Skill From Memory
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: skill-from-memory
Version: 0.1.2

The skill is classified as suspicious due to multiple critical shell injection vulnerabilities and a mechanism for propagating unvalidated executable code. Specifically, `scripts/create-skill.sh` uses user-controlled variables like `$DESCRIPTION` and `$SKILL_NAME` directly within heredocs (e.g., for `SKILL.md` and `README.md`), allowing for arbitrary command execution if these variables contain crafted input (e.g., `EOF` followed by shell commands). Additionally, `scripts/extract-from-history.sh` and `scripts/extract-from-memory.sh` extract raw code blocks from conversation history or memory files, which are then copied and made executable by `scripts/create-skill.sh` into the new skill's `scripts/extracted-code.sh` without sanitization, posing a significant supply chain risk for malicious code propagation. Other scripts like `scripts/create-and-publish.sh`, `scripts/extract-from-history.sh`, and `scripts/publish.sh` also exhibit shell injection risks through unquoted variables (`$SKILL_NAME`, `$PATTERN`, `$GITHUB_REPO`) when used in command arguments or path constructions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private details from selected session or memory files could be included in extracted output or influence the generated skill.
The script extracts user and assistant conversation content into local files for reuse. This matches the skill purpose, but conversation history can contain private or sensitive data.
`select(.message.role == "user" or .message.role == "assistant") ... > "$OUTPUT_DIR/conversation.txt"`
Use narrow source files, inspect extracted output and generated SKILL.md/scripts, and remove secrets or personal information before publishing.
If the generated skill contains mistakes or sensitive content, it may be published externally.
The publish script can push all generated skill files to GitHub and publish to ClawHub. This is expected for the skill, but it is a high-impact action under the user's accounts.
`git add -A ... git push origin main ... clawhub publish "$SKILL_PATH" --slug "$CLAWHUB_SLUG"`
Run the publish step only after reviewing the generated files; use --skip-github or --skip-clawhub when you want local-only creation.
Publishing or git operations will affect repositories and registry entries accessible to the logged-in user.
The workflow uses the user's GitHub SSH access and ClawHub login. This is disclosed and purpose-aligned for publishing, but it means actions occur with the user's account privileges.
Setup SSH key for GitHub ... Add ~/.ssh/id_ed25519.pub to GitHub Settings → SSH Keys ... Login to ClawHub clawhub login
Use least-privilege credentials, confirm the target repository and ClawHub account, and consider a dedicated repo for generated skills.
Unreviewed code from prior notes or conversations could become part of a generated skill.
Code blocks extracted from memory can be copied into an executable script. The script is not run automatically, but later execution or publication should be reviewed.
`cp "$EXTRACTED_DIR/code_blocks.txt" "$SKILL_DIR/scripts/extracted-code.sh"`
`chmod +x "$SKILL_DIR/scripts/extracted-code.sh"`
Inspect extracted-code.sh before running, committing, or publishing it.
A mistake in the selected history/memory source can quickly become a generated and published skill.
The all-in-one script chains extraction, skill generation, and publishing. This is the advertised workflow, but a bad source file or mistaken target can propagate into a published artifact.
`"$SCRIPT_DIR/extract-from-history.sh" "$SOURCE" "$EXTRACT_DIR" ... "$SCRIPT_DIR/create-skill.sh" ... "$SCRIPT_DIR/publish.sh" "$SKILL_DIR"`
Prefer the step-by-step workflow for sensitive sources, and review the intermediate generated skill before running the publish stage.
