Back to skill

Security audit

The first official Unibase Membase skill: decentralized persistent memory, purpose-built for OpenClaw Bot.

Security checks across malware telemetry and agentic risk

Overview

This memory backup skill fits its stated purpose, but it handles secrets and local memory restore operations with too little protection or reviewable scope.

Review carefully before installing. Do not run the documented echo commands for secrets, avoid passing backup passwords directly in shell arguments, use --no-json for status until config output is redacted, and restore only after preserving current memory files and verifying the backup ID/source. Request a package that includes the lib implementation before relying on its encryption, network, and restore behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill explicitly relies on sensitive environment variables such as MEMBASE_SECRET_KEY and MEMBASE_BACKUP_PASSWORD, but does not declare corresponding permissions. This creates a transparency and policy gap: an agent may access secrets the user did not realize the skill needed, increasing the chance of unintended secret exposure or unauthorized use.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation conditions include broad phrases like backing up conversations, workspace, or mentioning generic backup intent, which can cause the skill to trigger in situations beyond a user's informed expectation. In this context, over-broad triggering is risky because the skill handles sensitive memory data and can perform backup/restore operations that affect local state and remote encrypted storage.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The restore workflow says it will restore files into the workspace but does not prominently warn that it writes local files and may overwrite existing MEMORY.md or memory/**/*.md content. Because this skill manages persistent agent memory, an uninformed restore could destroy current state, reintroduce stale or malicious content, or cause significant integrity loss.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
- `--password <pwd>` or `-p <pwd>` - Encryption password (required if not in env)
- `--incremental` or `-i` - Only backup changed files since last backup
- `--workspace <path>` - Custom workspace directory
- `--no-validate` - Skip password strength validation
- `--no-json` - Don't output JSON for agent parsing

**Example conversation:**
Confidence
88% confidence
Finding
--no-validate

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.