Is memory-manager safe?

https://clawhub.ai/marmikcfc/memory-manager

78
CAUTION

Memory-manager is a legitimate local memory organization skill with no active malicious behavior. However, it ships 7 shell scripts that operate broadly across the agent's memory directory, and its snapshot feature consolidates sensitive context into single files that could be targeted by future updates or companion skills. The filesystem monitoring detected reads of .env and AWS credentials during installation, likely from the openclaw runtime rather than the skill itself. The heartbeat integration pattern normalizes periodic unattended script execution.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (8)

HIGH Sensitive file reads detected during install phase -15

Filesystem monitoring captured reads of .env, .aws/credentials, and auth-profiles.json during the skill's installation/runtime phase. While these reads are likely from the openclaw runtime environment rather than the skill's own code, the skill operates in a context where these sensitive files are accessible.

MEDIUM Seven executable shell scripts with broad filesystem access -25

The skill ships 7 shell scripts that perform find, grep, mv, cp, cat, and du operations across the memory directory tree. While individually benign, these scripts normalize shell execution as a routine agent behavior and operate with the full permissions of the agent process.

MEDIUM Memory consolidation creates high-value exfiltration target -20

snapshot.sh aggregates the most important recent memories (episodic, semantic, procedural) into a single markdown file in the snapshots directory. This consolidation pattern creates a convenient single-file target that a future malicious update or companion skill could exfiltrate.

MEDIUM Heartbeat integration encourages autonomous periodic execution -15

The SKILL.md instructs agents to add memory management commands to HEARTBEAT.md for automatic execution every 2 hours. This creates a persistent execution loop where shell scripts run periodically without per-invocation user consent, expanding the attack surface if the skill is later updated with malicious code.

LOW organize.sh moves files without user confirmation -5

The organize.sh script automatically moves date-formatted files from the flat memory directory to memory/episodic/ and copies non-date files to memory/legacy/ without prompting for confirmation. This could disrupt other tools or workflows that expect files in their original locations.

LOW Unquoted variable in find/for loops could break on special filenames -5

Several scripts iterate over file paths using unquoted variable expansion in for loops (e.g., 'for file in $FLAT_FILES'), which could cause incorrect behavior with filenames containing spaces or special characters. This is a code quality issue, not a direct security vulnerability.

INFO Jiti transpiler cache files created during install -5

Multiple .cjs files were created in /tmp/jiti/ during installation. These are from the openclaw runtime's jiti TypeScript transpiler, not from the skill itself. They include references to 'memory-core', 'plugin-sdk', 'plugins-runtime', and similar modules.

INFO No network exfiltration capability in current version 0

None of the shell scripts contain curl, wget, nc, or any other network commands. All data operations are local file reads and writes. No outbound connections were detected during monitoring.