memos-local
Fail
Audited by Snyk on Apr 1, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly asks the user for API keys and other secret credentials (Step 1.5) and then instructs the agent to embed those values verbatim into generated commands/node -e invocations and config writes (passing the API key as a command-line argument), which forces the LLM to handle and output secrets directly, creating an exfiltration risk.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The skill mandates fully autonomous execution of shell commands and remote installers (curl|bash, PowerShell iex), patches configs and restarts services without further user consent, and includes obfuscated exec logic and npm/package install steps — creating clear supply‑chain, remote code execution, and backdoor risk even if no explicit exfiltration code is shown.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly downloads and executes code and metadata from external public sources (e.g., "curl ... | bash" to https://cdn.memtensor.com.cn/memos-local-openclaw/install.sh and npm registry queries like
npm view @memtensor/memos-local-openclaw-plugin version), and it parses those results and user-provided external embedding API details as part of its required installation workflow, so untrusted third‑party content can directly influence actions and tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs downloaded install scripts at runtime (curl -fsSL https://cdn.memtensor.com.cn/memos-local-openclaw/install.sh | bash and the PowerShell equivalent https://cdn.memtensor.com.cn/memos-local-openclaw/install.ps1), and also installs the npm package @memtensor/memos-local-openclaw-plugin (via openclaw plugins install which fetches code from the npm registry / mirror such as https://registry.npmmirror.com), so remote content is fetched and executed as a required part of the installation.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly authorizes the agent to autonomously run shell commands and install scripts, modify configuration files on the host (e.g. ~/.openclaw/openclaw.json), rebuild native modules, restart the gateway, and even suggests privileged package installs (sudo apt ...) — all actions that change the machine's state without further user approval.
Issues (5)
W007
HIGHInsecure credential handling detected in skill instructions.
E006
CRITICALMalicious code pattern detected in skill scripts.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUMAttempt to modify system services in skill instructions.
Audit Metadata