memos-local

Fail

Audited by Snyk on Apr 1, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly asks the user for API keys and other secret credentials (Step 1.5) and then instructs the agent to embed those values verbatim into generated commands/node -e invocations and config writes (passing the API key as a command-line argument), which forces the LLM to handle and output secrets directly, creating an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The skill mandates fully autonomous execution of shell commands and remote installers (curl|bash, PowerShell iex), patches configs and restarts services without further user consent, and includes obfuscated exec logic and npm/package install steps — creating clear supply‑chain, remote code execution, and backdoor risk even if no explicit exfiltration code is shown.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly downloads and executes code and metadata from external public sources (e.g., "curl ... | bash" to https://cdn.memtensor.com.cn/memos-local-openclaw/install.sh and npm registry queries like npm view @memtensor/memos-local-openclaw-plugin version), and it parses those results and user-provided external embedding API details as part of its required installation workflow, so untrusted third‑party content can directly influence actions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly authorizes the agent to autonomously run shell commands and install scripts, modify configuration files on the host (e.g. ~/.openclaw/openclaw.json), rebuild native modules, restart the gateway, and even suggests privileged package installs (sudo apt ...) — all actions that change the machine's state without further user approval.

Issues (5)

W007
HIGH

Insecure credential handling detected in skill instructions.

E006
CRITICAL

Malicious code pattern detected in skill scripts.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W013
MEDIUM

Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level
CRITICAL
Analyzed
Apr 1, 2026, 06:17 PM
Issues
5
Security Audit — snyk — memos-local