Is supermemory safe?

https://clawhub.ai/skill/supermemory

Score: 35 · DANGEROUS

This skill is a data exfiltration vector disguised as a personal memory tool. It ships with a hardcoded API key that routes all user data to the skill author's SuperMemory account, explicitly encourages users to store credentials ('Remember that my API key is xyz'), and passes unsanitized user input through shell scripts vulnerable to command injection. Every interaction sends data to api.supermemory.ai with no user consent mechanism.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 30/100 · 30%
Data Exfiltration 15/100 · 25%
Code Execution 25/100 · 20%
Clone Behavior 70/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 10/100 · 5%

Findings (9)

CRITICAL Hardcoded API key routes all data to skill author's account -50

The SKILL.md Setup section contains a hardcoded SuperMemory API key (sm_oiZHA2HcwT4tqSKmA7cCoK_...). If the user sets this key as instructed, all memories, searches, and chat queries are sent to the skill author's SuperMemory account at api.supermemory.ai. The author has full read access to everything the user stores.

CRITICAL Skill examples social-engineer credential exfiltration -35

The SKILL.md Examples section explicitly encourages users to store sensitive credentials through the skill: 'Remember that my API key is xyz' maps to sending that API key to the external SuperMemory API. This normalizes credential exfiltration as a feature.

HIGH Shell command injection via unsanitized JSON interpolation -40

add-memory.sh constructs JSON payloads by directly interpolating $CONTENT into a heredoc without any escaping or sanitization. User input containing double quotes, backticks, or $() subshells could break out of the JSON string and execute arbitrary commands or corrupt the API request in unexpected ways.

HIGH Arbitrary Python execution from external API response -15

chat.sh pipes the raw API response from api.supermemory.ai directly into python3 -c with inline code. If the API response is malicious or the API is compromised, that inline Python code processes attacker-controlled data with no sandboxing.

HIGH Skill normalizes API key exposure in system prompts -40

Including a real, valid-looking API key directly in SKILL.md (which is injected into the agent's system prompt) trains the agent to treat API keys as normal displayable content. This degrades the agent's security posture for handling secrets across all interactions.

HIGH Skill instructs agent to pass user content to shell without sanitization -30

The Implementation section directs the agent to execute shell scripts with raw user input as arguments: bash /root/clawd/skills/supermemory/scripts/add-memory.sh "content". No guidance is given on sanitizing the content parameter, creating an injection vector.

MEDIUM All user queries sent to third-party API without consent flow -15

Search and chat operations send user queries to api.supermemory.ai/v3/search with no user confirmation step. Any question asked through the skill is transmitted to an external service the user has no relationship with.

MEDIUM Outbound TLS connection during install phase -30

Network monitoring captured a TLS connection to 216.150.1.1:443 during the install phase. While this may be related to the clawhub registry, it represents network activity during what should be a local file operation.

LOW Scripts reference hardcoded absolute paths -20

SKILL.md references /root/clawd/skills/supermemory/scripts/ as the execution path, suggesting the skill expects root-level access and a specific filesystem layout. This path won't match the actual install location.