OpenClaw Universal Memory

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: openclaw-universal-memory
Version: 1.0.0

The skill bundle is classified as suspicious due to multiple potential prompt injection vulnerabilities against the AI agent and the underlying `openclaw_memory.cli` module. The `SKILL.md` documentation provides commands that accept user-controlled arguments such as `--dsn`, `--input`, `--query`, and `--connector-config`. The `scripts/run_memory.py` script passes these arguments directly to `subprocess.run`, which could lead to arbitrary file reads (via `--input`), SQL injection (via `--query`), or DSN exposure if the agent is prompted to provide sensitive values. While the `SKILL.md` includes security advice (e.g., not passing raw passwords in command-line arguments), the `--dsn` argument is still accepted by `run_memory.py` for the `configure-dsn` action, creating an inconsistency. There is no evidence of intentional malicious behavior like data exfiltration or persistence mechanisms in the provided files.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The code that would initialize schemas, ingest data, use connectors, and handle DSN configuration is not visible in the supplied artifacts, so its actual behavior cannot be verified here.

Why it was flagged

The reviewed manifest contains only SKILL.md, scripts/run_memory.py, and setup.json, while the launcher delegates all real work to an openclaw_memory.cli module that is not included for review.

Skill content

`"-m", "openclaw_memory.cli", args.action`

Recommendation

Do not install or run this until the full package source, dependency files, and connector documentation are available and reviewed; pin trusted dependencies if packaging is added.

What this means

If broad database credentials are used, the skill or its underlying package could affect more data than intended.

Why it was flagged

The skill needs database credentials to read and write its Postgres memory tables; this is expected for the stated purpose, but it is sensitive authority.

Skill content

DSN provided via environment variable (`DATABASE_DSN` by default).

Recommendation

Use a dedicated database or schema and least-privilege credentials limited to the intended um_* tables; avoid passing raw passwords in command-line arguments.

What this means

Private emails, messages, tasks, or other ingested records may remain searchable in Postgres until the user defines retention and deletion practices.

Why it was flagged

The skill stores source records, metadata, and cursor history for later search and retrieval, which is a persistent memory store.

Skill content

A connector returns normalized records + next cursor: ... `raw_json` ... `meta_json` ... `next_cursor`

Recommendation

Only ingest sources you are authorized to process, restrict database access, define retention/deletion rules, and validate connector outputs before bulk ingestion.