openclaw-test-heap-leaks
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious code, prompt injection attempts, or unauthorized data access patterns were found in the provided files. The skill functions as a legitimate developer diagnostic tool.
- [COMMAND_EXECUTION]: The skill provides instructions to run standard local development commands (pnpm, node) for test execution and performance profiling. The heapsnapshot-delta.mjs script is executed locally to process profile data.
- [SAFE]: Indirect Prompt Injection Assessment (Category 8):
- Ingestion points: The heapsnapshot-delta.mjs script ingests local .heapsnapshot files generated during testing.
- Boundary markers: No delimiters are used as the tool performs quantitative analysis on structured heap data rather than interpreting natural language instructions.
- Capability inventory: The script's capabilities are restricted to local file reading and console output. There are no network operations, subprocess executions, or dynamic code evaluation (eval/exec) calls.
- Sanitization: The script employs manual JSON parsing techniques to extract specific numeric and string data from the heap snapshot format.
Audit Metadata