Security Decision Report

memory-compactor

Skill declares memory file manipulation and scheduled execution but provides no implementation code to audit, creating a doc-to-code verification gap.

Installation decision first · Source: manual upload · Scan time: 2026/4/3
Files 1
IOCs 0
Over-privilege items 1
Findings 3
Most direct threat evidence
01
User installs skill trusting SKILL.md description Initial entry · SKILL.md
02
AI agent invokes skill to compress memory files reconnaissance · SKILL.md
03
Skill accesses memory files containing potentially sensitive data Privilege escalation · SKILL.md

Why this conclusion was reached

2/4 dimensions triggered
Block
Declared vs. actual capabilities

Found 1 capability or over-privileged behavior beyond what is declared.

Pass
Hidden execution and outbound connections

No obvious high-risk outbound connection or execution signals at present.

Block
Attack chain and high-risk findings

The report contains a 4-step attack chain and 0 further high or critical findings.

Review
Dependencies and supply-chain hygiene

No complete dependency information; the supply-chain judgment must be left open.

Attack chain

01
User installs skill trusting SKILL.md description

Initial entry · SKILL.md:1

02
AI agent invokes skill to compress memory files

reconnaissance · SKILL.md:12

03
Skill accesses memory files containing potentially sensitive data

Privilege escalation · SKILL.md:15

04
Without a code audit, actual behavior is unverifiable; it could exfiltrate data or modify files beyond the declared scope

Final impact · SKILL.md:22

How the risk score was raised

No implementation code +20

SKILL.md describes filesystem operations but has zero scripts to audit

Undeclared scheduled execution +15

Claims '定时任务自动执行' (scheduled auto-execution) without explaining mechanism

Memory file access unverifiable +10

Skill accesses memory files that may contain sensitive data but no code to audit behavior

No allowed-tools declaration +5

Missing explicit declaration of required filesystem permissions

Key evidence

Medium Documentation deception

Documentation-only skill with unverifiable behavior

The skill describes filesystem operations (compress, clean, write) on memory files but provides zero implementation code. Cannot verify if declared behavior matches actual execution.

SKILL.md:1
Require submission of implementation scripts (Python/Bash) that can be audited for actual file operations, network access, and data handling.
Medium Privilege escalation

Undeclared scheduled execution mechanism

SKILL.md states '定时任务自动执行: 每周日22:00' but does not explain how scheduled execution is implemented. Could involve cron jobs, systemd timers, or hidden agent hooks.

SKILL.md:22
Specify the exact mechanism for scheduled execution. If using cron, declare it in documentation.
Low Sensitive access

Memory file access without visibility into data handling

Skill operates on memory files that may contain sensitive user data, preferences, or potentially credentials. No code to verify data remains local and is not exfiltrated.

SKILL.md:12
Add explicit statement that memory contents are processed locally only and not transmitted externally.

Declared vs. actual capabilities

Filesystem Block
Declared NONE
Inferred WRITE
SKILL.md describes '压缩冗余内容,清理过期信息' (compress redundant content, clean expired info) but provides no implementation

Suspicious artifacts and outbound connections

No obvious IOCs extracted.

Dependencies and supply chain

No structured dependency alerts.

File composition

1 file · 48 lines
Markdown 1 file · 48 lines
Files of concern · 1
SKILL.md Markdown · 48 lines
Documentation-only skill with unverifiable behavior · Undeclared scheduled execution mechanism · Memory file access without visibility into data handling

Security highlights

No network requests described in documentation
No credential harvesting mentioned
No base64, eval, or obfuscation patterns visible in docs
Core concept (memory compression) is functionally legitimate