Security audit

Kannaka Memory

Security checks across malware telemetry and agentic risk

Overview

The skill matches its memory and swarm purpose, but its installer creates a persistent extension that can execute unsafe shell commands from tool inputs.

Review before installing, especially on any machine with sensitive files or credentials. If testing, use an isolated environment, inspect or pin the exact upstream commit being built, avoid storing secrets, and do not enable swarm or remote Ollama endpoints unless you intend that activity or text to leave the machine. The extension should be changed to use argument-array process execution, strict input validation, and confirmations for deletion and networked actions before normal use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Context-Inappropriate Capability

High

Confidence: 96% confidence
Finding: The installer writes an OpenClaw extension that exposes multiple local tools which invoke a locally installed binary via shell command construction. Several commands interpolate user-controlled fields into a string passed to execSync, and escaping is incomplete, creating command-injection risk and granting the skill persistent local code-execution capability beyond what the description clearly warns about.

Description-Behavior Mismatch

Medium

Confidence: 88% confidence
Finding: The installer clones remote code from GitHub and builds it locally with cargo, which executes a trust boundary crossing from the advertised skill into arbitrary upstream repository contents. Even if common for developer tooling, this is dangerous when not prominently disclosed because users may believe they are installing only the described skill behavior rather than fetching and compiling unpinned remote code.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill documents remote transmission to a public/default NATS endpoint and optional remote Ollama hosts, but it does not prominently warn that memory contents, swarm presence, or text sent for embeddings may leave the local machine. Because this is a memory-oriented skill handling potentially sensitive agent data, the absence of a clear privacy warning materially increases the risk of accidental data disclosure.

Missing User Warnings

Low

Confidence: 79% confidence
Finding: The extension exposes a memory-deletion capability (`kannaka_forget`) without any caution about permanence, confirmation requirements, or recovery limitations. In a persistent memory skill, destructive actions can cause unintended data loss or sabotage if invoked by mistake or through prompt/tool misuse.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The generated extension executes shell commands assembled from tool parameters without safe process spawning or robust sanitization. Inputs such as category, relation_type, memory_id, display_name, and similar fields are inserted into the command line with little or no escaping, so a crafted value can break argument boundaries and execute unintended shell commands.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal