Self-improving Agent Memory Upgrade (SurrealDB)

Security checks across malware telemetry and agentic risk

Overview

This memory skill is mostly transparent about what it does, but it exposes powerful install, repair, service-start, source-patching, secret-handling, and background-memory behaviors that need careful review before use.

Install only if you are comfortable with a memory system that can read local memory files, send them to OpenAI, store long-lived facts, and optionally run background extraction. Avoid the web UI and gateway auto-repair/install buttons unless you trust the local environment; install SurrealDB manually, use a dedicated Python venv, change the default root/root credentials, keep SurrealDB bound to 127.0.0.1, audit memory files for secrets, and verify cron and auto-injection settings before enabling them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (63)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def install_python_deps() -> dict:
    """Install Python dependencies."""
    try:
        result = subprocess.run(
            [sys.executable, "-m", "pip", "install", "surrealdb", "openai", "pyyaml"],
            capture_output=True,
            text=True,
Confidence
90% confidence
Finding
result = subprocess.run( [sys.executable, "-m", "pip", "install", "surrealdb", "openai", "pyyaml"], capture_output=True, text=True, timeout=120

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        DATA_DIR.mkdir(parents=True, exist_ok=True)

        # Start in background
        process = subprocess.Popen(
            ["surreal", "start", "--user", "root", "--pass", "root", f"file:{DB_FILE}"],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
Confidence
93% confidence
Finding
process = subprocess.Popen( ["surreal", "start", "--user", "root", "--pass", "root", f"file:{DB_FILE}"], stdout=subprocess.PIPE, stderr=subprocess.PIPE,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        if not schema_file.exists():
            return {"success": False, "error": "schema.sql not found"}

        result = subprocess.run(
            [
                "surreal", "import",
                "--conn", "http://localhost:8000",
Confidence
92% confidence
Finding
result = subprocess.run( [ "surreal", "import", "--conn", "http://localhost:8000", "--user", "root", "--pass", "root

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        if system == "darwin":
            # macOS - try homebrew first
            if shutil.which("brew"):
                result = subprocess.run(
                    ["brew", "install", "surrealdb/tap/surreal"],
                    capture_output=True,
                    text=True,
Confidence
91% confidence
Finding
result = subprocess.run( ["brew", "install", "surrealdb/tap/surreal"], capture_output=True, text=True, t

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                    timeout=300
                )
            else:
                result = subprocess.run(
                    ["sh", "-c", "curl -sSf https://install.surrealdb.com | sh"],
                    capture_output=True,
                    text=True,
Confidence
99% confidence
Finding
result = subprocess.run( ["sh", "-c", "curl -sSf https://install.surrealdb.com | sh"], capture_output=True, text=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                    timeout=300
                )
        elif system == "linux":
            result = subprocess.run(
                ["sh", "-c", "curl -sSf https://install.surrealdb.com | sh"],
                capture_output=True,
                text=True,
Confidence
99% confidence
Finding
result = subprocess.run( ["sh", "-c", "curl -sSf https://install.surrealdb.com | sh"], capture_output=True, text=True, timeo

