memory-router
Fail
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill is configured to retrieve and process data from ~/.openclaw/agents/ and ~/.openclaw/, which the documentation explicitly states contain authentication tokens ("auth") and system configuration data.
- [DATA_EXFILTRATION]: Extensive file system access is granted across multiple sensitive directories (~/clawd/, ~/.openclaw/), allowing the agent to collect and potentially expose project PRDs, deliverables, and system-level configuration files.
- [COMMAND_EXECUTION]: The skill employs shell commands and provides a wrapper script (memory_router.sh) that interpolates user-controlled input into commands without sufficient sanitization, enabling argument injection. It also provides specific instructions for setting up persistence through daily and weekly cron jobs.
- [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by pulling untrusted content from various local project files and work logs into the agent's context without boundary markers or sanitization.
  - Ingestion points: Multiple directories under ~/clawd/, including projects and daily memory logs.
  - Boundary markers: None are defined to separate retrieved content from agent instructions.
  - Capability inventory: Subprocess execution for the qmd and grep tools.
  - Sanitization: None.
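As an added illustration (not the skill's own memory_router.sh, whose contents this audit does not reproduce), the POSIX shell below shows the argument-injection pattern the [COMMAND_EXECUTION] finding describes next to a hardened equivalent, and a minimal boundary-marker wrapper of the kind the [PROMPT_INJECTION] finding says is missing. The directories, file names and file contents are constructed sample data standing in for ~/clawd/ and ~/.openclaw/; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the memory-router skill.
set -eu

# Constructed sample data: MEMDIR stands in for the memory logs under ~/clawd/,
# SECRETDIR for ~/.openclaw/ with its auth material. Neither is real.
MEMDIR="$(mktemp -d)"
SECRETDIR="$(mktemp -d)"
trap 'rm -rf "$MEMDIR" "$SECRETDIR"' EXIT
printf 'daily log: rotated the deploy token\n' > "$MEMDIR/2026-04-01.md"
printf 'daily log: nothing to report\n'        > "$MEMDIR/2026-04-02.md"
printf '{"auth": "token-EXAMPLE-not-real"}\n'  > "$SECRETDIR/auth.json"

# Vulnerable wrapper (illustrative): the query is interpolated unquoted, so the
# shell word-splits it. A query such as "token /path/to/auth.json" appends an
# extra file argument, and a query beginning with "-" is parsed as grep options.
unsafe_search() {
    grep -n $1 "$MEMDIR"/*.md
}

# Hardened wrapper: the query is passed as a single quoted argument behind -e,
# so it can never become an option or an extra path; "--" closes option
# parsing before the file list; newlines are rejected because grep treats
# each line of a pattern as a separate pattern.
safe_search() {
    query=$1
    NL=$(printf '\nx'); NL=${NL%x}
    case $query in
        *"$NL"*) echo "rejected: newline in query" >&2; return 2 ;;
    esac
    grep -n -e "$query" -- "$MEMDIR"/*.md
}

# Boundary markers: emit retrieved file content between explicit delimiters so
# the agent can tell data from instructions, and strip control characters
# (except tab and newline) that could be used to forge terminal or marker text.
wrap_untrusted() {
    printf '<<<UNTRUSTED_CONTENT source=%s>>>\n' "$1"
    tr -d '\000-\010\013-\037\177' < "$1"
    printf '<<<END_UNTRUSTED_CONTENT>>>\n'
}
```

With the unsafe wrapper, a query of "token $SECRETDIR/auth.json" makes grep read the auth file and print its matching line alongside the memory logs; the same string handed to safe_search is searched for literally and matches nothing.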
Recommendations
- AI detected serious security threats
Audit Metadata