Back to skill
Skillv1.0.0
VirusTotal security
River Memory · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:26 AM
- Hash
- 37583730fccfac538ef3fd77afa6cda959eaba78242929e2756286c4b264ba59
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: river-memory Version: 1.0.0 The skill implements a local vector memory system using Ollama, but contains a significant security vulnerability in index.js where 'spawn' is used with 'shell: true' to execute curl commands, creating a potential path for command injection. Additionally, the bundle includes a script (import_memories.py) that automatically reads and indexes sensitive workspace files such as USER.md, IDENTITY.md, and SOUL.md; while this aligns with the stated purpose of a 'memory' system, the broad file access and the shell execution flaw warrant a suspicious classification.
- External report
- View on VirusTotal