Solid Agent Storage
Security checks across malware telemetry and agentic risk
Overview
The skill mostly matches its Solid storage purpose, but it needs review because it creates persistent online accounts and credentials while using weak generated passwords and unsafe local path handling for agent names.
Install only if you are comfortable giving the agent a persistent Solid identity and remote Pod storage. Use a Solid server you trust, treat printed Bearer tokens as secrets, avoid sensitive data unless needed, and do not use unusual agent names until the path validation and password-generation issues are fixed.
VirusTotal
44/44 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or malicious agent name could cause the skill to write credentials outside its stated directory or delete more local files than intended.
The local credential path is built directly from the user-supplied agent name, and deletion uses recursive force removal. Names containing path traversal such as '..' could escape the intended ~/.interition/agents directory if accepted in the workflow.
const agentDir = join(getStoreDir(), name); ... rmSync(agentDir, { recursive: true, force: true });Validate agent names against a safe pattern, reject path separators and '..', resolve paths, and ensure every write/delete remains inside ~/.interition/agents before performing filesystem operations.
If an attacker can guess the agent name and approximate provisioning time, the Solid account password may be easier to guess than expected, potentially exposing the agent’s Pod and account controls.
Provisioning creates a password-login account using a predictable password derived from the agent name and current timestamp instead of cryptographically random secret material.
const email = `${name}@agents.interition.local`; const password = `agent-${name}-${Date.now()}`; ... await addPasswordLogin(serverUrl, account.cookie, email, password);Generate account passwords with cryptographically secure randomness, avoid predictable components, and consider whether password login is needed at all after client credentials are issued.
Users may incorrectly assume access tokens will never appear in command output or logs, even though the token helper prints them for use with curl.
This security claim is inaccurate: dist/cli/get-token.js prints a JSON object containing token: json.access_token to stdout. Token output is purpose-aligned, but the manifest understates the exposure.
Credentials, tokens, and passphrases are never written to stdout or log files
Update the security documentation to state that short-lived Bearer tokens are intentionally printed to stdout, and warn users not to store or share command output containing tokens.
Information stored in the Pod can persist beyond one chat and may affect future agent behavior or be shared if ACLs are changed.
The skill intentionally provides persistent memory in a Solid Pod, which is purpose-aligned and disclosed, but persisted notes and preferences can become sensitive or be reused across tasks.
You need to remember something across conversations (notes, preferences, learned facts)
Store only information you are comfortable persisting, periodically review Pod contents and ACLs, and use a Solid server you trust.
Importing the package entry point or relying on the advertised sharing helpers may fail unexpectedly.
The provided file manifest does not include dist/sharing/index.js, so the package entry point references a missing module. The included management scripts do not appear to use this path, but it is a package completeness issue.
export { grantAccess, revokeAccess } from './sharing/index.js';Publish the missing sharing module or remove the export, and verify the packaged artifact is complete before installation.