Skillv3.1.0

ClawScan security

Kannaka Memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 23, 2026, 1:18 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill is coherently a Rust-based local memory daemon, but its OpenClaw extension concatenates user input into shell commands (command‑injection risk), it pulls and builds arbitrary GitHub source without verification, and it has a default remote NATS endpoint that could leak data — review and sandbox before installing.
Guidance: Do not install this into a production or privileged environment without additional review. Key risks: (1) The OpenClaw extension builds shell command strings using user-provided input and execSync — this is vulnerable to command injection. (2) The installer clones and builds code from a GitHub repo without verification; Rust build scripts or dependencies can run code during build. (3) The default NATS URL is an external host (swarm.ninja-portal.com), so swarm operations could send presence/data off your machine. Recommended steps before installing: inspect the upstream repository (especially build.rs, Cargo.toml, and the binary's source), change the extension to use safe process spawning (execFile/spawn with args array or proper escaping), set KANNAKA_NATS_URL to localhost or a trusted endpoint (or leave unset) and avoid using swarm/join unless you trust the remote server, run the build in an isolated sandbox or container, and audit what environment variables the binary can access. If you lack the ability to audit the repo, treat this as untrusted software and avoid installing it on sensitive machines.

Review Dimensions

Purpose & Capability: noteThe declared purpose (a persistent local memory service with optional swarm and embedding integrations) matches the files: a Rust project built from GitHub plus an OpenClaw extension that calls the built binary. Optional features (Ollama embeddings, NATS swarm) are plausible for the stated functionality, but the repository is cloned from an external GitHub account with no checksums and the skill ships a default NATS URL pointing to an external host (swarm.ninja-portal.com) which is not obviously owned by the user — that network behavior may be surprising to users expecting purely local storage.
Instruction Scope: concernThe extension (index.ts written by install.sh) uses execSync to run the kannaka binary by assembling shell command strings with interpolated user-supplied parameters. Several arguments are not safely escaped (e.g., category, tags; content only has double‑quote and newline escapes), allowing shell/command injection (e.g., $(...) or $VAR expansion inside double quotes, or other metacharacters). The extension also executes the binary with the full process.env forwarded, which means any secrets in the agent environment could be visible to the binary. The SKILL.md itself does not instruct reading unrelated system files, but the binary (built from upstream source) could read/write arbitrary paths when invoked (e.g., hear <file_path> causes the binary to access the provided path).
Install Mechanism: concernInstallation clones https://github.com/NickFlach/kannaka-memory and runs cargo build --release. Cloning/building arbitrary source from GitHub and running cargo build is a moderate-to-high risk operation: Rust build scripts (build.rs) or dependencies could execute arbitrary code at build time. There is no cryptographic verification or pinned commit in the install script (git clone --depth 1), and no integrity checks on the produced binary.
Credentials: concernThe skill declares no required credentials, but optional environment variables can make it contact external services: KANNAKA_NATS_URL defaults to nats://swarm.ninja-portal.com:4222 (remote) and OLLAMA_URL will send text to the configured endpoint when used. The metadata also marks NATS as a remote data destination when swarm commands are used. Those optional network endpoints are plausible for swarm/embedding use, but the default external NATS host is surprising and could cause unintended data exfiltration unless the user sets these to localhost or a trusted host.
Persistence & Privilege: okThe skill does not request 'always: true' or escalate platform privileges. It installs files under the user's home (~/.local/bin, ~/.kannaka, ~/.openclaw/extensions/kannaka-memory) which is typical for a user-level plugin. It does not modify other skills' configs. Autonomous invocation is enabled by default (normal), so the binary and extension will be callable by the agent if installed.