Skill Trust Decision

openclaw-memory-auto

Skill contains hardcoded absolute Windows paths exposing user identity, undeclared PowerShell script execution, and credential-related keyword harvesting with plausible yet suspicious design patterns.

Install decision first
Source: Manual upload · Scanned: Apr 4, 2026
Files 24
Artifacts 2
Violations 2
Findings 7
Most direct threat evidence
01
Skill distributed as legitimate OpenClaw memory plugin via SKILL.md marketing

Entry · SKILL.md

02
Hardcoded Windows username path reveals user identity for targeting

recon · index.js

03
spawns powershell.exe with ExecutionPolicy Bypass to run non-existent scripts

Escalation · index.js

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Review
Hidden execution and egress

2 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 6 attack-chain steps and 3 severe findings.

Review
Dependencies and supply chain hygiene

2 dependency or supply-chain issues need attention.

Attack Chain

01
Skill distributed as legitimate OpenClaw memory plugin via SKILL.md marketing

Entry · SKILL.md:1

02
Hardcoded Windows username path reveals user identity for targeting

recon · index.js:62

03
spawns powershell.exe with ExecutionPolicy Bypass to run non-existent scripts

Escalation · index.js:67

04
Extracts messages containing credential-adjacent keywords (password, token, key, secret, api, 密钥, 密码) from chat transcripts

Escalation · src/archiver.ts:118

05
Stores credential-adjacent transcript snippets in plaintext memory/YYYY-MM-DD.md files

Impact · src/archiver.ts:108

06
Refinement feature (callAI stub) could be implemented to POST extracted credentials to external AI endpoint

exfiltration_potential · src/refiner.ts:25

What drove the risk score up

Hardcoded Windows absolute paths +25

Three files contain hardcoded paths with Windows usernames (C:\Users\42517\) — index.js:62, test.js:2, standalone-archive.js: hardcoded transcriptDir — exposing user identity and not declared in SKILL.md

Undeclared PowerShell execution +20

index.js spawns powershell.exe with -ExecutionPolicy Bypass to run archive.ps1 and refine.ps1 scripts that do not exist in the codebase; not declared in SKILL.md

Credential-adjacent keyword harvesting +15

defaults.ts and keywords.json include sensitive keywords (password, token, key, secret, api, 密钥, 密码, 账号) which are used to extract message highlights, potentially capturing sensitive credentials from chat transcripts

Doc-to-code mismatch +15

SKILL.md states 'Pure TypeScript' with no mention of PowerShell scripts, hardcoded paths, or Windows-specific behavior; index.js spawns external scripts with bypassed execution policy

Dynamic import of fast-glob not used +5

src/archiver.ts imports fast-glob then never uses it, and falls back to a hardcoded path; this pattern is commonly used to obfuscate file system enumeration

Most important evidence

High Priv Escalation

Hardcoded Windows username path leaks user identity

index.js line 62 contains a hardcoded absolute path 'C:\Users\42517\.openclaw\agents\main\sessions' and test.js contains 'C:\Users\42517\.openclaw\workspace'. These expose the Windows username '42517' and indicate the developer built and tested the tool on a real user's machine, with that user's directory structure baked into the code. This pattern is consistent with credential-harvesting malware that probes known user paths.

index.js:62
Remove all hardcoded absolute paths. Use workspace-relative or env-var-based paths only.

High Doc Mismatch

Undeclared PowerShell execution with bypassed execution policy

index.js spawns powershell.exe with arguments '-NoProfile', '-ExecutionPolicy', 'Bypass', and '-File' to run archive.ps1 and refine.ps1. Neither script exists in the repository. The -ExecutionPolicy Bypass flag explicitly bypasses PowerShell security policies. SKILL.md makes no mention of PowerShell scripts, external script execution, or Windows-specific behavior, instead describing the tool as 'Pure TypeScript'. This is a significant doc-to-code mismatch.

index.js:67
Either declare and include the PowerShell scripts, or remove the spawn entirely and perform all logic in Node.js/TypeScript.

High Credential Theft

Sensitive credential keywords used to extract transcript highlights

src/defaults.ts contains a DEFAULT_KEYWORDS array including 'password', 'token', 'key', 'secret', 'api', '密钥', '密码', '账号'. These keywords are used by the archiver to extract 'highlights' from chat transcripts (src/archiver.ts:extractHighlights). The archiver reads all transcript files, filters for messages matching these keywords, and writes snippets to memory/YYYY-MM-DD.md. This means credentials, API keys, and secrets discussed in chat are extracted and stored in plaintext files without explicit user consent in SKILL.md.

src/defaults.ts:21
Either remove sensitive credential keywords from defaults, or explicitly document and request consent for credential extraction in SKILL.md with a clear opt-in mechanism.

