Skill Trust Decision

MemOptimizer (记忆优化器)

The skill contains undeclared shell execution via child_process.exec() and undeclared filesystem WRITE operations, with access to sensitive system paths — all hidden from the documented SKILL.md.

Source: Manual upload · Scanned: Apr 4, 2026
Files: 3 · Artifacts: 0 · Violations: 2 · Findings: 5

Why this conclusion was reached

2/4 dimensions flagged

Block · Declared vs actual capability
2 undeclared or violating capabilities were inferred.

Pass · Hidden execution and egress
No obvious high-risk egress or execution signals were found.

Block · Attack chain and severe findings
The report includes 0 attack-chain steps and 3 severe findings.

Pass · Dependencies and supply chain hygiene
Dependencies are present but no obvious high-risk issue stands out.

What drove the risk score up

Undeclared shell execution +25

getServerStatus() runs top/free/df/uptime via child_process.exec(); getAgentStatus() runs ls on ~/.openclaw — none declared in SKILL.md

Undeclared filesystem WRITE +20

fs.writeFile modifies memory/*.md when dryRun=false; fs.appendFile writes to reflections.md and corrections.md — no WRITE permission declared

Sensitive path access +15

Hardcoded access to /root/.openclaw/agents/ and /root/.openclaw/workspace-{id}/ for multi-agent optimization, not declared in docs

Most important evidence

High Doc Mismatch

Undeclared shell execution via child_process.exec()

The getServerStatus() function (lines 178-196) executes 4 shell commands (top, free, df, uptime) via child_process.exec() to gather server metrics for the daily report. getAgentStatus() (lines 203-211) executes 'ls -1 ~/.openclaw/agents/'. None of this shell execution is declared anywhere in SKILL.md or tools.json.

index.js:178

Document shell:WRITE in SKILL.md metadata if system monitoring is intentional, or remove these exec() calls entirely.

High Doc Mismatch

Undeclared filesystem WRITE operations

The skill writes to memory/*.md files (line 337) when dryRun=false, and appends to self-improving/reflections.md and corrections.md (lines 119, 124). These filesystem WRITE operations are not declared in SKILL.md, tools.json, or metadata. While dryRun defaults to true (providing a safety guard), the capability exists and is hidden.

index.js:337

Declare filesystem:WRITE in the capability model metadata. Alternatively, move to a read-only stats-only tool.

High Sensitive Access

Hardcoded access to /root/.openclaw system directories

The scanAllAgentsWorkspaces() function (lines 216-272) hardcodes paths /root/.openclaw/agents and /root/.openclaw/workspace-{id}, iterating across all agents' workspaces to compress their memory files. This is a privilege escalation — the skill's stated purpose is 'scan memory/ directory in workspace', but it actually traverses the entire multi-agent system at /root level.

index.js:217

This is a major scope creep. Either declare this behavior prominently in SKILL.md or restrict to the current workspace only.

Medium Doc Mismatch

Multi-agent optimization mode not documented in SKILL.md

The mem_optimize tool has a hidden multiAgent mode that scans and compresses ALL agents' memory files across the entire system (via /root/.openclaw/agents/). This is triggered by '多智能体' keyword or '执行多智能体记忆优化流程', yet the SKILL.md only describes single-workspace optimization. The cron job 'mem_optimize_daily' triggers this wider scope automatically.

index.js:295

Document the multi-agent mode explicitly in SKILL.md with clear scope and consent requirements.

Medium Priv Escalation

Aggressive default compression ratio of 40%

The default compressionRatio is 0.4 (40%), meaning 60% of content is discarded from files over 50 lines. While dryRun is true by default, the cron job (mem_optimize_daily) runs with dryRun=false, silently destroying memory content across ALL agents on a daily schedule.

index.js:312

Require explicit opt-in for automated destructive operations. The cron should run dryRun mode by default and notify rather than auto-commit.

Declared capability vs actual capability

Shell · Block
Declared: NONE · Inferred: WRITE
index.js:178-196 (getServerStatus uses exec() for top/free/df/uptime); index.js:203-211 (getAgentStatus uses exec() for ls)

Filesystem · Block
Declared: READ (implicit) · Inferred: WRITE
index.js:337 fs.writeFile(file.path, newContent) — modifies memory files when dryRun=false; index.js:119 fs.appendFile(reflectionsPath, ...) — appends reflections

Environment · Pass
Declared: NONE · Inferred: READ
index.js:89-109 loadSelfImprovingPreferences() reads files from self-improving/ directory within workspace

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
fs | builtin | Node.js stdlib | No | Uses Node.js built-in fs module (promises API)
child_process | builtin | Node.js stdlib | No | Uses exec() for shell commands — undocumented capability

File composition

3 files · 1179 lines
JavaScript 1 file · 827 lines
Markdown 1 file · 302 lines
JSON 1 file · 50 lines
Files of concern · 1
index.js JavaScript · 827 lines
Undeclared shell execution via child_process.exec() · Undeclared filesystem WRITE operations · Hardcoded access to /root/.openclaw system directories · Multi-agent optimization mode not documented in SKILL.md · Aggressive default compression ratio of 40%
Other files · SKILL.md · tools.json

Security positives

dryRun defaults to true, providing a safety guard against accidental file modification
Token estimation is performed locally with no network calls for core functionality
No credential harvesting or API key scanning observed
No base64 encoding, obfuscation, or anti-analysis techniques detected
No reverse shell, C2, or outbound data exfiltration to external IPs
Self-improving feedback loop is a legitimate, documented pattern