openclaw-test-heap-leaks

Pass

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: No security issues detected. The skill focuses on memory profiling and diagnostic tasks, using standard shell commands (pnpm test) and a local utility script to analyze heap snapshots as part of its documented functionality.
  • [INDIRECT_PROMPT_INJECTION]: The skill ingests data from external .heapsnapshot files through its processing script. Although this constitutes an attack surface, the risk is negligible as the script strictly parses JSON structures, performs numeric calculations, and truncates string identifiers before outputting a summary to the agent.
  • Ingestion points: .heapsnapshot files read via fs.createReadStream in scripts/heapsnapshot-delta.mjs.
  • Boundary markers: N/A (local processing script).
  • Capability inventory: Local file reads; no network or subprocess execution within the analysis script.
  • Sanitization: Object names are truncated to 96 characters, limiting the potential for long injection payloads to reach the agent context.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 23, 2026, 06:06 AM
Security Audit — agent-trust-hub — openclaw-test-heap-leaks