Medium Doc Mismatch

SKILL.md claims zero config needed but hardcoded paths require config

SKILL.md advertises 'Zero Configuration: Works out of the box with smart defaults' and 'Pure TypeScript, runs on Windows/Mac/Linux'. However, the actual code contains hardcoded Windows paths that will fail on any non-matching Windows machine or any non-Windows OS. The cross-platform claim is misleading.

SKILL.md:1
Update SKILL.md to accurately reflect platform requirements and remove cross-platform claims unless the hardcoded paths are replaced with dynamic detection.

Medium Sensitive Access

Dynamic fast-glob import with no actual usage

src/archiver.ts imports fast-glob but never calls it. Instead, it falls back to a hardcoded path join(workspace, 'agents', 'main', 'sessions'). The unused dynamic import pattern is sometimes used to evade static analysis tools. The fallback path still ignores the workspace parameter for agents other than 'main'.

src/archiver.ts:94
Either implement proper glob usage or remove the import. Use workspace parameter consistently across all transcript paths.

Low Supply Chain

No version pinning for dependencies

package.json specifies dependencies without version pins: openclaw: '^0.5.0', @types/node: '^20', typescript: '^5'. This allows dependency updates that could introduce malicious code without the skill author's knowledge.

package.json:24
Pin all dependencies to exact versions (e.g., openclaw 0.5.0, without the caret).

Low Doc Mismatch

External URL reference in keywords.json

keywords.json line 2 references 'https://json.schemastore.org/default' for its JSON schema. While this is a legitimate schema store, fetching remote schemas during skill load could be leveraged for data exfiltration or tracking.

keywords.json:2
Remove external schema reference or document the network access in SKILL.md.

Declared capability vs actual capability

Filesystem · Block
Declared READ
Inferred WRITE
src/archiver.ts:108 — fs.writeFile for daily logs + marker files; standalone-archive.js — write operations; src/refiner.ts — fs.appendFile to MEMORY.md

Network · Pass
Declared NONE
Inferred NONE
refine.js / src/refiner.ts — callAI() stub exists with TODO comment, not yet implemented; keywords.json:2 references external schema URL

Shell · Block
Declared NONE
Inferred WRITE
index.js:67-71 — spawn('powershell.exe', psArgs) with -ExecutionPolicy Bypass

Environment · Pass
Declared NONE
Inferred READ
Multiple files read process.env.OPENCLAW_WORKSPACE

Suspicious artifacts and egress

Medium External URL
https://clawhub.ai/skills/publish

PUBLISH.md:18

Medium External URL
https://json.schemastore.org/default

keywords.json:2

Dependencies and supply chain

| Package | Version | Source | Known vuln | Notes |
| --- | --- | --- | --- | --- |
| openclaw | ^0.5.0 | npm | No | Caret version allows major updates |
| fast-glob | not declared | dynamic import | No | Imported but not used in src/archiver.ts |
| @types/node | ^20 | npm | No | Dev dependency, not pinned |
| typescript | ^5 | npm | No | Dev dependency, not pinned |

File composition

24 files · 1836 lines
Markdown 6 files · 798 lines
TypeScript 8 files · 518 lines
JavaScript 5 files · 410 lines
JSON 3 files · 88 lines
Ignore 1 files · 17 lines
Text 1 files · 5 lines
Files of concern · 4
src/archiver.ts TypeScript · 190 lines
Dynamic fast-glob import with no actual usage
SKILL.md Markdown · 178 lines
SKILL.md claims zero config needed but hardcoded paths require config
index.js JavaScript · 81 lines
Hardcoded Windows username path leaks user identity · Undeclared PowerShell execution with bypassed execution policy
src/defaults.ts TypeScript · 62 lines
Sensitive credential keywords used to extract transcript highlights
Other files · screenshot-demo.js · standalone-archive.js · PUBLIC-README.md · README.md · CONFIGURATION.md · refiner.ts +2

Security positives

No base64-encoded payloads or obfuscated execution observed
No reverse shell, C2 communication, or direct IP network requests found
No ~/.ssh, ~/.aws, or .env file access detected
No curl|bash or wget|sh remote script execution
AI refinement (callAI) is a stub — not actually implemented
Dependencies are from a legitimate registry with no known malicious packages
No hidden instructions in HTML comments or steganography detected