Trust Assessment
agent-memory-ultimate received a trust score of 62/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 1 high, 2 medium, and 1 low severity. Key findings include Node lockfile missing, Direct SQL Execution via 'exec' tool and 'query.py', Access to WhatsApp Credential Store.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 41/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Direct SQL Execution via 'exec' tool and 'query.py': The skill explicitly states that "OpenClaw agents can execute SQL directly via the `exec` tool". Furthermore, the `scripts/query.py` file contains a `cmd_sql` function that directly executes an arbitrary SQL query passed as an argument (`conn.execute(query)`). If an agent processes untrusted input and passes it to this function or to the `exec` tool, this is a severe SQL injection vulnerability: an attacker could read, modify, or delete data in the `jarvis.db` database, or potentially execute other database commands. Recommendation: implement strict input validation and sanitization for any SQL generated from untrusted input; avoid direct execution of arbitrary SQL; prefer parameterized queries or ORM methods; if direct SQL is necessary, ensure it is used only with trusted, internal logic. | LLM | SKILL.md:160 |
| HIGH | Access to WhatsApp Credential Store: The `scripts/sync_whatsapp.py` script directly reads a file in a credentials directory, `~/.openclaw/credentials/whatsapp/default/baileys_store_multi.json`. This file likely contains session tokens or other authentication data for WhatsApp. Although processing this data is the script's purpose, direct access to a credential store is a high risk: if the script or the agent executing it were compromised, an attacker could exfiltrate these credentials and gain unauthorized access to the user's WhatsApp account. Recommendation: isolate credential access in a dedicated, tightly secured component; ensure the script reads only the data it needs and does not expose the full credential file; implement robust access controls and monitoring for any operation involving credential files. | LLM | scripts/sync_whatsapp.py:7 |
| MEDIUM | Broad Filesystem and Data Access: The skill is designed to read, write, and process a wide range of personal and sensitive data, including contacts (VCF, WhatsApp), chat history (WhatsApp, ChatGPT), and various markdown documents (daily logs, long-term memory, user profiles). This requires extensive filesystem access across `db/`, `bank/`, `memory/`, `chatgpt-export/`, and `~/.openclaw/credentials/`. While necessary for the skill's functionality, this broad access creates a large attack surface: a compromised agent or skill could read, modify, or delete sensitive user data, including via the `rm db/agent.db` command mentioned in `SKILL.md`. Recommendation: implement granular access controls where possible, limiting file access to what each sub-component strictly needs; regularly audit the scope of filesystem operations; encrypt sensitive data at rest; protect file deletion capabilities with strong authorization checks. | LLM | SKILL.md:190 |
| MEDIUM | Prompt Injection via Memory Files: The skill's 'wake up' routine instructs the agent to read `SOUL.md`, `USER.md`, `memory/YYYY-MM-DD.md`, and `MEMORY.md` to establish context. This design pattern makes the agent susceptible to prompt injection: if an attacker gains write access to any of these memory files (e.g., through a compromised skill, direct filesystem access, or a vulnerability in a file-writing operation), they could inject malicious instructions into the agent's operational context, manipulating its behavior or exfiltrating data. Recommendation: implement integrity checks and access controls for memory files; consider signing or hashing memory content to detect tampering; isolate the parsing of memory content from the execution of instructions; treat content from memory files as potentially untrusted, especially where it originates from or can be influenced by external sources. | LLM | SKILL.md:204 |
| LOW | Node lockfile missing: `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). Recommendation: commit a lockfile for deterministic dependency resolution. | Dependencies | skills/globalcaos/agent-memory-ultimate/package.json |
Full report: https://skillshield.io/report/98efcb12f4b02d8f