Memory System Pro V2

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This memory skill is purpose-aligned, but it needs review because it can access files outside its memory folder, builds shell commands from memory/search text, and can automatically send private memories to an external LLM.

Install only if you are comfortable with persistent memories being stored locally and, when AutoDream is enabled with a MiniMax key, sent to MiniMax for consolidation. Before using it, restrict memory_get and memory_write to the memory directory, fix the shell-based Ollama call, disable or review AutoDream by default, and add backups for memory changes.

Static analysis

Env credential access

Critical
Finding
Environment variable access combined with network send.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted memory entry or search query could potentially cause unintended local commands to run with the agent's permissions.

Why it was flagged

The skill constructs a shell command with embedding text inserted into a quoted curl command and executes it via execAsync. Only double quotes are escaped, so search queries or memory contents containing shell metacharacters such as single quotes could break out of the command.

Skill content
const curlCmd = `curl -s http://localhost:11434/api/embeddings -d '{"model": "${model}", "prompt": "${cleanText.replace(/\"/g, '\\\"')}"}'`;
const { stdout } = await execAsync(curlCmd, { timeout: 30000 });
Recommendation

Avoid shell construction for embeddings; call Ollama with a safe HTTP client or spawn curl with an argument array, and validate or escape all user-controlled text.

What this means

If the tool is invoked with an absolute path or ../ traversal, it may read arbitrary files accessible to the OpenClaw process rather than only memory files.

Why it was flagged

The memory_get path resolver allows absolute paths and does not normalize-and-check that relative paths stay inside memoryDir. This contradicts the tool description that paths are relative to the memory directory.

Skill content
if (!path.isAbsolute(p)) {
  return path.join(baseDir, p);
}
return path.resolve(p);
Recommendation

Constrain memory_get to the configured memory directory by resolving the final path and rejecting absolute paths or paths that escape the directory.

What this means

The agent could overwrite or create files outside the intended memory store if given or induced to use an unsafe path.

Why it was flagged

The memory_write path resolver also allows absolute paths or traversal outside memoryDir, and the overwrite mode writes directly to the resolved path.

Skill content
if (!path.isAbsolute(p)) {
  return path.join(baseDir, p);
}
return path.resolve(p);
...
await fs.writeFile(fullPath, content, 'utf-8');
Recommendation

Restrict writes to a safe memory subtree, reject traversal and absolute paths, and consider requiring explicit user confirmation for overwrite mode.

What this means

Private user preferences, feedback, project details, or references stored as memories may be transmitted to MiniMax during automatic consolidation.

Why it was flagged

AutoDream builds a prompt from memory file contents and sends it to the external MiniMax API. The skill documents User and Feedback memories as private, and AutoDream is enabled by default.

Skill content
await fetch('https://api.minimaxi.com/anthropic/v1/messages', {
  method: 'POST',
  headers: { ... 'Authorization': `Bearer ${apiKey}` ... },
  body: JSON.stringify({ ... messages: [ { role: 'user', content: prompt } ] })
});
...
.map(f => `## ${f.relativePath}\n${f.content.slice(0, 3000)}`)
Recommendation

Make external LLM use opt-in, clearly declare the MiniMax credential and data sharing, provide redaction/exclusion controls, and require approval before sending private memories.

What this means

A mistaken or manipulated consolidation could remove or rewrite memories and affect future agent sessions.

Why it was flagged

The documented default workflow lets a scheduled LLM process automatically mutate persistent memory state, including deletion and index updates, without describing a dry run, approval gate, backup, or rollback.

Skill content
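Scheduled trigger (daily at 22:00) or manual trigger
           ↓
Scan all memory files + session history
           ↓
Call MiniMax LLM for analysis
           ↓
Automatically apply consolidation:
  - Add missing memories
  - Delete outdated memories
  - Update the MEMORY.md index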
Recommendation

Use a review-before-apply workflow for AutoDream changes, keep backups/version history, and show users exactly which memory files will be added, deleted, or updated.

What this means

Incorrect, stale, or maliciously edited memory files could steer future responses.

Why it was flagged

Automatic loading of persistent memories is central to this skill, but it means stored content can influence later sessions and should be treated as user-editable context rather than trusted instructions.

Skill content
"hooks": {
  "onSessionStart": {
    "description": "会话启动时自动加载记忆"
  },
  "onHeartbeat": {
    "description": "心跳时检查并触发 AutoDream"
  }
}
Recommendation

Review memory files periodically, separate facts from instructions, and ensure the agent treats loaded memories as context that can be challenged or confirmed.

What this means

Users may not realize the skill can use a local MiniMax credential for external API calls.

Why it was flagged

The code reads a MiniMax API key from configuration or environment, while the registry metadata lists no required environment variables or primary credential.

Skill content
if (config.autoDream.apiKey.startsWith('env:')) {
  const envVar = config.autoDream.apiKey.slice(4);
  return process.env[envVar];
}
...
return process.env.MINIMAX_CODING_API_KEY;
Recommendation

Declare the MiniMax credential in metadata and document when it is used, what data is sent, and how to disable it.