Trust Assessment
surrealdb-knowledge-graph-memory received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 55 findings: 23 critical, 20 high, 11 medium, and 1 low severity. Key findings include Unsafe environment variable passthrough, Arbitrary command execution, Credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings55
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/web-ui.py:59 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/web-ui.py:265 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/web-ui.py:272 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/web-ui.py:279 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/web-ui.py:300 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/web-ui.py:321 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/web-ui.py:352 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/clawdbot-integration/gateway/memory.ts:238 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/install.sh:34 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/install.sh:40 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/web-ui.py:273 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/web-ui.py:280 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/extract-knowledge.py:244 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/extract-knowledge.py:289 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/extract-knowledge.py:946 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/knowledge-tool.py:36 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/knowledge-tools.py:70 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/knowledge-tools.py:393 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/mcp-server.py:73 | |
| CRITICAL | Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/memory-cli.py:115 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/install.sh:34 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/install.sh:40 | |
| CRITICAL | Unsafe Network Installer (curl | sh) The skill executes 'curl https://install.surrealdb.com | sh' to install SurrealDB. This practice is highly dangerous as it downloads and executes arbitrary code from the internet, posing a severe command injection and supply chain risk. A malicious actor could compromise the SurrealDB installation script, leading to arbitrary code execution on the host system with the privileges of the skill. Avoid 'curl | sh' for installation. Instead, recommend manual installation from official sources, use a package manager (like Homebrew as shown for macOS), or verify the script's content before execution. If automated installation is necessary, download the script, review it, and then execute it, or use a trusted, signed package. | LLM | scripts/install.sh:48 | |
| HIGH | Unsafe environment variable passthrough Access to well-known credential environment variables Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/extract-knowledge.py:244 | |
| HIGH | Unsafe environment variable passthrough Access to well-known credential environment variables Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/extract-knowledge.py:289 | |
| HIGH | Unsafe environment variable passthrough Access to well-known credential environment variables Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/extract-knowledge.py:946 | |
| HIGH | Unsafe environment variable passthrough Access to well-known credential environment variables Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/knowledge-tool.py:36 | |
| HIGH | Unsafe environment variable passthrough Access to well-known credential environment variables Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/knowledge-tools.py:70 | |
| HIGH | Unsafe environment variable passthrough Access to well-known credential environment variables Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/knowledge-tools.py:393 | |
| HIGH | Unsafe environment variable passthrough Access to well-known credential environment variables Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/mcp-server.py:73 | |
| HIGH | Unsafe environment variable passthrough Access to well-known credential environment variables Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/memory-cli.py:115 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'install_python_deps'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/web-ui.py:300 | |
| HIGH | Dangerous call: subprocess.Popen() Call to 'subprocess.Popen()' detected in function 'start_surrealdb'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/web-ui.py:321 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'init_schema'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/web-ui.py:352 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'check_surrealdb_installed'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/web-ui.py:59 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'install_surrealdb'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/web-ui.py:265 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'install_surrealdb'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/web-ui.py:272 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'install_surrealdb'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/web-ui.py:279 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/init-db.sh:33 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/install.sh:88 | |
| HIGH | Source Code Patching via sed -i The 'integrate-clawdbot.sh' script uses 'sed -i' to modify core Clawdbot source files. This is a command injection risk as 'sed' commands can be complex and potentially misused, and it grants excessive permissions by altering the host application's code. A vulnerability in the sed commands or an unexpected input could lead to unintended modifications or arbitrary code execution. This also represents an excessive permission as it modifies the host application's source code. Avoid direct modification of host application source files. Instead, provide clear instructions for manual integration, or use a plugin/extension system that allows for safe, sandboxed modifications. If patching is unavoidable, ensure the 'sed' commands are thoroughly reviewed and inputs are strictly controlled. | LLM | scripts/integrate-clawdbot.sh:70 | |
| HIGH | Hardcoded Default Credentials (root/root) Multiple scripts and configuration examples use hardcoded default credentials ('root' for username and 'root' for password) for SurrealDB. While the skill documentation warns about changing these, their presence as defaults in executable scripts and configuration files creates a significant security vulnerability. If these are not changed, any attacker gaining access to the system or network could easily compromise the SurrealDB instance. Remove hardcoded default credentials from all scripts and configuration files. Force users to provide credentials via environment variables, secure configuration files, or a secure prompt during setup. Implement robust credential management practices and ensure the database is bound to localhost only by default. | LLM | scripts/extract-knowledge.py:30 | |
| HIGH | Sensitive Data Sent to External LLM API The skill explicitly states and implements sending extracted knowledge from user's memory files (e.g., MEMORY.md, memory/*.md) to the OpenAI API for embeddings and LLM-powered extraction. This constitutes a data exfiltration risk, as potentially sensitive or private user data is transmitted to a third-party service. While this is a core function, users must be fully aware of this data sharing. Clearly inform users about the data being sent to external APIs and provide options to disable this functionality or use local/private LLM models if available. Implement strict data minimization, sending only necessary information. Ensure the OpenAI API key used has minimal permissions and is securely managed (e.g., environment variable, not hardcoded). | LLM | scripts/extract-knowledge.py:139 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/web-ui.py:6 | |
| MEDIUM | Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/maverick-software/surrealdb-knowledge-graph-memory/SKILL.md:1 | |
| MEDIUM | Suspicious import: socket Import of 'socket' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/web-ui.py:74 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/init-db.sh:43 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/install.sh:67 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/integrate-clawdbot.sh:26 | |
| MEDIUM | Unpinned Python dependency version Requirement 'surrealdb>=0.3.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/requirements.txt:1 | |
| MEDIUM | Unpinned Python dependency version Requirement 'openai>=1.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/requirements.txt:2 | |
| MEDIUM | Unpinned Python dependency version Requirement 'pyyaml>=6.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/maverick-software/surrealdb-knowledge-graph-memory/scripts/requirements.txt:3 | |
| MEDIUM | Loosely Pinned Python Dependencies The 'requirements.txt' file specifies Python dependencies using loose version pinning (e.g., 'surrealdb>=0.3.0'). This allows for automatic updates to newer versions, which could introduce breaking changes, vulnerabilities, or even malicious code if a package maintainer's account is compromised. While '>=X.Y.Z' is better than no pinning, exact pinning ('==X.Y.Z') is recommended for production environments to ensure reproducibility and security. Pin all Python dependencies to exact versions (e.g., 'surrealdb==0.3.0') in 'requirements.txt'. Regularly review and update these pins to incorporate security patches and new features, but do so intentionally after verification. | LLM | scripts/requirements.txt:1 | |
| MEDIUM | Broad Filesystem Access to User Home Directory Multiple Python scripts access and create files within the user's home directory, specifically in '~/.clawdbot/memory/' and '~/clawd'. While this is for legitimate data storage and workspace access, it represents broad filesystem permissions. If the skill is compromised, an attacker could potentially read, write, or delete arbitrary files within these directories, or potentially other parts of the user's home directory if paths are not strictly controlled. Limit filesystem access to the absolute minimum necessary. Use a dedicated, isolated data directory for the skill that is not directly within the user's general home directory. Implement strict validation for any file paths derived from user input or external sources. | LLM | scripts/extract-knowledge.py:19 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/maverick-software/surrealdb-knowledge-graph-memory/package.json |
Scan History
Embed Code
[](https://skillshield.io/report/5830fc9edfe848c9)
Powered by SkillShield