High Risk — Risk Score 65/100
Last scan: 23 hr ago
openclaw-memory-auto
Automatic memory archiving and refinement plugin for OpenClaw AI agent
Skill contains hardcoded absolute Windows paths exposing user identity, undeclared PowerShell script execution, and credential-related keyword harvesting with plausible yet suspicious design patterns.
Skill Name: openclaw-memory-auto
Duration: 59.0s
Engine: pi
Do not install this skill
Do not deploy. Hardcoded user paths and undeclared shell execution present significant privacy and security risks. Request full source audit and remove hardcoded paths before any further evaluation.

Attack Chain 6 steps

1. Entry: Skill distributed as legitimate OpenClaw memory plugin via SKILL.md marketing (SKILL.md:1)
2. Escalation: Hardcoded Windows username path reveals user identity for targeting (index.js:62)
3. Escalation: Spawns powershell.exe with ExecutionPolicy Bypass to run non-existent scripts (index.js:67)
4. Escalation: Extracts messages containing credential-adjacent keywords (password, token, key, secret, api, 密钥, 密码) from chat transcripts (src/archiver.ts:118)
5. Impact: Stores credential-adjacent transcript snippets in plaintext memory/YYYY-MM-DD.md files (src/archiver.ts:108)
6. Escalation: Refinement feature (callAI stub) could be implemented to POST extracted credentials to external AI endpoint (src/refiner.ts:25)

Findings 7 items

Severity Finding Location
High: Hardcoded Windows username path leaks user identity [Priv Escalation]
index.js line 62 contains a hardcoded absolute path 'C:\Users\42517\.openclaw\agents\main\sessions' and test.js contains 'C:\Users\42517\.openclaw\workspace'. These expose the Windows username '42517' and indicate the developer built and tested the tool on a real user's machine, with that user's directory structure baked into the code. This pattern is consistent with credential-harvesting malware that probes known user paths.
const transcriptDir = 'C:\\Users\\42517\\.openclaw\\agents\\main\\sessions';
→ Remove all hardcoded absolute paths. Use workspace-relative or env-var-based paths only.
index.js:62
High: Undeclared PowerShell execution with bypassed execution policy [Doc Mismatch]
index.js spawns powershell.exe with arguments '-NoProfile', '-ExecutionPolicy', 'Bypass', and '-File' to run archive.ps1 and refine.ps1. Neither script exists in the repository. The -ExecutionPolicy Bypass flag explicitly bypasses PowerShell security policies. SKILL.md makes no mention of PowerShell scripts, external script execution, or Windows-specific behavior, instead describing the tool as 'Pure TypeScript'. This is a significant doc-to-code mismatch.
const ps = spawn('powershell.exe', psArgs, { stdio: 'inherit' });
→ Either declare and include the PowerShell scripts, or remove the spawn entirely and perform all logic in Node.js/TypeScript.
index.js:67
High: Sensitive credential keywords used to extract transcript highlights [Credential Theft]
src/defaults.ts contains a DEFAULT_KEYWORDS array including 'password', 'token', 'key', 'secret', 'api', '密钥', '密码', '账号'. These keywords are used by the archiver to extract 'highlights' from chat transcripts (src/archiver.ts:extractHighlights). The archiver reads all transcript files, filters for messages matching these keywords, and writes snippets to memory/YYYY-MM-DD.md. This means credentials, API keys, and secrets discussed in chat are extracted and stored in plaintext files without explicit user consent in SKILL.md.
'password', 'api', 'token', 'key', 'secret'
→ Either remove sensitive credential keywords from defaults, or explicitly document and request consent for credential extraction in SKILL.md with a clear opt-in mechanism.
src/defaults.ts:21
Medium: SKILL.md claims zero config needed but hardcoded paths require config [Doc Mismatch]
SKILL.md advertises 'Zero Configuration: Works out of the box with smart defaults' and 'Pure TypeScript, runs on Windows/Mac/Linux'. However, the actual code contains hardcoded Windows paths that will fail on any non-matching Windows machine or any non-Windows OS. The cross-platform claim is misleading.
Cross-Platform: Pure TypeScript, runs on Windows/Mac/Linux
→ Update SKILL.md to accurately reflect platform requirements and remove cross-platform claims unless the hardcoded paths are replaced with dynamic detection.
SKILL.md:1
Medium: Dynamic fast-glob import with no actual usage [Sensitive Access]
src/archiver.ts imports fast-glob but never calls it. Instead, it falls back to a hardcoded path join(workspace, 'agents', 'main', 'sessions'). The unused dynamic import pattern is sometimes used to evade static analysis tools. The fallback path still ignores the workspace parameter for agents other than 'main'.
import('fast-glob').then(fg => { // ... });
→ Either implement proper glob usage or remove the import. Use workspace parameter consistently across all transcript paths.
src/archiver.ts:94
Low: No version pinning for dependencies [Supply Chain]
package.json specifies dependencies without version pins: openclaw: '^0.5.0', @types/node: '^20', typescript: '^5'. This allows dependency updates that could introduce malicious code without the skill author's knowledge.
"openclaw": "^0.5.0"
→ Pin all dependencies to exact versions (e.g., openclaw@0.5.0 without caret).
package.json:24
Low: External URL reference in keywords.json [Doc Mismatch]
keywords.json line 2 references 'https://json.schemastore.org/default' for its JSON schema. While this is a legitimate schema store, fetching remote schemas during skill load could be leveraged for data exfiltration or tracking.
"$schema": "https://json.schemastore.org/default"
→ Remove external schema reference or document the network access in SKILL.md.
keywords.json:2
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | WRITE | ✗ Violation | src/archiver.ts:108 — fs.writeFile for daily logs + marker files; standalone-arc…
Network | NONE | NONE | | refine.js / src/refiner.ts — callAI() stub exists with TODO comment, not yet imp…
Shell | NONE | WRITE | ✗ Violation | index.js:67-71 — spawn('powershell.exe', psArgs) with -ExecutionPolicy Bypass
Environment | NONE | READ | ✓ Aligned | Multiple files read process.env.OPENCLAW_WORKSPACE
2 findings
Medium: External URL https://clawhub.ai/skills/publish (PUBLISH.md:18)
Medium: External URL https://json.schemastore.org/default (keywords.json:2)

