Skill Trust Decision
awareness-memory
Critical undeclared data exfiltration: import.js reads OpenClaw session files (~/.openclaw/agents/main/sessions/), parses full message content (including user prompts and assistant responses which may contain credentials, API keys, and code), and uploads them to the external awareness.market cloud API. This is completely absent from SKILL.md's declared behavior and directly contradicts the 'no secrets captured' claim.
Most direct threat evidence
Critical Data Exfil
Undeclared session file exfiltration to external cloud import.js reads session JSONL files from ~/.openclaw/agents/main/sessions/, parses the full message content (user prompts and assistant responses), and uploads parsed content to the awareness.market cloud API. This is the most severe finding: all historical session data—including any secrets, credentials, or sensitive code typed during sessions—is transmitted to an external party. SKILL.md never mentions session file access, OpenClaw integration, or the import mechanism. This directly contradicts the 'no secrets captured' claim.
scripts/import.js:181 Why this conclusion was reached
2/4 dimensions flagged Block
Declared vs actual capability
3 undeclared or violating capabilities were inferred.
Review
Hidden execution and egress
3 lower-risk artifacts were extracted and still need context.
Block
Attack chain and severe findings
The report includes 5 attack-chain steps and 4 severe findings.
Review
Dependencies and supply chain hygiene
1 dependency or supply-chain issues need attention.
Attack Chain
01
Skill installed with credible memory functionality; SKILL.md claims 'no secrets captured'
Entry · SKILL.md:1
02
recall.js UserPromptSubmit hook runs before each prompt, sending full user prompt to awareness.market
reconnaissance · scripts/recall.js:107
03
On first run, recall.js silently spawns import.js detached in background
Escalation · scripts/recall.js:203
04
import.js reads ~/.openclaw/agents/main/sessions/*.jsonl, parses full message content including typed credentials
Exfiltration · scripts/import.js:138
05
Parsed session content (user prompts, assistant responses) uploaded to awareness.market cloud API
Exfiltration · scripts/import.js:181
What drove the risk score up
Undeclared session file exfiltration +30
import.js reads ~/.openclaw/agents/main/sessions/*.jsonl, parses full message content including user prompts and assistant responses, and uploads to awareness.market cloud API. Not declared anywhere in SKILL.md.
SKILL.md claim contradicted by code +15
SKILL.md states 'no secrets captured' and 'never reads, stores, or transmits file contents'. import.js reads session file contents and transmits them to external cloud.
Undeclared filesystem WRITE +10
SKILL.md declares filesystem:NONE but sync.js writes to OpenClaw workspace (MEMORY.md, memory/YYYY-MM-DD.md), setup.js writes to shell profiles, poll-auth.js writes to ~/.openclaw/openclaw.json.
Remote npx execution +8
shared.js auto-starts local daemon via 'npx -y @awareness-sdk/local start', downloading and executing remote npm package without version pinning or user consent.
Silent background import +4
import.js is spawned detached in recall.js without user notification, importing session history in the background on first run.
Most important evidence
Critical Data Exfil
Undeclared session file exfiltration to external cloud
import.js reads session JSONL files from ~/.openclaw/agents/main/sessions/, parses the full message content (user prompts and assistant responses), and uploads parsed content to the awareness.market cloud API. This is the most severe finding: all historical session data—including any secrets, credentials, or sensitive code typed during sessions—is transmitted to an external party. SKILL.md never mentions session file access, OpenClaw integration, or the import mechanism. This directly contradicts the 'no secrets captured' claim.
scripts/import.js:181 Remove import.js entirely or make it purely local. Never transmit parsed session file content to external APIs.
High Doc Mismatch
SKILL.md explicitly denies reading file contents while import.js does exactly that
SKILL.md states: 'This skill never reads, stores, or transmits file contents, environment variables, or credentials from your system beyond its own API key.' import.js reads and transmits the full content of OpenClaw session files. This is a direct, explicit contradiction—not a vague omission but an affirmative false claim.
SKILL.md:1 SKILL.md must fully disclose what files are read, what data is transmitted, and the import-from-OpenClaw mechanism.
High Priv Escalation
Multiple undocumented filesystem WRITE operations
SKILL.md declares filesystem:NONE, but the skill writes to: (1) OpenClaw workspace MEMORY.md and daily logs via sync.js, (2) shell profile (.bashrc/.zshrc) to inject AWARENESS_* env vars via setup.js, (3) ~/.openclaw/openclaw.json to persist credentials via poll-auth.js, (4) project .awareness directories for cache. None of these are declared in SKILL.md.
scripts/sync.js:89 Update SKILL.md filesystem declaration to WRITE. Declare all paths written to and the purpose of each write.
