Trust Assessment
memory-mastery received a trust score of 54/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 0 critical, 1 high, 5 medium, and 0 low severity. Key findings include "Missing required field: name", "Sensitive environment variable access: $HOME", and "Potential Credential Harvesting/Data Exfiltration in Maintenance Script".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential Credential Harvesting/Data Exfiltration in Maintenance Script.** The `scripts/maintenance.sh` script explicitly searches for and prints lines containing keywords such as 'password', 'token', and 'API' from the user's daily logs. If these logs inadvertently contain sensitive credentials, this script will expose them to standard output, where they could be captured by an LLM or other processes. This poses a direct risk of credential harvesting or sensitive data exfiltration. Remove credential-related keywords (e.g., 'password', 'token', 'API') from the `grep` patterns in `scripts/maintenance.sh`. Alternatively, implement redaction or masking of sensitive patterns before printing the output, or add a prominent warning to the user about logging sensitive information and the script's behavior. | LLM | scripts/maintenance.sh:79 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/koatora20/memory-mastery/SKILL.md:1 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/koatora20/memory-mastery/scripts/audit.sh:9 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/koatora20/memory-mastery/scripts/maintenance.sh:8 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/koatora20/memory-mastery/scripts/setup.sh:9 |
| MEDIUM | **Excessive Filesystem Permissions in Setup Script.** The `scripts/setup.sh` script allows the `WORKSPACE` path to be specified by an argument or environment variable without validation. This enables the script to create directories (`memory/`), create/overwrite files (`MEMORY.md`), and append to files (`AGENTS.md`, `HEARTBEAT.md`) in an arbitrary location on the filesystem. If an attacker can control the `WORKSPACE` variable, this could lead to unauthorized file modifications, data loss, or denial of service in critical system directories. Implement path validation in `scripts/setup.sh` to ensure the `WORKSPACE` argument is restricted to an expected, sandboxed, or user-approved directory (e.g., within `$HOME/.openclaw/workspace`). Avoid allowing arbitrary filesystem writes based on unvalidated user input. | LLM | scripts/setup.sh:7 |