MemOptimizer (记忆优化器) Security Report — Suspicious | ClawSafe

60 /100

MemOptimizer (记忆优化器)

记忆压缩与统计工具 — 整合 self-improving 机制，自动统计、压缩和优化记忆文件

The skill contains undeclared shell execution via child_process.exec() and undeclared filesystem WRITE operations, with access to sensitive system paths — all hidden from the documented SKILL.md.

Skill NameMemOptimizer (记忆优化器)

Duration50.4s

Enginepi

⚠

Use with caution

Remove or document all child_process.exec() calls. Declare filesystem:WRITE and shell:WRITE in SKILL.md if intended. Restrict access to /root/.openclaw paths and implement stricter input validation on compression parameters.

Findings 5 items

Severity	Finding	Location
High	Undeclared shell execution via child_process.exec() Doc Mismatch The getServerStatus() function (lines 178-196) executes 4 shell commands (top, free, df, uptime) via child_process.exec() to gather server metrics for the daily report. getAgentStatus() (lines 203-211) executes 'ls -1 ~/.openclaw/agents/'. None of this shell execution is declared anywhere in SKILL.md or tools.json. `exec(commands[key], (err, stdout, stderr) => { ... });` → Document shell:WRITE in SKILL.md metadata if system monitoring is intentional, or remove these exec() calls entirely.	`index.js:178`
High	Undeclared filesystem WRITE operations Doc Mismatch The skill writes to memory/*.md files (line 337) when dryRun=false, and appends to self-improving/reflections.md and corrections.md (lines 119, 124). These filesystem WRITE operations are not declared in SKILL.md, tools.json, or metadata. While dryRun defaults to true (providing a safety guard), the capability exists and is hidden. `await fs.writeFile(file.path, newContent, 'utf-8');` → Declare filesystem:WRITE in the capability model metadata. Alternatively, move to a read-only stats-only tool.	`index.js:337`
High	Hardcoded access to /root/.openclaw system directories Sensitive Access The scanAllAgentsWorkspaces() function (lines 216-272) hardcodes paths /root/.openclaw/agents and /root/.openclaw/workspace-{id}, iterating across all agents' workspaces to compress their memory files. This is a privileged escalation — the skill's stated purpose is 'scan memory/ directory in workspace', but it actually traverses the entire multi-agent system at /root level. `const agentsDir = '/root/.openclaw/agents';` → This is a major scope creep. Either declare this behavior prominently in SKILL.md or restrict to the current workspace only.	`index.js:217`
Medium	Multi-agent optimization mode not documented in SKILL.md Doc Mismatch The mem_optimize tool has a hidden multiAgent mode that scans and compresses ALL agents' memory files across the entire system (via /root/.openclaw/agents/). This is triggered by '多智能体' keyword or '执行多智能体记忆优化流程', yet the SKILL.md only describes single-workspace optimization. The cron job 'mem_optimize_daily' triggers this wider scope automatically. `if (multiAgent) { result = await optimizeAllAgentsMemory(...) }` → Document the multi-agent mode explicitly in SKILL.md with clear scope and consent requirements.	`index.js:295`
Medium	Aggressive default compression ratio of 40% Priv Escalation The default compressionRatio is 0.4 (40%), meaning 60% of content is discarded from files over 50 lines. While dryRun is true by default, the cron job (mem_optimize_daily) runs with dryRun=false, silently destroying memory content across ALL agents on a daily schedule. `const optimizeResult = await optimizeAllAgentsMemory(false, true, 0.4);` → Require explicit opt-in for automated destructive operations. The cron should run dryRun mode by default and notify rather than auto-commit.	`index.js:312`

Resource	Declared	Inferred	Status	Evidence
Shell	`NONE`	`WRITE`	✗ Violation	index.js:178-196 (getServerStatus uses exec() for top/free/df/uptime); index.js:…
Filesystem	`READ (implicit)`	`WRITE`	✗ Violation	index.js:337 fs.writeFile(file.path, newContent) — modifies memory files when dr…
Environment	`NONE`	`READ`	✓ Aligned	index.js:89-109 loadSelfImprovingPreferences() reads files from self-improving/ …

File Tree

3 files · 34.0 KB · 1179 lines

JavaScript 1f · 827L Markdown 1f · 302L JSON 1f · 50L

├─ 📜 index.js JavaScript 827L · 25.0 KB

├─ 📝 SKILL.md Markdown 302L · 7.6 KB

└─ 📋 tools.json JSON 50L · 1.4 KB

Dependencies 2 items

Package	Version	Source	Known Vulns	Notes
`fs`	`builtin`	Node.js stdlib	No	Uses Node.js built-in fs module (promises API)
`child_process`	`builtin`	Node.js stdlib	No	Uses exec() for shell commands — undocumented capability

Security Positives

✓ dryRun defaults to true, providing a safety guard against accidental file modification

✓ Token estimation is performed locally with no network calls for core functionality

✓ No credential harvesting or API key scanning observed

✓ No base64 encoding, obfuscation, or anti-analysis techniques detected

✓ No reverse shell, C2, or outbound data exfiltration to external IPs

✓ Self-improving feedback loop is a legitimate, documented pattern

Scan Report

Findings 5 items

File Tree

Dependencies 2 items

Security Positives