memoclaw

Fail

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions (SKILL.md) prompt the agent to perform persistence-related modifications to the user's shell configuration files. Specifically, it suggests running memoclaw completions bash >> ~/.bashrc and memoclaw completions zsh >> ~/.zshrc, which appends external executable code to the shell profile, allowing it to execute in future sessions.
  • [REMOTE_CODE_EXECUTION]: The CLI tool documentation (SKILL.md) describes a memoclaw upgrade command that automatically checks for, downloads, and installs updates from remote servers. This mechanism allows for the execution of unverified remote code on the host system.
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of a global NPM package memoclaw and references a specific GitHub repository (anajuliabit/memoclaw-cli) for troubleshooting. These sources are not recognized as trusted technology providers, increasing the risk of supply chain compromise.
  • [CREDENTIALS_UNSAFE]: The skill requires the use of the MEMOCLAW_PRIVATE_KEY environment variable to authenticate the user's crypto wallet for payments. Handling high-entropy private keys in environment variables or configuration files (~/.memoclaw/config.json) presents a significant risk if the agent's environment or the third-party CLI tool is compromised.
  • [PROMPT_INJECTION]: The skill creates a surface for Indirect Prompt Injection by design. It provides tools to ingest untrusted data from various sources (files via migrate, raw text via ingest) and subsequently retrieves this content into the agent's system context (via recall or context).
    • Ingestion points: memoclaw store, memoclaw ingest, and memoclaw migrate (documented in SKILL.md).
    • Boundary markers: Absent. Memories are retrieved and interpolated into the prompt without delimiters or instructions to ignore embedded commands.
    • Capability inventory: The agent has access to exec to run shell commands via the CLI, which can be triggered by instructions found in recalled memory.
    • Sanitization: Absent. The skill stores and recalls raw text without escaping or validation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 26, 2026, 02:35 PM