skills/mindverse/second-me-skills/secondme-openclaw-key-memory/Snyk

secondme-openclaw-key-memory

Fail

Audited by Snyk on Mar 16, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to read a credentials file and use the raw access token in Authorization headers (e.g., "Authorization: Bearer ") for API requests, which requires the LLM to handle and insert secrets verbatim into generated requests.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 1.00). The skill directly fetches and ingests user-provided Key Memory data from the third-party SecondMe API (e.g., GET https://app.mindos.com/gate/in/rest/third-party-agent/v1/memories/key/search and POST https://app.mindos.com/gate/in/rest/third-party-agent/v1/memories/key), and those returned memories are read/interpreted by the agent and can materially influence its decisions.

Issues (2)

W007

HIGH

Insecure credential handling detected in skill instructions.

W011

MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

Risk Level

HIGH

Analyzed

Mar 16, 2026, 03:41 AM

Issues

2