Trust Assessment
vanar-neutron-memory received a trust score of 30/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 5 critical, 0 high, 5 medium, and 0 low severity. Key findings include sensitive environment variable access (`$HOME`, `$USER`) and command injection via unescaped user input in a `curl -F` argument.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via unescaped user input in curl -F argument. The `hooks/post-tool-use.sh` script constructs a `curl` command where the `CONTENT` variable, derived from `OPENCLAW_USER_MESSAGE` and `OPENCLAW_AI_RESPONSE`, is directly embedded into a `-F "text=[\"${CONTENT}\"]"` argument. If `OPENCLAW_USER_MESSAGE` or `OPENCLAW_AI_RESPONSE` contains unescaped double quotes followed by shell metacharacters (e.g., `"; rm -rf /; echo "`), an attacker could inject arbitrary shell commands, leading to remote code execution. Properly escape all user-controlled input before embedding it into shell commands. For `curl -F`, consider writing the content to a temporary file and using `@filename` to pass it, or implement robust shell escaping for the content string. Alternatively, use a programming language with safe HTTP client libraries. | LLM | hooks/post-tool-use.sh:30 |
| CRITICAL | Command Injection via unescaped user input in curl -d JSON payload. The `hooks/pre-tool-use.sh` script constructs a `curl` command where the `USER_MESSAGE` variable, derived from `OPENCLAW_USER_MESSAGE`, is directly embedded into a JSON string within the `-d` argument: `"query":"${USER_MESSAGE}"`. If `OPENCLAW_USER_MESSAGE` contains unescaped double quotes or JSON metacharacters (e.g., `", "malicious_key":"injected_value"}` or `"; rm -rf /; echo "`), an attacker could manipulate the JSON payload or inject arbitrary shell commands, leading to remote code execution. Properly escape all user-controlled input before embedding it into JSON strings. Bash does not have a built-in JSON escaping function. Consider using `jq` to construct the JSON payload safely, or switch to a programming language with robust JSON serialization libraries. If sticking to bash, implement a custom JSON escaping function for the user input. | LLM | hooks/pre-tool-use.sh:32 |
| CRITICAL | Command Injection via unescaped user input in `scripts/neutron-memory.sh`. The `scripts/neutron-memory.sh` script is vulnerable to command injection in multiple commands (`save`, `search`, `context-create`) due to direct interpolation of user-provided arguments into `curl` commands without proper escaping. This allows an attacker to inject arbitrary shell commands or manipulate API requests. Implement robust input validation and escaping for all user-provided arguments (`text`, `title`, `query`, `agent_id`, `memory_type`, `data`, `metadata`) before they are used in `curl` commands. For `-F` arguments, consider using temporary files. For JSON payloads (`-d`), ensure all string values are properly JSON-escaped. Using a programming language with safe HTTP client libraries is highly recommended over manual shell scripting for such operations. | LLM | scripts/neutron-memory.sh:79 |
| CRITICAL | Command Injection via unescaped user input in `scripts/neutron-memory.sh`. The `scripts/neutron-memory.sh` script is vulnerable to command injection in multiple commands (`save`, `search`, `context-create`) due to direct interpolation of user-provided arguments into `curl` commands without proper escaping. This allows an attacker to inject arbitrary shell commands or manipulate API requests. Implement robust input validation and escaping for all user-provided arguments (`text`, `title`, `query`, `agent_id`, `memory_type`, `data`, `metadata`) before they are used in `curl` commands. For `-F` arguments, consider using temporary files. For JSON payloads (`-d`), ensure all string values are properly JSON-escaped. Using a programming language with safe HTTP client libraries is highly recommended over manual shell scripting for such operations. | LLM | scripts/neutron-memory.sh:91 |
| CRITICAL | Command Injection via unescaped user input in `scripts/neutron-memory.sh`. The `scripts/neutron-memory.sh` script is vulnerable to command injection in multiple commands (`save`, `search`, `context-create`) due to direct interpolation of user-provided arguments into `curl` commands without proper escaping. Specifically, `agent_id`, `memory_type`, `data`, and `metadata` are directly embedded into a JSON payload. If these inputs contain unescaped double quotes or shell metacharacters, an attacker could manipulate the JSON structure or inject arbitrary shell commands. Implement robust input validation and escaping for all user-provided arguments (`text`, `title`, `query`, `agent_id`, `memory_type`, `data`, `metadata`) before they are used in `curl` commands. For `-F` arguments, consider using temporary files. For JSON payloads (`-d`), ensure all string values are properly JSON-escaped. Using a programming language with safe HTTP client libraries is highly recommended over manual shell scripting for such operations. | LLM | scripts/neutron-memory.sh:107 |
| MEDIUM | Sensitive environment variable access: `$HOME`. Access to sensitive environment variable `$HOME` detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/naeemmaliki036/vanar-neutron-memory/hooks/post-tool-use.sh:9 |
| MEDIUM | Sensitive environment variable access: `$USER`. Access to sensitive environment variable `$USER` detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/naeemmaliki036/vanar-neutron-memory/hooks/post-tool-use.sh:26 |
| MEDIUM | Sensitive environment variable access: `$HOME`. Access to sensitive environment variable `$HOME` detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/naeemmaliki036/vanar-neutron-memory/hooks/pre-tool-use.sh:12 |
| MEDIUM | Sensitive environment variable access: `$USER`. Access to sensitive environment variable `$USER` detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/naeemmaliki036/vanar-neutron-memory/hooks/pre-tool-use.sh:33 |
| MEDIUM | Sensitive environment variable access: `$HOME`. Access to sensitive environment variable `$HOME` detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/naeemmaliki036/vanar-neutron-memory/scripts/neutron-memory.sh:5 |
Full report: https://skillshield.io/report/2aad258a771f0262