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented primarily as a memory system, but the documentation describes substantially broader and more privileged behavior: installing software, starting services, modifying OpenClaw source, and performing migrations and maintenance. That mismatch is dangerous because users may enable it expecting a bounded memory feature while actually granting a package installer, local service manager, and code-patching integration path with significant host impact.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The changelog claims scanner-flagged suspicious behaviors were eliminated, but the same section explicitly states high-risk behaviors like a network installer and source-patching still exist behind opt-in controls. This is a misleading security claim that can cause reviewers or users to underestimate residual risk and approve or run the skill with insufficient scrutiny.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This gateway exposes installation and service-management actions (`memory.install.*`, repair, startup) that go beyond a normal memory interface and materially increase the skill's authority. In an agent setting, these capabilities let a caller modify the host system and start persistent software, which expands the attack surface and makes abuse or unintended side effects more likely.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
`installSurrealDb()` executes `curl -sSf https://install.surrealdb.com | sh`, which downloads and runs remote shell code without integrity verification or review. This is a classic supply-chain/RCE risk: compromise of the endpoint, TLS interception, or a malicious script response leads to arbitrary code execution on the host.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code installs Python packages at runtime via `pip install ...` from gateway-triggerable handlers, causing host modification and dependency resolution from remote registries as a side effect. This creates supply-chain risk and lets an agent or caller alter the runtime environment without a clear trust boundary.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
`startSurrealDb()` writes to the filesystem and spawns a detached database server process that persists beyond the request lifecycle. In an agent-exposed interface, process creation and persistence are sensitive administrative actions that can be abused for stealthy service creation, resource consumption, or unauthorized state changes.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The extraction handler reads `~/.openclaw/secrets.json` and injects all key/value pairs into the child process environment. This over-broad secret exposure violates least privilege and can leak unrelated credentials to the Python script, its subprocesses, logs, crash dumps, or any code execution reached within that extraction path.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill claims per-agent isolation, but `get_episode()` fetches any episode by ID without checking `agent_id`, and `get_stats()` aggregates all episodes globally. In a multi-tenant or multi-agent deployment, this can expose other agents' data and leak cross-agent usage patterns, violating the advertised isolation boundary.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The fallback text search path queries episode records by goal/task text and `completed_at` without filtering by `agent_id`, while the semantic-search path does apply agent scoping. If embeddings are unavailable or fail, queries can return episodes belonging to other agents, creating an inconsistent and bypassable isolation control.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The tool hard-codes a single SurrealDB namespace/database and root credentials, so all users of the CLI operate on the same memory store rather than isolated per-agent memory. In a memory system, this creates cross-tenant data exposure and contamination risks: one agent can read, infer, or overwrite another agent's facts, defeating the isolation promised by the skill metadata.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill claims per-agent isolation, but the implementation uses a single shared SurrealDB namespace/database and a shared cache file under the user's home directory with no agent identifier or access control boundary. In a multi-agent or multi-session environment, one agent can read or overwrite another agent's stored facts or cached context, causing cross-tenant data leakage and context poisoning.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The code hard-codes a single SurrealDB namespace/database and none of the read or write paths include any agent identifier, tenant boundary, or access-control filter. In a memory skill that claims per-agent isolation, this means one agent can read or overwrite another agent's stored facts, causing cross-tenant data leakage and integrity issues.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The embedding helper sends raw query/content text to OpenAI, which is an external network destination outside the local SurrealDB memory store described by the skill. Because the text may contain sensitive memory contents, queries, or user-provided facts, this expands the trust boundary and can leak confidential data to a third party without clear disclosure or opt-in.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill description promises per-agent isolation, but the code uses a single shared SurrealDB namespace and database with no agent identifier in stored records or query filters. In a multi-agent deployment, this can cause cross-agent data exposure, contamination of memory, and unauthorized retrieval or modification of another agent's facts.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The UI exposes host-level installation and process-management capabilities that exceed the legitimate scope of a memory-management interface. This broadens the blast radius from application data management to full host modification, making abuse significantly more dangerous in this skill context.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The auto-repair workflow chains installation, package management, service startup, and schema initialization into a single remotely triggerable action. In the context of a memory skill, this is unjustified and especially dangerous because it gives an attacker one-call host reconfiguration and code-execution pathways.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
These POST endpoints perform sensitive administrative and destructive actions without any authentication, authorization, or CSRF protection, while also sending permissive CORS headers. Even if bound to localhost by default, local malicious webpages or users on a misconfigured bind can invoke repair, install, start, schema import, and maintenance actions.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The instructions explicitly start SurrealDB with `--user root --pass root` and later repeat `user: root` / `password: root`, normalizing default administrative credentials. Even though the service binds to localhost, any local process, compromised user session, container escape, or forwarded port could authenticate with trivial credentials and fully control or exfiltrate the memory database.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README promotes automatic injection of retrieved memory into agent prompts but does not warn users that sensitive, stale, or cross-context data may be surfaced into future interactions. In a memory skill whose core purpose is storing and recalling user/task knowledge, this omission increases the chance of privacy leakage, over-sharing, and prompt contamination through automatically injected context.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal