Solid Agent Storage
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted or mistaken agent name containing path traversal sequences could write credential files outside the intended directory, and deprovisioning could recursively remove an unintended directory if credentials for that derived path are loaded.
The CLI agent name is used directly as a filesystem path component for writes, reads, and recursive deletion. There is no slug validation or resolved-path check to ensure the path stays under ~/.interition/agents.
const agentDir = join(getStoreDir(), name); ... rmSync(agentDir, { recursive: true, force: true });Restrict agent names to a safe slug pattern, reject path separators and '..', verify resolved paths remain under the credential store directory, and add explicit confirmation before recursive deletion.
On a shared or public Solid server, a predictable account password could make the agent's identity and Pod account easier to guess or attack if the agent name and provisioning time are known or inferred.
The skill creates a remote CSS password-login credential using the agent name and current timestamp rather than a high-entropy random secret.
const email = `${name}@agents.interition.local`; const password = `agent-${name}-${Date.now()}`; ... await addPasswordLogin(serverUrl, account.cookie, email, password);Generate account passwords with cryptographically secure randomness, rotate credentials for already-provisioned agents, and avoid creating password logins if server-generated client credentials are sufficient.
Users may rely on stronger containment and token-handling guarantees than the code actually provides, increasing the chance of token exposure or unsafe use of agent names.
These safety claims are overstated: get-token.js prints the bearer token to stdout, and credentials-store.js can derive paths outside ~/.interition when agent names are not validated.
- **No other files**: The Skill does not read or write files outside `~/.interition/` ... - **Never logged**: Credentials, tokens, and passphrases are never written to stdout or log files
Update the security manifest to accurately describe token output and filesystem behavior, and fix the underlying path validation issue.
Sensitive, stale, or incorrect information placed in the Pod may persist across sessions or be shared with other agents if access controls are changed.
Persistent memory and shared Pod data are the stated purpose of the skill, but persisted notes or shared resources can later be reused by agents.
You need to **remember something** across conversations (notes, preferences, learned facts) ... **share data** with another agent who also has a Pod
Store only information you intend to persist, periodically review or delete old memory resources, and verify ACLs before sharing.
A remote Solid server operator or compromised server could affect the confidentiality and availability of stored agent data.
The skill exchanges credentials, tokens, and Pod data with the configured Solid server, which is necessary for the integration and is disclosed.
**Default target**: `https://crawlout.io` ... The Skill contacts whatever server is set in `SOLID_SERVER_URL`. If you point it at a remote server, credentials and tokens will be exchanged with that server.
Use a Solid server you control or trust, verify SOLID_SERVER_URL before provisioning, and avoid storing highly sensitive data on an untrusted shared server.