River Memory
Warn
Audited by ClawScan on May 10, 2026.
Overview
River Memory is mostly a local memory/search skill, but its included code exposes a shell-command injection risk and can persist sensitive workspace profile files into long-term memory without clear user controls.
Install only if you are comfortable reviewing and modifying the code. Avoid using the Node implementation until the shell-based curl call is replaced, and do not run import_memories.py unless you want the listed workspace files stored in persistent local memory.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted memory or search query could potentially run local shell commands when the skill asks Ollama for embeddings.
The prompt text comes from memory_store content or memory_search queries, then is passed into a shell command. Shell execution with user-controlled text can allow command injection.
const proc = spawn('curl', [ ... '-d', JSON.stringify({ model: 'nomic-embed-text', prompt: text }) ], { shell: true });
Do not use the Node tool until this is fixed. Replace shell-based curl with a safe HTTP client such as fetch/axios, or run spawn without shell:true and with strict argument handling.
Private profile or identity information can become long-lived agent context and may later be surfaced or used in future interactions.
The import script reads local workspace profile, user, and identity files and stores their contents into the persistent vector-memory database.
files_to_import = [ ... (f"{WORKSPACE}/SOUL.md", "人格定义"), (f"{WORKSPACE}/USER.md", "用户信息"), (f"{WORKSPACE}/IDENTITY.md", "身份定义") ... ]
Only run the import script after reviewing the listed files. The skill should add explicit consent, path allowlists, exclusions, retention controls, and clear deletion instructions for imported memories.
Users may not have enough registry-level information to verify provenance or prepare the local environment safely.
The package includes executable code and depends on Ollama/Python/Node behavior, but the registry metadata does not declare a setup path, source, or required binaries.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill; Required binaries: none
Treat the code as the authoritative source, verify it before use, and require the publisher to declare runtime dependencies and provenance.
