Suspicious. Risk score: 55/100
Last scan: 1 day ago
Memory Workflow
Three-tier storage memory workflow with file/FTS5/KG/Milvus search
Memory workflow skill has undeclared network exfiltration behavior: user memory content is sent to an external Ollama LLM service (scripts/store.py:extract_triples_via_llm) without disclosure in SKILL.md, combined with hardcoded Docker bridge IPs as service endpoints.
Skill name: Memory Workflow
Analysis time: 67.3 s
Engine: pi
Verdict: Use with caution
Either (1) document the Ollama LLM call and data transmission in SKILL.md, or (2) remove the external LLM dependency and rely solely on rule-based extraction. Consider making service endpoints configurable via environment variables with explicit user consent.

Attack chain (4 steps)

1. Entry: User stores memory content via the MemoryStore tool (scripts/store.py:110)
2. Escalation: store_memory() calls extract_triples_via_llm() with the user content (scripts/store.py:130)
3. Impact: Content is POSTed to OLLAMA_URL (default: host.docker.internal:11434) for LLM processing, i.e. it leaves the skill sandbox (scripts/store.py:94)
4. Impact: get_embedding() sends the same content to EMBEDDING_URL (default: 172.17.0.1:18779) (scripts/store.py:170)

Security findings (6 items)

Severity: High
Finding: Undeclared LLM data transmission (data exfiltration)
Location: scripts/store.py:94
extract_triples_via_llm() in store.py sends user memory content to an external Ollama LLM endpoint (OLLAMA_URL, defaulting to host.docker.internal:11434) for entity/relation extraction. This external network call is not declared anywhere in SKILL.md, which only mentions 'Ollama (可选)' (Ollama, optional) as a KG dependency without explaining that user content is transmitted.
Evidence:
req = Request(OLLAMA_URL + "/api/chat", data=data, headers={"Content-Type": "application/json"})
→ Add explicit documentation in SKILL.md stating that user memory content may be sent to a user-configured Ollama endpoint for knowledge graph extraction. Alternatively, remove this feature and rely on rule-based extraction only.

Severity: High
Finding: SKILL.md hides external service dependencies (documentation deception)
Location: SKILL.md:1
SKILL.md claims a '三层存储架构' (three-tier storage architecture) with file + FTS5 + KG + Milvus, but omits that KG extraction and embedding both require external HTTP calls. The embedding call to bge-m3 at 172.17.0.1:18779 sends all stored content over the network.
Evidence:
## 三层存储架构
| 层级 | 存储位置 | 依赖 | 说明 |
|------|----------|------|------|
| **KG** | ... | Ollama(可选) | 三元组知识图谱,规则降级 |
→ Document that Ollama and the embedding service are external dependencies that receive user data over HTTP.

Severity: High
Finding: Hardcoded Docker bridge IP addresses as default service endpoints (sensitive access)
Location: scripts/config.py:12
config.py hardcodes 172.17.0.1 (the default Docker bridge gateway) as the default endpoint for the rerank (18778) and embedding (18779) services. This is a suspicious default target because it enables exfiltration to the Docker host if those ports are open, without requiring any explicit user configuration.
Evidence:
RERANK_SERVICE_URL = os.environ.get("RERANK_SERVICE_URL", "http://172.17.0.1:18778")
→ Remove the hardcoded IPs as defaults. Default to localhost or to a clear "service unavailable" error, requiring explicit configuration for network services.

Severity: Medium
Finding: Embedding API call sends all content to an external service (data exfiltration)
Location: scripts/store.py:170
get_embedding() in store.py POSTs all user memory content to EMBEDDING_URL (defaulting to http://172.17.0.1:18779/v1/embeddings) for vectorization before Milvus storage. This network call is not declared in the tool descriptions.
Evidence:
req = Request(EMBEDDING_URL, data=data, headers={"Content-Type": "application/json"})
→ Document the embedding API call in SKILL.md, or remove the embedding feature and rely on FTS5 only.

Severity: Medium
Finding: Undeclared shell execution via subprocess (privilege escalation)
Location: scripts/tools.py:48
BaseMemoryTool._run_op() uses subprocess.run() to execute memory_ops.py with arbitrary command arguments. This shell execution pattern is not declared in SKILL.md; only the tool names and descriptions are listed. Additionally, save_session.py independently uses subprocess without being exposed as a declared tool.
Evidence:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30, ...)
→ Document that the tools use subprocess internally, or refactor to import the modules directly without shell invocation.

Severity: Low
Finding: SKILL.md installation modifies AGENTS.md with shell commands (documentation deception)
Location: SKILL.md:12
SKILL.md instructs users to add bash command blocks to ~/.openclaw/workspace/AGENTS.md that pipe heredocs into python3 scripts. This is an unusual installation pattern that injects shell execution instructions into the agent configuration.
Evidence:
Exec: python3 $HOME/.openclaw/workspace/skills/memory-workflow/memory_ops.py search --query ...
→ Use a standard registration mechanism (e.g., a Python setup function) instead of modifying AGENTS.md with shell command strings.
Permission analysis

| Resource type | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| File system | WRITE | WRITE | ✓ consistent | scripts/store.py: writes to ~/.openclaw/workspace/memory-workflow-data/ |
| Network access | NONE | WRITE | ✗ exceeds declaration | scripts/store.py:94: sends content to OLLAMA_URL via urllib; scripts/store.py:1… |
| Command execution | NONE | WRITE | ✗ exceeds declaration | scripts/tools.py:48: subprocess.run executes memory_ops.py; scripts/save_sessio… |
| Environment variables | READ | READ | ✓ consistent | scripts/config.py:14-17, store.py:32-34: reads OLLAMA_URL, MILVUS_HOST, etc. |
| Skill invocation | WRITE | WRITE | ✓ consistent | SKILL.md declares 6 tool interfaces |
Indicators: 4 findings (1 high)

- High, hardcoded IP address: 172.17.0.1 (scripts/config.py:12)
- Medium, external URL: http://172.17.0.1:18778 (scripts/config.py:12)
- Medium, external URL: http://172.17.0.1:18779/v1/embeddings (scripts/store.py:33)
- Medium, external URL: http://host.docker.internal:11434 (scripts/store.py:37)

Directory structure

9 files · 50.3 KB · 1648 lines
Python: 7 files · 1492 lines; Markdown: 2 files · 156 lines

├─ scripts/
│  ├─ config.py        Python · 24 lines · 696 B
│  ├─ fts5.py          Python · 228 lines · 6.6 KB
│  ├─ save_session.py  Python · 57 lines · 1.6 KB
│  ├─ search.py        Python · 186 lines · 5.4 KB
│  ├─ store.py         Python · 370 lines · 11.9 KB
│  └─ tools.py         Python · 250 lines · 7.7 KB
├─ memory_ops.py       Python · 377 lines · 11.4 KB
├─ README.md           Markdown · 38 lines · 958 B
└─ SKILL.md            Markdown · 118 lines · 4.2 KB

Dependency analysis (3 items)

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| pymilvus | unpinned | pip | | Used for Milvus vector storage, imported conditionally |
| jieba | unpinned | pip | | Chinese segmentation, imported conditionally |
| urllib.request | stdlib | Python | | Used for HTTP calls to Ollama and the embedding API |

Security highlights

✓ No credential theft indicators — skill does not access ~/.ssh, ~/.aws, or .env files
✓ No obfuscation detected — no base64-encoded strings or anti-analysis patterns
✓ No reverse shell or C2 infrastructure — no suspicious outbound connections beyond documented API calls
✓ File operations are scoped to a dedicated memory data directory (~/.openclaw/workspace/memory-workflow-data/)
✓ Version pinning available for external dependencies (pymilvus in requirements would show versions)
✓ FTS5 and file storage work without external dependencies, matching documentation