Trust Assessment
hexmem received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 17 findings: 4 critical, 4 high, 9 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Sensitive environment variable access: $HOME, Persistence mechanism: Crontab modification.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings17
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/santyr/skill-hexmem/SKILL.md:402 | |
| CRITICAL | Chained Command/SQL Injection and Unquoted Variable Expansion in vault-backup.sh The `scripts/vault-backup.sh` script is vulnerable to multiple command and SQL injection issues:
1. It calls `scripts/backup.sh` and `scripts/export-significant.sh`, inheriting their respective command and SQL injection vulnerabilities.
2. It uses the output paths (`$BACKUP_FILE`, `$EXPORT_FILE`) from these scripts directly in `sha256sum` and `cp` commands without proper shell escaping. If these paths contain shell metacharacters (e.g., `malicious_file; rm -rf /;`), it could lead to arbitrary command execution. Address the underlying vulnerabilities in `backup.sh` and `export-significant.sh`. Ensure all variables derived from external input or script output are properly quoted and escaped for shell metacharacters before being used in subsequent commands. Avoid parsing script output for file paths; instead, have scripts return canonical, safe paths. | LLM | scripts/vault-backup.sh:49 | |
| CRITICAL | Command Injection in clawdbot-hook/handler.js via `shell: true` and insufficient escaping The `runCommand` function in `clawdbot-hook/handler.js` uses `child_process.spawn` with `shell: true`. The `logEventToHexMem` and `queueForEmbedding` functions construct SQL strings by only escaping single quotes (`replace(/'/g, "''")`) for `summary`, `details`, and `text_to_embed`. This escaping is insufficient to prevent shell metacharacters (e.g., backticks, semicolons, `$(...)`) from being interpreted by the shell when `sqlite3` is executed. An attacker controlling the content of `summary`, `details`, or `text` could execute arbitrary shell commands. Avoid `shell: true` when executing external commands with user-controlled input. If `shell: true` is strictly necessary, ensure all arguments passed to the command are rigorously sanitized and escaped for *shell* metacharacters, not just SQL string literals. Alternatively, use a dedicated SQLite library in Node.js (e.g., `sqlite3` npm package) with parameterized queries, which is much safer than shelling out to `sqlite3`. | LLM | clawdbot-hook/handler.js:100 | |
| CRITICAL | Command Injection in hexmem.sh core functions via insufficient escaping The `hexmem_query`, `hexmem_select`, and `hexmem_json` functions (and all functions that use them, such as `hexmem_entity`, `hexmem_fact`, etc.) are vulnerable to command injection. The `hexmem_sql_escape` function only escapes single quotes for SQL string literals, but does not escape shell metacharacters. When SQL strings are constructed with user-controlled input and then passed as arguments to `sqlite3` within a shell context, shell metacharacters in the user input are not escaped and can be interpreted by the shell, leading to arbitrary command execution. The `hexmem_sql_escape` function is insufficient for shell command arguments. Instead of constructing SQL strings with user input and passing them to `sqlite3` via shell, use `sqlite3`'s built-in support for parameterized queries (e.g., `sqlite3 "$HEXMEM_DB" "SELECT * FROM table WHERE col = ?" "$user_input"`). This separates the SQL command from the data, preventing injection. Alternatively, implement robust shell escaping for all user-controlled variables before they are used in command arguments. | LLM | hexmem.sh:14 | |
| HIGH | Persistence mechanism: Crontab modification Detected Crontab modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/santyr/skill-hexmem/SKILL.md:402 | |
| HIGH | Command Injection via unsanitized arguments in backup.sh The `scripts/backup.sh` script directly uses command-line arguments `--db` and `--outdir` without proper sanitization when constructing the `sqlite3` command. An attacker able to control these arguments could inject arbitrary shell commands or SQL into the `sqlite3` execution. Sanitize or validate all user-provided arguments (`$DB`, `$OUTDIR`) before using them in shell commands. Prefer using `sqlite3`'s built-in backup API directly from a Python script with parameterized arguments, or ensure shell arguments are properly quoted and escaped for shell metacharacters, not just SQL string literals. | LLM | scripts/backup.sh:26 | |
| HIGH | SQL Injection via HEXMEM_EXPORT_SINCE_HOURS in export-significant.sh The `scripts/export-significant.sh` script directly interpolates the `SINCE_HOURS` environment variable into an SQL query. An attacker controlling `HEXMEM_EXPORT_SINCE_HOURS` can inject arbitrary SQL, potentially leading to data exfiltration, modification, or deletion. Use parameterized queries for all SQL statements. If using `sqlite3` from the command line, pass variables as separate arguments to be bound, or strictly validate and sanitize input to ensure it only contains expected numeric values. | LLM | scripts/export-significant.sh:16 | |
| HIGH | SQL Injection via DAYS_BACK in hex-reflect.sh The `scripts/hex-reflect.sh` script directly interpolates the `DAYS_BACK` variable (derived from command-line argument) into an SQL query. An attacker controlling the `--days` argument can inject arbitrary SQL, potentially leading to data exfiltration, modification, or deletion. Use parameterized queries for all SQL statements. If using `sqlite3` from the command line, pass variables as separate arguments to be bound, or strictly validate and sanitize input to ensure it only contains expected numeric values. | LLM | scripts/hex-reflect.sh:61 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/santyr/skill-hexmem/SKILL.md:29 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/santyr/skill-hexmem/hexmem.sh:5 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/santyr/skill-hexmem/migrate.sh:8 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/santyr/skill-hexmem/scripts/backup.sh:7 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/santyr/skill-hexmem/scripts/create-hexmem-vault.sh:15 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/santyr/skill-hexmem/scripts/export-significant.sh:7 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/santyr/skill-hexmem/scripts/sign-repo.sh:8 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/santyr/skill-hexmem/scripts/vault-backup.sh:11 | |
| MEDIUM | Unpinned Python dependency version Requirement 'PyYAML>=6.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/santyr/skill-hexmem/requirements.txt:4 |
Scan History
Embed Code
[](https://skillshield.io/report/48fe5abc5d4e16d6)
Powered by SkillShield