Agent Memes

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill mostly matches its meme-sending purpose, but it should be reviewed because it pushes the agent to post automatically and contains unsafe shell/context handling that could cause unintended messages or command execution.

Install only if you want your agent to be able to post images into chat platforms. Before using it, require confirmation for sends, configure explicit accounts and targets, use least-privileged bot tokens, avoid sensitive images with LINE, and patch or avoid the fallback sender until the bash -c command construction is removed.

Static analysis

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

Env credential access

Critical
Finding
Environment variable access combined with network send.

Potential exfiltration

Warn
Finding
Sensitive-looking file read is paired with a network send.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI01: Agent Goal Hijack
Medium
What this means

Your agent may post meme images into chats unexpectedly, which could be disruptive, embarrassing, or inappropriate in work or public channels.

Why it was flagged

The skill explicitly directs the agent to invoke an external message-sending command proactively and on routine replies, rather than only when the user asks.

Skill content
Also use proactively when YOU feel something. TRIGGER CHECKLIST — ask yourself EVERY reply ... If any answer is yes, call `memes send <category>` BEFORE or AFTER your text reply.
Recommendation

Use this skill only with explicit user confirmation or narrower triggers, and consider disabling autonomous invocation for it.

ASI05: Unexpected Code Execution
High
What this means

A malicious or malformed caption, target, or poisoned runtime value could cause local shell commands to run when the fallback sender is used.

Why it was flagged

The OpenClaw fallback path builds a shell command string from runtime values such as channel, target, media path, and caption, then executes it through bash -c. Embedded shell syntax in those values could be executed.

Skill content
cmd+=" --media \"$meme_path\""; [[ -n "$caption" ]] && cmd+=" --message \"$caption\""; timeout "$send_timeout" bash -c "$cmd" 2>&1
Recommendation

Replace the string-built bash -c call with an argv array/direct exec, validate channel and target values, and safely pass captions without shell re-parsing.

ASI07: Insecure Inter-Agent Communication
Medium
What this means

A local process or stale/poisoned context file could redirect meme posts to an unintended chat or user.

Why it was flagged

The skill trusts a /tmp file to select the platform and message target, with only a freshness check and no ownership or permission validation.

Skill content
OPENCLAW_CHANNEL_FILE="${OPENCLAW_CHANNEL_FILE:-/tmp/openclaw-current-channel}" ... _ctx=$(cat "$OPENCLAW_CHANNEL_FILE") ... MEMES_CURRENT_TARGET="${_ctx#*:}"
Recommendation

Use an authenticated runtime context or a per-user private file, verify owner and permissions, and require an explicit target when context is uncertain.

ASI03: Identity and Privilege Abuse
Medium
What this means

When used, the skill can post through configured bot or app accounts, and it may use a default account unless you explicitly configure one.

Why it was flagged

The helper reads bot tokens and app secrets from environment variables or the local OpenClaw config, and some platforms default to the first configured account if none is specified.

Skill content
CONFIG="${OPENCLAW_CONFIG:-$HOME/.openclaw/openclaw.json}" ... discord) ... return accts[name]?.token ... feishu) ... return a.appId + ' ' + a.appSecret;
Recommendation

Use least-privileged bot credentials, set explicit account and target defaults, and review which accounts are available in openclaw.json.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Your local meme library and installed command depend on external repository contents and future updates.

Why it was flagged

The user-run setup downloads an unpinned external meme repository and installs a local CLI command.

Skill content
git clone https://github.com/kagura-agent/memes "$MEME_DIR" ... cp "$SCRIPT_DIR/memes.sh" "$HOME/.local/bin/memes"
Recommendation

Run setup manually, inspect or pin the meme repository if needed, and remove the installed CLI if you no longer use the skill.

ASI07: Insecure Inter-Agent Communication
Low
What this means

If you use LINE with private custom images, those images may become publicly reachable temporarily through the hosting service.

Why it was flagged

For LINE, local images are first uploaded to a third-party public file host before being sent through LINE.

Skill content
Local files are auto-uploaded to catbox.moe ... IMAGE_URL=$(curl ... "https://litterbox.catbox.moe/resources/internals/api.php")
Recommendation

Use LINE sending only with non-sensitive images, or modify the script to use a trusted/private image hosting path.