agent-memory 安全扫描报告 — 低风险 | ClawSafe

12 /100

agent-memory

Agent memory infrastructure skill implementing Context Engineering core capabilities: selection, compression, retrieval, state tracking, and memory management with privacy controls

A legitimate memory infrastructure skill with no malicious behavior detected; two minor documentation issues (hardcoded example passwords) pose no runtime security risk.

技能名称agent-memory

分析耗时56.5s

引擎pi

✓

可以安装

Review references/encryption_guide.md example values to ensure no real credentials are inadvertently documented. Otherwise safe to deploy.

安全发现 2 项

严重性	安全发现	位置
低危	Example passwords appear as literal strings in documentation 文档欺骗 references/encryption_guide.md contains 'password = "user_password_123"' (line 157) and 'password="optional_password"' (line 171) as PBKDF2 password-derivation examples. These are documented demonstration values, not real credentials, but may cause false-positive scanner alerts. No runtime security impact since these are documentation examples only. `password = "user_password_123"` → Replace example password values with clearly-marked placeholders like <YOUR_PASSWORD> or comment that these are example-only values	`references/encryption_guide.md:157`
低危	Undeclared filesystem:WRITE and environment:READ capabilities 权限提升 SKILL.md declares no filesystem or environment permissions, but credential_manager.py auto-writes .master_key to storage_path and reads MEMORY_MASTER_KEY from os.environ. These are necessary and legitimate for the encryption subsystem. `SKILL.md frontmatter has no 'permissions' or 'allowed_tools' declaration` → Add declared permissions to SKILL.md: filesystem:WRITE for ./memory_data/* paths, environment:READ for MEMORY_MASTER_KEY	`SKILL.md:1`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`WRITE`	✗ 越权	SKILL.md: credential_manager.py writes to storage_path/.master_key and credentia…
环境变量	`NONE`	`READ`	✗ 越权	SKILL.md: credential_manager.py reads MEMORY_MASTER_KEY env var; encryption.py r…
命令执行	`NONE`	`NONE`	—	No subprocess/os.system/eval/exec found in any script
网络访问	`NONE`	`READ`	✓ 一致	redis_adapter.py connects to Redis; declared as optional in SKILL.md
剪贴板	`NONE`	`NONE`	—	No clipboard access found
浏览器	`NONE`	`NONE`	—	No browser/web access found
数据库	`NONE`	`READ`	✓ 一致	Redis adapter used for token counters; optional, not always active
技能调用	`NONE`	`NONE`	—	No skill invocation found

2 高危 4 项发现

🔑

高危 API 密钥疑似硬编码凭证

password = "user_password_123"

references/encryption_guide.md:157

🔑

高危 API 密钥疑似硬编码凭证

password="optional_password"

references/encryption_guide.md:171

🔗

中危外部 URL 外部 URL

https://www.gnu.org/licenses/gpl-3.0.html

SKILL.md:23

🔗

中危外部 URL 外部 URL

https://www.gnu.org/licenses/

scripts/__init__.py:17

目录结构

69 文件 · 1.4 MB · 46452 行

Python 50f · 37665L Markdown 17f · 8246L JSON 2f · 541L

├─ ▾ 📁 assets

│ └─ ▾ 📁 templates

│ └─ 📋 memory_schemas.json JSON 499L · 14.1 KB

├─ ▾ 📁 memory_storage

│ └─ 📋 default_user_memory.json JSON 42L · 1.0 KB

├─ ▾ 📁 references

│ ├─ 📝 activation_mechanism.md Markdown 526L · 13.2 KB

│ ├─ 📝 agent_loops_advanced.md Markdown 548L · 17.4 KB

│ ├─ 📝 agent_loops_integration.md Markdown 540L · 13.7 KB

│ ├─ 📝 api_class_reference.md Markdown 478L · 29.5 KB

│ ├─ 📝 api_enums.md Markdown 903L · 18.5 KB

│ ├─ 📝 architecture_execution_model.md Markdown 410L · 14.3 KB

│ ├─ 📝 architecture_overview.md Markdown 672L · 35.7 KB

│ ├─ 📝 chain_reasoning_guide.md Markdown 604L · 20.9 KB

│ ├─ 📝 encryption_guide.md Markdown 482L · 10.9 KB

│ ├─ 📝 index_sync_guide.md Markdown 540L · 17.4 KB

│ ├─ 📝 insight_design.md Markdown 496L · 11.1 KB

│ ├─ 📝 memory_types.md Markdown 517L · 19.2 KB

│ ├─ 📝 module_index.md Markdown 138L · 5.7 KB

│ ├─ 📝 privacy_guide.md Markdown 407L · 9.8 KB

│ ├─ 📝 short_term_insight_guide.md Markdown 357L · 11.6 KB

│ └─ 📝 usage_guide.md Markdown 305L · 8.1 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 __init__.py Python 281L · 6.6 KB

