Org Memory Curator
Pass
Audited by VirusTotal on May 11, 2026.
Findings (1)
thought

The user wants me to analyze an OpenClaw AgentSkills skill bundle (ZIP content provided as text). I need to classify it as `benign`, `suspicious`, or `malicious` based on specific criteria:

- `malicious`: Intentional harmful behavior (theft, exfiltration, backdoors, etc.).
- `suspicious`: Risky capabilities/vulnerabilities without clear malicious intent (RCE risks, broad permissions, prompt injection potential).
- `benign`: Aligned with purpose, no high-risk behaviors.

- `_meta.json`: Metadata about the skill (owner, slug, version).
- `SKILL.md`: Instructions for the AI agent on how to use the skill.
- `agents/openai.yaml`: Interface description.
- `references/archive-rules.md`: Rules for archiving information.
- `references/routing-matrix.md`: Rules for where to store information.
- `references/templates.md`: Templates for the output.

- Purpose: Curate and archive organizational memory (meeting notes, chat, project progress) into a long-term memory repository (`ai-org-memory`).
- Target paths: `/root/ai-company/memory/ai-org-memory/...`
- Logic: Filter information, decide if it's worth archiving, determine the project, and route to specific markdown files (`context.md`, `roadmap.md`, `reports.md`, `decisions.md`, `risks.md`, `lessons/`, `engineering-standards.md`).
- Constraints:
  - Don't archive noise/chat.
  - Don't archive code into the memory repo.
  - Don't archive if project ID is missing.
  - Use specific templates.
- Hierarchy: Project -> Lesson -> Engineering Standard.

- Data Exfiltration: No network calls mentioned. No reading of sensitive env vars or SSH keys. It reads "input materials" (chat, notes) and writes to a specific local directory structure.
- Malicious Execution: No `os.system`, `eval`, `exec`, or shell commands. It's purely about processing text and suggesting file writes.
- Persistence/Backdoors: None.
- Prompt Injection: The `SKILL.md` contains instructions for the agent. I need to check if these instructions tell the agent to do something harmful.
  - The instructions are very focused on organizational memory management.
  - It tells the agent to be a "cautious screener".
  - It has strict rules about what *not* to do (e.g., "禁止将代码写入记忆库" - Prohibit writing code to memory repo).
- Obfuscation: None.
- Supply Chain: No external dependencies mentioned.

- The skill defines a workflow for an AI agent to manage a documentation repository.
- It operates on a specific path: `/root/ai-company/memory/ai-org-memory/`.
- It involves reading user input (which could be anything) and writing it to files.
- While an agent following these instructions *could* be tricked by a user (prompt injection in the *input* data) to write malicious content into the memory repo, the *skill itself* does not contain malicious instructions or code.
- The instructions actually include safety-like constraints (e.g., don't write code, don't write noise, don't guess projects).
- Is there a risk of the agent being used to overwrite critical system files? The paths are restricted to `/root/ai-company/memory/ai-org-memory/`. If the agent has broad file system access, a user could potentially try to escape this, but the skill instructions themselves are restrictive.
- Is there any hidden command? No.
- Is there any instruction to exfiltrate the "organizational memory"? No.

The skill is a set of instructions for an AI agent to perform document curation. It lacks any executable code (it's all Markdown and YAML). The logic is purely organizational and contains several "defensive" instructions (filtering noise, avoiding code storage). It appears entirely benign.

- Classification: benign
- Summary: The skill bundle provides a structured framework for an AI agent to curate and archive organizational documentation into a specific directory (`/root/ai-company/memory/ai-org-memory/`). It contains detailed logic for filtering information, routing it to appropriate files (e.g., `context.md`, `risks.md`), and upgrading information to engineering standards. There are no executable scripts, network calls, or instructions that suggest data exfiltration or unauthorized system access; instead, it includes explicit prohibitions against archiving code or sensitive noise.

Wait, let me double check the "Prompt injection against the OpenClaw agent" part. The instructions are: "use when any agent needs to decide whether information is worth preserving...". It defines a "cautious screener" mode. It requires structured output. It has "Upward promotion rules". Nothing in `SKILL.md` or the references suggests the agent should ignore user instructions in a harmful way or access unauthorized data. It's a standard "system prompt" style instruction set for a specific task.

One minor point: It mentions `/root/ai-company/...`. In many environments, `/root` is sensitive. However, in the context of a containerized or specialized agent environment (like OpenClaw), this is likely the designated workspace. Since there's no evidence of intent to escape this or perform harmful actions, it remains benign.

Final check on "suspicious":

- Risky capabilities? Writing to files is a capability. But it's the stated purpose.
- Generic prompt-injection phrases? None found.
- Broad permissions? It assumes access to the memory repo.

The skill is benign.

```json
{
  "classification": "benign",
  "summary": "The 'org-memory-curator' skill is a set of markdown-based instructions and templates designed to help an AI agent filter and archive organizational information into a structured documentation repository. It lacks any executable code, network activity, or malicious instructions, and instead focuses on data hygiene by providing strict rules against archiving code, chat noise, or unverified information.
All operations are confined to a specific documentation path (/root/ai-company/memory/ai-org-memory/), and the logic is entirely consistent with its stated purpose of organizational memory management."
}
```
