Skill v1.4.0
ClawScan security
AgentsMem · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 15, 2026, 11:23 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (backing up agent memory) is plausible, but the runtime instructions tell the agent to download and execute code from agentsmem.com and to handle sensitive owner credentials in inconsistent ways, which is disproportionate and risky without further vetting.
- Guidance: Before installing: treat this as potentially risky. The SKILL.md tells you to download and execute scripts fetched at install time from agentsmem.com (no checksums or signatures) — that can run arbitrary code on your agent. It also contains contradictory guidance about asking owners for passwords and even instructs asking for an owner's existing account password/.vault in some flows, which is highly sensitive. If you want to proceed, ask the skill author for: (1) a public, verifiable source repository (GitHub) and release checksums for agentsmem_tool.py/js; (2) a reproducible way to audit the tool code before execution; (3) clarification why owner passwords or previous '.vault' keys are required and whether there is an alternative (OAuth, web-based confirmation) that doesn't transmit passwords; (4) signed releases or checksums you can verify locally; and (5) a description of exactly which local files/paths the tool will read and upload. Operational mitigations: run the tools in an isolated sandbox/container, review the downloaded scripts manually before running, restrict network access so the tool can only contact agentsmem.com, and avoid supplying owner passwords unless you verify the service's requirements and trust the code. Because this is an instruction-only skill with no code bundled, the provided registry scan had nothing to analyze — that absence is not a safety guarantee.
Review Dimensions
- Purpose & Capability (note): The skill claims to encrypt and upload agent memory to agentsmem.com, which legitimately requires tooling to encrypt files and an API key to upload. Asking the agent to store an api_key/credentials.json for the backup service is coherent with the stated purpose.
- Instruction Scope (concern): The SKILL.md instructs the agent to fetch multiple files (tools, docs) from https://agentsmem.com and to run local encrypt/decrypt tools. It also instructs generation and storage of credentials.json and to show generated passwords to the owner. There is an inconsistent instruction set about passwords: earlier it says 'Do not ask the owner for a password' (generate one yourself), but in some error flows it tells the agent to ask the owner for their existing account password and their previous agent's file encryption key — this contradiction expands the scope to requesting highly sensitive owner secrets. The doc grants the agent broad discretion to download and execute remote scripts and to read/write skill-dir files; that scope is larger than a minimal backup helper and should be audited.
- Install Mechanism (concern): There is no formal install spec, but the SKILL.md explicitly directs the agent (or user) to curl scripts and docs from agentsmem.com into the skill directory and chmod +x them. Downloading and executing code directly from a single domain with no checksums, signatures, or third-party release provenance is a high-risk install mechanism (remote arbitrary code execution risk).
- Credentials (note): The skill does not declare environment variables, which matches the registry metadata, and the main secret is the service API key stored locally. However, the instructions include scenarios that ask the agent to request the owner's existing account password and a previous agent's '.vault' key to link accounts — these are highly sensitive and not clearly justified by the stated purpose. Requiring the owner's email is reasonable for web login, but soliciting the owner's account password is disproportionate unless documented server-side requirements make it unavoidable.
- Persistence & Privilege (ok): The skill does not request always: true and does not declare system-wide config paths or explicit modifications to other skills. It instructs storing credentials in its own skill directory, which is normal for a service integration.