File Tree

24 files · 54.5 KB · 1836 lines
Markdown 6f · 798L | TypeScript 8f · 518L | JavaScript 5f · 410L | JSON 3f · 88L | Ignore 1f · 17L | Text 1f · 5L
├─ 📁 src
│ ├─ 📜 archiver.ts TypeScript 190L · 6.4 KB
│ ├─ 📜 config.ts TypeScript 38L · 930 B
│ ├─ 📜 defaults.ts TypeScript 62L · 1.7 KB
│ ├─ 📜 index.ts TypeScript 55L · 1.7 KB
│ ├─ 📜 refiner.ts TypeScript 68L · 2.1 KB
│ ├─ 📜 test.ts TypeScript 18L · 567 B
│ └─ 📜 types.ts TypeScript 57L · 1.1 KB
├─ 📄 .gitignore Ignore 17L · 239 B
├─ 📝 CHANGELOG.md Markdown 28L · 692 B
├─ 📝 CONFIGURATION.md Markdown 130L · 4.0 KB
├─ 📜 index.js JavaScript 81L · 2.2 KB
├─ 📋 keywords.json JSON 33L · 703 B
├─ 📄 LICENSE.txt Text 5L · 85 B
├─ 📋 package.json JSON 38L · 793 B
├─ 📜 plugin.ts TypeScript 30L · 894 B
├─ 📝 PUBLIC-README.md Markdown 226L · 5.3 KB
├─ 📝 PUBLISH.md Markdown 58L · 1.4 KB
├─ 📝 README.md Markdown 178L · 4.2 KB
├─ 📜 refine.js JavaScript 53L · 1.5 KB
├─ 📜 screenshot-demo.js JavaScript 99L · 7.8 KB
├─ 📝 SKILL.md Markdown 178L · 4.2 KB
├─ 📜 standalone-archive.js JavaScript 160L · 5.3 KB
├─ 📜 test.js JavaScript 17L · 542 B
└─ 📋 tsconfig.json JSON 17L · 407 B

Dependencies 4 items

Package | Version | Source | Known Vulns | Notes
openclaw | ^0.5.0 | npm | No | Caret version allows major updates
fast-glob | not declared | dynamic import | No | Imported but not used in src/archiver.ts
@types/node | ^20 | npm | No | Dev dependency, not pinned
typescript | ^5 | npm | No | Dev dependency, not pinned

Security Positives

✓ No base64-encoded payloads or obfuscated execution observed
✓ No reverse shell, C2 communication, or direct IP network requests found
✓ No ~/.ssh, ~/.aws, or .env file access detected
✓ No curl|bash or wget|sh remote script execution
✓ AI refinement (callAI) is a stub — not actually implemented
✓ Dependencies are from a legitimate registry with no known malicious packages
✓ No hidden instructions in HTML comments or steganography detected