Trust Assessment
vector-memory received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 15 findings: 10 critical, 1 high, 2 medium, and 2 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Remote code execution: curl/wget pipe to shell.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings15
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/bluepointdigital/vector-memory/vector-memory/memory.js:23 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/bluepointdigital/vector-memory/vector-memory/memory.js:82 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/bluepointdigital/vector-memory/vector-memory/memory.js:101 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/bluepointdigital/vector-memory/vector-memory/smart_memory.js:97 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/bluepointdigital/vector-memory/vector-memory/smart_memory.js:178 | |
| CRITICAL | Arbitrary command execution Remote code download piped to interpreter Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/bluepointdigital/vector-memory/install.sh:3 | |
| CRITICAL | Remote code execution: curl/wget pipe to shell Detected a pattern that downloads and immediately executes remote code. This is a primary malware delivery vector. Never pipe curl/wget output directly to a shell interpreter. | Static | skills/bluepointdigital/vector-memory/install.sh:3 | |
| CRITICAL | Arbitrary File Read via memoryGet The `memoryGet` function in both `smart_memory.js` and `memory.js` constructs a file path using `path.join(WORKSPACE, filePath)`. If the `filePath` parameter, which is user-controlled, is an absolute path (e.g., `/etc/passwd`) or contains directory traversal sequences (e.g., `../../`), `path.join` will resolve to a path outside the intended `WORKSPACE` directory. This allows an attacker to read arbitrary files on the system, leading to data exfiltration. Before constructing the `fullPath`, validate the `filePath` parameter. Ensure it is a relative path and does not contain directory traversal sequences (`..`). A robust solution would be to resolve the path and then verify that the resolved path remains within the `WORKSPACE` directory. For example: ```javascript const resolvedPath = path.resolve(WORKSPACE, filePath); if (!resolvedPath.startsWith(WORKSPACE + path.sep) && resolvedPath !== WORKSPACE) { throw new Error('Access denied: Invalid file path.'); } const fullPath = resolvedPath; ``` | LLM | vector-memory/smart_memory.js:150 | |
| CRITICAL | Arbitrary File Read via memoryGet The `memoryGet` function in both `smart_memory.js` and `memory.js` constructs a file path using `path.join(WORKSPACE, filePath)`. If the `filePath` parameter, which is user-controlled, is an absolute path (e.g., `/etc/passwd`) or contains directory traversal sequences (e.g., `../../`), `path.join` will resolve to a path outside the intended `WORKSPACE` directory. This allows an attacker to read arbitrary files on the system, leading to data exfiltration. Before constructing the `fullPath`, validate the `filePath` parameter. Ensure it is a relative path and does not contain directory traversal sequences (`..`). A robust solution would be to resolve the path and then verify that the resolved path remains within the `WORKSPACE` directory. For example: ```javascript const resolvedPath = path.resolve(WORKSPACE, filePath); if (!resolvedPath.startsWith(WORKSPACE + path.sep) && resolvedPath !== WORKSPACE) { throw new Error('Access denied: Invalid file path.'); } const fullPath = resolvedPath; ``` | LLM | vector-memory/memory.js:50 | |
| CRITICAL | Untrusted Repository URL in install.sh The `install.sh` script contains a placeholder `REPO_URL="https://github.com/YOUR_USERNAME/vector-memory-openclaw"`. If this script is used for installation as-is, it will attempt to clone code from an undefined and potentially malicious GitHub repository. This poses a severe supply chain risk, as the source of the installed code is not guaranteed. Replace `YOUR_USERNAME` with the actual, trusted GitHub username for the repository. If this script is intended for distribution via ClawHub, it should be removed or modified to reflect the actual distribution mechanism, as ClawHub typically handles fetching trusted skill packages directly. | LLM | install.sh:38 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/bluepointdigital/vector-memory/vector-memory/memory.js:6 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/bluepointdigital/vector-memory/install.sh:11 | |
| MEDIUM | Unpinned npm dependency version Dependency '@xenova/transformers' is not pinned to an exact version ('^2.17.2'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/bluepointdigital/vector-memory/vector-memory/package.json | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/bluepointdigital/vector-memory/vector-memory/package.json | |
| LOW | Caret Dependency in package.json The `package.json` specifies `@xenova/transformers` with a caret (`^`) version range (`^2.17.2`). While common, this allows minor and patch updates, which could potentially introduce breaking changes or, in rare cases, vulnerabilities if a malicious minor version is published. Pinning exact versions or using a lock file provides stronger supply chain integrity. Consider pinning the exact version of `@xenova/transformers` (e.g., `"2.17.2"`) to ensure deterministic builds and prevent unexpected changes from minor version updates. Ensure `package-lock.json` is committed and used for dependency resolution. | LLM | vector-memory/package.json:6 |
Scan History
Embed Code
[](https://skillshield.io/report/ae9ffc888d169991)
Powered by SkillShield