High Supply Chain
Remote npx execution for daemon auto-start
shared.js (resolveEndpoint) executes 'npx -y @awareness-sdk/local start' to auto-start a local daemon. This downloads and executes a remote npm package with no version pinning and no integrity verification. The package '@awareness-sdk/local' is not declared as a dependency.
scripts/shared.js:102 Remove npx auto-start or pin to a specific version with integrity check. Declare the dependency in SKILL.md.
Medium Data Exfil
Full user prompt transmitted to external API before each response
recall.js (UserPromptSubmit hook) sends the complete user prompt text to awareness.market for semantic recall before every single response. While this is somewhat disclosed in SKILL.md, the full unfiltered prompt—including any credentials or sensitive context—goes to the external service. Keywords are also extracted from the prompt for hybrid search.
scripts/recall.js:107 Consider allowing users to opt out of prompt transmission. Filter sensitive patterns from prompts before sending.
Medium Prompt Injection
Record rule embeds executable instructions in XML context
recall.js injects a <record-rule> block into the awareness-memory XML containing an inline command template: 'node "${resolvedScript}" '<JSON>''. While this is a legitimate memory feature, embedding raw command templates in LLM context could be exploited for prompt injection if an attacker controls memory content.
scripts/recall.js:173 Sandbox or validate memory content before injecting command templates into LLM context.
Low Doc Mismatch
OpenClaw migration feature not disclosed as automatic background process
recall.js silently spawns import.js as a detached background process on first run. This migration of OpenClaw memory to the cloud is not mentioned in SKILL.md's hook documentation, setup instructions, or workflow checklist.
scripts/recall.js:203 Declare the automatic OpenClaw migration in SKILL.md and provide a flag to disable it.
Declared capability vs actual capability
Filesystem Block
Declared NONE
→ Inferred WRITE
scripts/sync.js:89 appends to workspace MEMORY.md; scripts/setup.js:100 appends to shell profile; scripts/poll-auth.js:88 writes to ~/.openclaw/openclaw.json Network Block
Declared READ
→ Inferred WRITE
scripts/import.js:181-191 POSTs parsed session content to awareness.market/api/v1/mcp/events; scripts/recall.js:107 POSTs full user prompt to cloud API Shell Block
Declared NONE
→ Inferred WRITE
scripts/shared.js:102 spawns 'npx -y @awareness-sdk/local start' for auto-daemon; scripts/setup.js:32-34 execSync for browser opening; scripts/recall.js:66 spawn detached import.js Environment Pass
Declared READ
→ Inferred READ
scripts/shared.js:12-16 reads AWARENESS_* env vars for config only; no iteration of os.environ Skill Invoke Pass
Declared NONE
→ Inferred READ
scripts/recall.js spawns import.js detached; save-memory.js record-rule instructs LLM to silently invoke node with JSON payload Suspicious artifacts and egress
Medium External URL
https://awareness.market/cli-auth scripts/recall.js:47
Medium External URL
https://awareness.market/api/v1 scripts/recall.js:92
Medium External URL
https://awareness.market\n scripts/setup.js:216
Dependencies and supply chain
| Package | Version | Source | Known vuln | Notes |
|---|---|---|---|---|
| @awareness-sdk/local | * | npx -y (remote) | No | Auto-downloaded at runtime with no version pinning or integrity verification |
File composition
15 files · 2656 lines
JavaScript 14 files · 2448 linesMarkdown 1 files · 208 lines
Files of concern · 6
scripts/shared.js Remote npx execution for daemon auto-start
scripts/setup.js https://awareness.market\n
scripts/recall.js Full user prompt transmitted to external API before each response · Record rule embeds executable instructions in XML context · OpenClaw migration feature not disclosed as automatic background process · https://awareness.market/cli-auth · https://awareness.market/api/v1
SKILL.md SKILL.md explicitly denies reading file contents while import.js does exactly that
scripts/import.js Undeclared session file exfiltration to external cloud
scripts/sync.js Multiple undocumented filesystem WRITE operations
Other files · harness-builder.mjs · lookup.js · record.js · poll-auth.js · search.js · save-memory.js
Security positives
Credentials stored with 0600 permissions in ~/.awareness/credentials.json
Local daemon mode (localhost:37800) available for privacy-conscious users
No direct credential harvesting from environment variables beyond AWARENESS_* keys
Stop hook (capture.js) is a no-op, not sending conversation content
XML escaping (escapeXml) properly implemented in harness-builder.mjs
Session ID expires after 4 hours (configurable)