Openclaw Memory

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Secrets, personal details, project context, or misleading instructions could become persistent memories and be injected into future agent requests.

Why it was flagged

The skill is designed to automatically process every interaction and the documentation explicitly gives an API key as an example of a fact it may store.

Skill content

1. **Automatic Extraction** - Hooks into every request/response ... - **Facts** - "User's API key is abc123", "Project uses TypeScript"

Recommendation

Install only if you want automatic cross-session memory; add clear exclusions/redaction for secrets, review stored memories regularly, and avoid using it with sensitive conversations unless local-only settings and retention controls are verified.

What this means

If the dashboard/API is running, other local processes or users may be able to query or mutate memories unless the implementation adds protections not shown here.

Why it was flagged

The documented local REST API exposes memory search and deletion using an agent wallet parameter, but the provided documentation does not describe authentication or authorization boundaries.

Skill content

Memory System provides a REST API for programmatic access: ... GET /api/memories/search?agent_wallet=0x...&query=programming&limit=5 ... DELETE /api/memories/:memory_id?agent_wallet=0x...

Recommendation

Require authentication for the dashboard/API, bind only to localhost by default, and document who can read, write, or delete memories.

What this means

A user may believe all memory content stays local even though conversation-derived text may be sent to an external embedding provider.

Why it was flagged

The privacy claim says nothing is sent to external servers, while the same artifact says OpenAI is the default embedding option, which normally requires sending text to OpenAI.

Skill content

- ✅ All data stored locally (nothing sent to external servers) ... **Embedding Options:** 1. **OpenAI** (default) - Fast, high quality

Recommendation

Make local embeddings the default for privacy-sensitive use, clearly disclose what text is sent to OpenAI, and align the privacy section with the actual default behavior.

What this means

If an agent has access to a funded wallet, it may spend funds on the Pro tier without an operator reviewing the transaction first.

Why it was flagged

The payment guide encourages autonomous agents to initiate paid upgrades without human approval.

Skill content

AI agents can autonomously pay for unlimited storage ... **No human in the loop**

Recommendation

Require explicit human approval before any wallet transaction, keep agent wallets low-balance or read-only by default, and clearly separate payment-request creation from actual payment signing.

What this means

Users may not notice that provider API keys and payment-related configuration affect how the skill operates.

Why it was flagged

The implementation describes environment variables and provider/account-related configuration even though the registry metadata declares no required environment variables or primary credential.

Skill content

- `PAYMENT_WALLET` - Recipient wallet for x402 payments
- `PAYMENT_CALLBACK_URL` - Payment verification callback
- `OPENAI_API_KEY` - For OpenAI embeddings (optional)
- `EMBEDDING_PROVIDER` - 'openai' or 'local' (default: openai)

Recommendation

Declare optional credentials and environment variables in metadata and setup docs, including their purpose, scope, and whether they cause external data transfer.

What this means

Installing the skill adds executable code that can run during agent request/session events.

Why it was flagged

The package includes runtime dependencies and automatic OpenClaw hooks. That is coherent for this skill, but it means installation is not just static instructions.

Skill content

"dependencies": { "better-sqlite3": "^11.0.0", "express": "^4.18.2", "commander": "^12.0.0" }, ... "hooks": { "request:before": "hooks/request-before.js", "request:after": "hooks/request-after.js", "session:end": "hooks/session-end.js" }

Recommendation

Review the package source and lock dependency versions before production use, especially because registry provenance is listed as unknown.

Findings (1)

critical

suspicious.env_credential_access

Location

src/embeddings.js:18

Finding

Environment variable access combined with network send.