Skill Trust Decision

Enterprise Security

Skill uses undeclared shell execution with hardcoded database credentials to write directly to PostgreSQL memories, representing significant hidden functionality not documented in SKILL.md.

Install decision first
Source: Manual upload · Scanned: Apr 4, 2026
Files 8
Artifacts 0
Violations 3
Findings 4
Most direct threat evidence
01 · User installs skill thinking it's a simple security tool · Entry · SKILL.md
02 · activate.js executes docker commands with execSync · Execution · activate.js
03 · Hardcoded credentials stored in source code · Escalation · activate.js

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

3 undeclared or violating capabilities were inferred.

Pass
Hidden execution and egress

No obvious high-risk egress or execution signals were found.

Block
Attack chain and severe findings

The report includes 5 attack-chain steps and 3 severe findings.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
User installs skill thinking it's a simple security tool

Entry · SKILL.md:1

02
activate.js executes docker commands with execSync

Execution · activate.js:29

03
Hardcoded credentials stored in source code

Escalation · activate.js:19

04
Database writes to PostgreSQL memories table

Escalation · activate.js:28

05
Attacker with code access could modify credentials or perform SQL injection

Impact · activate.js:28

What drove the risk score up

Undeclared shell execution +25

activate.js uses execSync to run docker commands, not declared in SKILL.md

Hardcoded credentials +15

Database credentials 'openclaw:pgmemory' embedded in plaintext in activate.js

Undeclared database access +15

Direct PostgreSQL connection to localhost:15432 not mentioned in documentation

Doc-to-code mismatch +10

SKILL.md describes file operations only, but actual code accesses database and runs shell commands

Most important evidence

High RCE

Undeclared shell execution via execSync

activate.js uses child_process.execSync to run docker commands that connect to PostgreSQL. This shell:WRITE capability is not declared anywhere in SKILL.md.

activate.js:29
Remove shell execution capability or declare it in SKILL.md. Consider using API-based memory storage instead of raw docker/psql commands.
High Credential Theft

Hardcoded database credentials

PostgreSQL credentials 'openclaw:pgmemory' are hardcoded in plaintext within activate.js. While not exfiltrated, storing credentials in code is a security anti-pattern.

activate.js:19
Move credentials to environment variables or configuration file. Never store credentials in source code.
High Doc Mismatch

Documentation mismatch - hidden database/shell behavior

SKILL.md describes only file operations (backup, rollback, changelog), but the actual implementation includes database writes via docker exec and shell command execution. These capabilities are completely absent from the documentation.

SKILL.md:1
Update SKILL.md to clearly document: 1) Shell command execution via execSync, 2) Database connectivity to PostgreSQL, 3) Docker command usage, 4) Any credential access patterns.
Medium Priv Escalation

Implicit database write access

The skill performs INSERT operations on the memories table in PostgreSQL, implying database:WRITE access that is not declared.

activate.js:28
Declare database access if this functionality is intentional and necessary.

Declared capability vs actual capability

Shell · Block · Declared NONE · Inferred WRITE · activate.js:29 execSync()
Filesystem · Block · Declared NONE · Inferred WRITE · activate.js:29 docker exec writes to PostgreSQL
Database · Block · Declared NONE · Inferred WRITE · activate.js:19 direct PostgreSQL access via docker exec

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

There are no structured dependency warnings.

File composition

8 files · 768 lines
JavaScript 7 files · 528 lines
Markdown 1 file · 240 lines
Files of concern · 2
SKILL.md Markdown · 240 lines
Documentation mismatch - hidden database/shell behavior
activate.js JavaScript · 75 lines
Undeclared shell execution via execSync · Hardcoded database credentials · Implicit database write access
Other files · security-check.js · rollback.js · backup.js · confirm.js · changelog.js · index.js

Security positives

Core modules (backup.js, rollback.js, changelog.js, confirm.js) use only safe fs operations documented in SKILL.md
Security check module performs legitimate skill vetting with no suspicious behavior
No base64 encoding, obfuscation, or anti-analysis patterns detected
No data exfiltration observed in the main codebase
No suspicious network requests to external IPs