budget over time. The CPU-intensive synchronous PoW loop also poses a minor denial-of-service risk to agent responsiveness.
Findings (8)
HIGH Reads Agent Daily Memory Files -32
pom.js reads memory/YYYY-MM-DD.md using fs.readFileSync with the CWD-relative path. In a deployed agent context these files contain daily memory summaries that may include sensitive user data, API keys mentioned in conversation, or PII. The entire file content is loaded into memory as the PoW input.
HIGH CPU-Intensive Synchronous Proof-of-Work in Agent Process -20
The powHash function runs a tight synchronous loop of up to 100,000 SHA256 digest operations. For difficulty=4 (four leading zeros), expected iterations average ~65,536. This blocks the Node.js event loop for hundreds of milliseconds per run, degrading agent responsiveness. If a user or another skill triggers execution outside the cron schedule, this could be used as a resource exhaustion vector.
MEDIUM Writes Directly to Core Agent Memory File (MEMORY.md) -15
appendToRoot() calls fs.appendFileSync on ROOT_MEMORY='MEMORY.md', the agent's primary persistent memory file. This path is resolved relative to the process working directory. Repeated daily writes grow MEMORY.md with PoW block entries, consuming context window space and potentially interfering with the agent's memory retrieval logic.
MEDIUM Progressive Memory Pollution via Daily Cron -20
SKILL.md instructs 'cron every=86400s: node skills/pom/pom.js'. Each run appends a multi-line PoW block to MEMORY.md. After 30 days this adds ~30 blocks of cryptographic hash output to the agent's primary memory. The MEMORY.md system reminder is loaded in every conversation, so this pollution directly reduces the context available for useful memory content.
LOW Partial Memory Content Leaked into MEMORY.md Block Comment -10
The block written to MEMORY.md includes 'Input: ${chain.input.slice(0,50)}...' where chain.input = memoryFileContent + nonce. This embeds the first 50 characters of the daily memory file into MEMORY.md in plaintext, making a snippet of potentially sensitive memory content persistent and visible to all future conversations.
LOW Co-installed Skill Reference in lock.json -10
The .clawhub/lock.json bundled with this skill declares a co-installed dependency: academic-research-hub v0.1.0 (installedAt: 1770957475341). That co-installed skill was not audited. If academic-research-hub has network access, it could read MEMORY.md (including newly appended PoW blocks) and exfiltrate content that pom.js has embedded from daily memory files.
INFO OpenClaw Gateway Establishes Two New AWS Connections Post-Install 0
Connection diff shows openclaw-gateway (pid=1087) established two ESTAB connections to 54.211.197.216:443 (Amazon AWS) after installation. These are attributable to the platform gateway process, not the skill code, and appear to be normal openclaw infrastructure traffic.
INFO All Canary Files Intact 0
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed only at the expected audit-harness timestamps (pre-install baseline and post-install check). No modification or exfiltration was detected.