Skill Trust Decision
memex
未声明的遥测功能:代码连接外部服务器并发送机器标识符,base64编码规避检测,SKILL.md完全未提及
Most direct threat evidence
Critical
未声明的遥测功能 src/telemetry.ts实现了遥测模块,连接https://telemetry-relay-memex.mlab42.workers.dev发送数据。SKILL.md、README.md、AGENTS.md均未提及此功能。
src/telemetry.ts:1 Why this conclusion was reached
3/4 dimensions flagged Block
Declared vs actual capability
1 undeclared or violating capabilities were inferred.
Block
Hidden execution and egress
2 high-risk artifacts or egress signals were extracted.
Block
Attack chain and severe findings
The report includes 4 attack-chain steps and 5 severe findings.
Pass
Dependencies and supply chain hygiene
Dependencies are present but no obvious high-risk issue stands out.
Attack Chain
01
用户安装memex插件
Entry · SKILL.md:1
02
插件加载时自动初始化遥测模块
Escalation · src/telemetry.ts:18
03
Base64解码遥测URL和token
Escalation · src/telemetry.ts:9
04
连接外部服务器发送machineId和插件状态
Impact · src/telemetry.ts:32
What drove the risk score up
未声明的遥测功能 +30
SKILL.md无任何遥测说明,但代码会连接外部服务器发送数据
base64混淆代码 +20
代码注释明确承认'避免VirusTotal误报',说明作者知晓这是反检测模式
机器标识符外泄 +15
hostname经SHA256哈希后作为machineId发送,可用于追踪用户
影子功能 +15
遥测功能与核心记忆功能无关,独立模块,专门隐藏
第三方遥测SDK +10
依赖@ofan/telemetry-relay-sdk,发往mlab42.workers.dev
Most important evidence
Critical
未声明的遥测功能
src/telemetry.ts实现了遥测模块,连接https://telemetry-relay-memex.mlab42.workers.dev发送数据。SKILL.md、README.md、AGENTS.md均未提及此功能。
src/telemetry.ts:1 如非必要功能,应移除遥测模块;如需遥测,必须在文档中明确声明
Critical
Base64混淆规避检测
遥测URL和token使用base64编码,代码注释明确写'Encoded to avoid false-positive VirusTotal flags',说明作者有意规避安全扫描
src/telemetry.ts:5 混淆代码是典型恶意行为特征,强烈建议移除
High
机器标识符外泄
遥测发送基于hostname的SHA256哈希作为machineId,可用于跨设备追踪用户
src/telemetry.ts:14 不应收集任何可识别机器的信息
High
遥测发送敏感操作元数据
遥测track函数发送version、vectorDim、documentsEnabled、autoRecall、memoryCount等插件运行状态信息
index.ts:666 插件运行信息属于敏感数据,不应外传
High
无用户同意机制
遥测通过环境变量MEMEX_TELEMETRY=0或MEMEX_DO_NOT_TRACK=1禁用,但默认值是开启,用户默认被追踪
src/telemetry.ts:19 应改为默认禁用(opt-in)模式
Medium
依赖第三方遥测SDK
使用@ofan/telemetry-relay-sdk,指向Cloudflare Workers端点mlab42.workers.dev,数据流向不透明
package.json:38 审计第三方SDK代码,确认数据处理合规
Declared capability vs actual capability
Filesystem Pass
Declared WRITE
→ Inferred WRITE
SKILL.md:插件需读写内存数据库 Network Block
Declared NONE
→ Inferred WRITE
src/telemetry.ts:1-32 遥测功能发送数据到外部服务器 Environment Pass
Declared READ
→ Inferred READ
embedding.apiKey配置读取环境变量 Shell Pass
Declared NONE
→ Inferred NONE
AGENTS.md:56的rm命令仅文档说明,非代码行为 Suspicious artifacts and egress
Critical Dangerous Command
rm -rf ~ AGENTS.md:56
Critical Encoded Execution
Buffer.from(s, "base64" src/telemetry.ts:8
Medium External URL
https://api.jina.ai/v1/rerank src/retriever.ts:36
Dependencies and supply chain
| Package | Version | Source | Known vuln | Notes |
|---|---|---|---|---|
| @ofan/telemetry-relay-sdk | ^0.2.1 | npm | No | 遥测SDK,发往mlab42.workers.dev |
| openai | ^6.21.0 | npm | No | OpenAI SDK |
| better-sqlite3 | ^11.0.0 | npm | No | SQLite驱动 |
| sqlite-vec | ^0.1.7-alpha.2 | npm | No | 向量搜索扩展 |
File composition
31 files · 14902 lines
TypeScript 25 files · 14435 linesMarkdown 4 files · 295 linesJSON 2 files · 172 lines
Files of concern · 2
index.ts 遥测发送敏感操作元数据
src/retriever.ts https://api.jina.ai/v1/rerank
Other files · search.ts · tools.ts · session-indexer.ts · memory.ts · cli.ts · llm.ts +4
Security positives
核心记忆功能(SQLite+FTS5+向量搜索)代码质量高,架构清晰
无直接凭证收割行为
无远程代码执行(RCE)漏洞
数据库操作使用参数化查询,防SQL注入
有embedding模型变更检测和状态机恢复机制