vector-memory
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill’s memory-search purpose is coherent, but its tool commands handle user input unsafely, creating command-execution and unintended file-read risks.
Do not install or enable this skill until the command execution and memory_get path handling are fixed. If you do use it, keep synced memory limited to intended notes, protect the workspace, avoid the optional curl|bash installer, and replace any sample credentials in the pgvector guide.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted memory search query could cause commands to run in the OpenClaw workspace.
execSync runs through a shell, and query is user/tool input. JSON.stringify does not prevent shell expansion such as command substitution inside double quotes.
execSync(`node vector-memory/vector_memory_local.js --search ${JSON.stringify(query)} --max-results ${maxResults}`
Replace execSync shell strings with execFile/spawn using an argument array, strictly validate max_results, and avoid shell interpolation for user-controlled values.
Prompted or malicious search text could misuse the memory_search tool as a command execution path.
The tool manifest places a user-controlled query directly into a command string. If executed by a shell or combined with the internal execSync wrapper, shell metacharacters can be misused.
"command": "node {{workspace}}/vector-memory/smart_memory.js --search \"{{query}}\" --max-results {{max_results|5}}"
Use safe structured argument passing in the skill manifest, enforce escaping at the runner boundary, and validate all tool arguments before execution.
A crafted file path using traversal such as ../ could read files outside the intended memory area, potentially exposing local secrets or configuration.
memory_get accepts filePath from the tool call and reads the joined path without resolving and checking that it remains under MEMORY.md or the memory directory.
const fullPath = path.join(WORKSPACE, filePath); ... fs.readFileSync(fullPath, 'utf-8');
Resolve paths canonically, reject absolute paths and '..', restrict reads to approved memory files/directories, and consider line-range limits.
Your memory notes may be duplicated into vectors_local.json and reused in later searches, so anyone with workspace access could read indexed content.
The vector index stores the full content of memory chunks along with embeddings in a persistent local JSON database.
db.chunks.push({ path: relativePath, ... content: chunk.content, embedding: embedding, hash: fileHash })
Only sync intended memory files, protect the workspace, and delete or regenerate the vector database when removing sensitive memory.
Following the optional GitHub install path could run remote code or install changing dependencies if the source is not verified.
The optional installer pattern runs a remote shell script from a placeholder GitHub source and later performs npm install; this is user-directed but has weak provenance and pinning.
curl -sL https://raw.githubusercontent.com/YOUR_USERNAME/vector-memory-openclaw/main/install.sh | bash
Prefer the reviewed registry artifact, publish a real verified repository, pin dependencies with a lockfile, and avoid curl|bash installation guidance.
Using the sample password in a shared deployment or placing real API keys in docs or shell history could weaken account and database security.
The optional pgvector guide includes a fixed example database password and an API key placeholder. It is documentation, not active code, but users may copy it.
export PG_PASSWORD=openclaw_memory_2025
export OPENAI_API_KEY=sk-...
Use unique generated secrets, keep real API keys out of committed files, and rotate any credential accidentally copied from examples.