│ ├─ 🐍 async_writer.py Python 481L · 14.7 KB

│ ├─ 🐍 batched_writer.py Python 316L · 9.4 KB

│ ├─ 🐍 bloom_filter.py Python 368L · 11.5 KB

│ ├─ 🐍 cache_consistency.py Python 597L · 17.0 KB

│ ├─ 🐍 cache_layer.py Python 668L · 18.6 KB

│ ├─ 🐍 causal_chain_extractor.py Python 594L · 19.0 KB

│ ├─ 🐍 chain_reasoning.py Python 856L · 26.8 KB

│ ├─ 🐍 cognitive_model_builder.py Python 843L · 30.1 KB

│ ├─ 🐍 conflict_resolver.py Python 528L · 18.5 KB

│ ├─ 🐍 context_lazy_loader.py Python 752L · 21.2 KB

│ ├─ 🐍 context_orchestrator.py Python 933L · 28.7 KB

│ ├─ 🐍 context_reconstructor.py Python 1311L · 42.7 KB

│ ├─ 🔑 credential_manager.py ⚠ Python 383L · 11.2 KB

│ ├─ 🐍 cross_session_memory_linker.py Python 588L · 17.5 KB

│ ├─ 🐍 encryption.py Python 680L · 17.0 KB

│ ├─ 🐍 fallback_manager.py Python 499L · 15.0 KB

│ ├─ 🐍 heat_manager.py Python 261L · 7.3 KB

│ ├─ 🐍 importance_scorer.py Python 566L · 18.6 KB

│ ├─ 🐍 incremental_sync.py Python 563L · 14.5 KB

│ ├─ 🐍 insight_module.py Python 1316L · 43.3 KB

│ ├─ 🐍 knowledge_gap_identifier.py Python 646L · 22.0 KB

│ ├─ 🐍 long_term.py Python 1199L · 41.2 KB

│ ├─ 🐍 memory_conflict.py Python 955L · 31.0 KB

│ ├─ 🐍 memory_forgetting_mechanism.py Python 576L · 18.2 KB

│ ├─ 🐍 memory_index.py Python 683L · 20.1 KB

│ ├─ 🐍 monitoring.py Python 625L · 16.1 KB

│ ├─ 🐍 multi_source_coordinator.py Python 695L · 23.4 KB

│ ├─ 🐍 noise_filter.py Python 575L · 17.5 KB

│ ├─ 🐍 observability_manager.py Python 1090L · 31.7 KB

│ ├─ 🐍 perception.py Python 869L · 24.9 KB

│ ├─ 🐍 permission_boundary_controller.py Python 842L · 25.3 KB

│ ├─ 🐍 prefetch_manager.py Python 599L · 17.9 KB

│ ├─ 🐍 privacy.py Python 795L · 22.5 KB

│ ├─ 🐍 progressive_compressor.py Python 602L · 19.3 KB

│ ├─ 🐍 redis_adapter.py Python 966L · 25.1 KB

│ ├─ 🐍 result_compressor.py Python 1230L · 40.3 KB

│ ├─ 🐍 retrieval_decision_engine.py Python 593L · 18.4 KB

│ ├─ 🐍 retrieval_organizer.py Python 773L · 23.5 KB

│ ├─ 🐍 retrieval_quality_evaluator.py Python 648L · 20.1 KB

│ ├─ 🐍 short_term_insight.py Python 649L · 22.4 KB

│ ├─ 🐍 short_term_redis.py Python 723L · 20.4 KB

│ ├─ 🐍 short_term.py Python 1708L · 53.9 KB

│ ├─ 🐍 smart_allocator.py Python 551L · 17.8 KB

│ ├─ 🐍 state_capture.py Python 1138L · 30.0 KB

│ ├─ 🐍 state_consistency_validator.py Python 622L · 20.1 KB

│ ├─ 🐍 state_inference_engine.py Python 623L · 20.1 KB

│ ├─ 🐍 task_progress.py Python 1043L · 30.9 KB

│ ├─ 🔑 token_budget.py ⚠ Python 664L · 19.0 KB

│ └─ 🐍 type_defs.py Python 1599L · 47.3 KB

└─ 📝 SKILL.md Markdown 323L · 10.6 KB

依赖分析 6 项

包名	版本	来源	已知漏洞	备注
`pydantic`	`>=2.0.0`	pip	否	Major version pinned
`typing-extensions`	`>=4.0.0`	pip	否	Major version pinned
`cryptography`	`>=41.0.0`	pip	否	Major version pinned; used for AES-256-GCM
`redis`	`>=4.5.0`	pip	否	Optional; lazy import
`tiktoken`	`>=0.5.0`	pip	否	Optional; lazy import
`mmh3`	`>=3.0.0`	pip	否	Major version pinned

安全亮点

✓ No subprocess, os.system, eval, exec, or compile calls across all 50 Python files

✓ No network HTTP requests (requests/urllib/httpx/socket) anywhere in the codebase

✓ No base64 decode piped to shell or other obfuscation patterns

✓ No access to ~/.ssh, ~/.aws, or other sensitive filesystem paths

✓ CredentialManager uses proper AES-256-GCM encryption with auto-generated 256-bit keys stored with 0o600 permissions

✓ Lazy imports for optional dependencies (redis, cryptography) prevent errors in minimal environments

✓ PrivacyManager includes consent tracking, sensitive data classification, and audit logging

✓ SensitiveDataDetector classifies credentials and financial info as RESTRICTED (not stored)

✓ TokenBudgetManager uses Redis only; no credential exfiltration

✓ Redis adapter supports password authentication and TLS recommendations are documented

✓ All file paths are user-configurable with no hardcoded system paths

✓ Dependencies have minimum version constraints (pinned major versions)