Trust Assessment
secure-memory-stack received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 2 critical, 1 high, 2 medium, and 1 low severity. Key findings include an unpinned npm dependency version, a missing Node lockfile, and unsanitized user input reaching `python3 -c` (shell command injection).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest, at 18/100.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Unsanitized user input in `python3 -c` leads to shell command injection. `scripts/search.sh` embeds the user-supplied `$QUERY` directly in the program string passed to `python3 -c`, between single quotes in the Python source. A query that closes that quote (e.g., `'; import os; os.system("rm -rf /"); '`) becomes Python code and runs with the skill's privileges. Do not interpolate `$QUERY` into the program text: pass it as a separate argument and read it with `sys.argv` in the Python code, so it can only ever be data. Escaping single quotes before embedding is a weaker fallback that is easy to get wrong. | LLM | scripts/search.sh:20 |
| CRITICAL | Caller-controlled backup path used as the `cp -r` source during restore. The `restore` action of `memory_maintenance.sh` takes a backup directory path (`$2`, assigned to `BACKUP_PATH`) and uses it in `cp -r "$BACKUP_PATH/memory" /root/clawd/`. Because the expansion is double-quoted, shell metacharacters in the value (`;`, `&`, `$(...)`, pipes) are not interpreted, so this is not command injection as written. The exposure is that whoever supplies the argument chooses what is copied into `/root/clawd/`: any readable directory via an absolute or `..` path, and a value beginning with `-` is parsed by `cp` as an option. Resolve the path and require it to lie inside the expected backup root, reject values starting with `-` (or place `--` before the operands), and fail if the result is not a directory. | LLM | memory_maintenance.sh:40 |
| HIGH | Unsanitized user input spliced into a JSON string passed to a Python script. `scripts/remember.sh` embeds `$CONTENT` directly in `{"content": "$CONTENT"}` and passes the result as an argument to `git-notes-memory/memory.py`. A double quote (`"`) or backslash (`\`) in `$CONTENT` breaks the JSON, and a crafted value that closes the string can add or override keys in the object (JSON injection). The impact then depends on how `memory.py` consumes the parsed values; it would escalate to code execution only if the script passes them to `eval` or `exec`. Build the JSON with an encoder (`json.dumps` in Python, `jq --arg` in the shell) or pass the content as a separate argument and let the Python script construct the object. | LLM | scripts/remember.sh:24 |
| MEDIUM | Unpinned npm dependency version. `memory-baidu-embedding-db` is declared as `^1.0.0` rather than an exact version, so a newer release can be pulled in without any change to the manifest. Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/xqicxx/secure-memory-stack/package.json |
| MEDIUM | Skill operates with high privileges in the `/root/clawd` directory. The skill consistently uses `/root/clawd` as its workspace for configuration, data, and scripts, which implies it runs as root or has full write access to that directory. This may be the intended environment for `clawd` skills, but it amplifies every other finding: a command injection here yields root-level control of the host. Where possible, run the skill as a dedicated non-root user in a less sensitive working directory. If root access to `/root/clawd` is required, every user input must be validated so that no other finding becomes a privilege escalation. | LLM | scripts/setup.sh:1 |
| LOW | Node lockfile missing. `package.json` is present but no lockfile (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`) was found. Commit a lockfile so that dependency resolution is deterministic. | Dependencies | skills/xqicxx/secure-memory-stack/package.json |
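The three code-level findings share one root cause: user-controlled strings are assembled into program text (a `python3 -c` program, a JSON document, a `cp` operand) instead of being passed as data. The Python below is an added example, not code from the SkillShield report or from the secure-memory-stack skill. The shapes of the `search.sh` and `remember.sh` commands are assumptions modelled on the findings, the child interpreter is `sys.executable` rather than a `python3` on `PATH`, and every input is constructed. It reproduces what `python3` receives in each case and contrasts it with the hardened form: argument passing, `json.dumps`, and a path-containment check for the restore source.

```python
"""Added example; not code from the SkillShield report or from the
secure-memory-stack skill.  It reconstructs the shell-to-Python data-passing
patterns the findings describe (the script shapes are assumed) and contrasts
each with a hardened form.  All inputs are constructed for illustration."""
import json
import os
import subprocess
import sys

# --- Finding 1: $QUERY interpolated into a `python3 -c` program -------------

# Assumed shape of the command in scripts/search.sh.  Inside bash double
# quotes "$QUERY" is substituted verbatim and never re-parsed, so str.format
# reproduces exactly the program text python3 receives.
VULN_TEMPLATE = "import json; q='{query}'; print(json.dumps({{'query': q}}))"


def run_vulnerable_search(query: str) -> str:
    """Interpolate the query into the program text, then run it."""
    program = VULN_TEMPLATE.format(query=query)
    proc = subprocess.run([sys.executable, "-c", program],
                          capture_output=True, text=True)
    return proc.stdout


# Hardened form: the program is a constant; the query travels as argv[1] and
# can only ever be data, whatever quotes or semicolons it contains.
SAFE_PROGRAM = "import json, sys; print(json.dumps({'query': sys.argv[1]}))"


def run_safe_search(query: str) -> str:
    proc = subprocess.run([sys.executable, "-c", SAFE_PROGRAM, query],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)["query"]


# --- Finding 3: $CONTENT spliced into a JSON string -------------------------

def vulnerable_remember_payload(content: str) -> str:
    """Assumed shape of the string scripts/remember.sh builds."""
    return '{"content": "' + content + '"}'


def safe_remember_payload(content: str) -> str:
    return json.dumps({"content": content})


def parse_payload(payload: str):
    """What a consumer sees: a dict, or None when the JSON no longer parses."""
    try:
        return json.loads(payload)
    except json.JSONDecodeError:
        return None


# --- Finding 2: caller-controlled source path for the restore copy ----------

def validated_backup_dir(candidate: str, backup_root: str):
    """Return the resolved path if it lies strictly inside backup_root,
    else None.  Rejects '..' traversal, symlink escapes and option-looking
    values such as '-rf'.  Existence/isdir is left to the caller."""
    if candidate.startswith("-"):
        return None
    root = os.path.realpath(backup_root)
    path = os.path.realpath(os.path.join(root, candidate))
    if path == root or os.path.commonpath([root, path]) != root:
        return None
    return path


if __name__ == "__main__":
    payload = "'; print('INJECTED'); q='"          # constructed attacker query
    print(run_vulnerable_search(payload), end="")   # INJECTED, then {"query": ""}
    print(run_safe_search(payload))                 # the payload, as plain data

    inj = 'x", "role": "admin", "content": "y'      # constructed attacker content
    print(parse_payload(vulnerable_remember_payload(inj)))  # gains a 'role' key
    print(parse_payload(safe_remember_payload(inj)))        # content is the literal string

    for cand in ("2026-02-13", "../../etc", "/etc", "-rf"):
        print(cand, "->", validated_backup_dir(cand, "/var/backups/memory"))
```

Run directly, the vulnerable search prints an `INJECTED` line before its JSON while the hardened one returns the same payload as an ordinary string; the spliced JSON parses successfully but with an attacker-added `role` key, which is the quieter failure mode the HIGH finding warns about. The containment check models the remediation for the restore finding; it deliberately does not test that the directory exists, which the calling script should do before invoking `cp`.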
Full report: https://skillshield.io/report/7c6499841d60d4ab