agent-memory-system
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes multiple shell scripts (memory-gc.sh, nightly-reflection.sh, extract-skill.sh) to automate local file system management. These scripts perform actions such as creating directories, moving files to archive folders, and generating new skill packages using 'cat' and 'sed'. These operations are restricted to the local workspace and align with the skill's primary functionality.
- [COMMAND_EXECUTION]: The installation scripts (install.sh) modify the user's crontab to schedule recurring maintenance tasks. This persistence mechanism is a core feature of the skill's temperature-based memory model and is clearly documented for the user.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection as it processes data that may be influenced by untrusted external sources (e.g., summaries of web content saved as lessons).
  - Ingestion points: Scripts read from agent-generated daily logs and lesson files located in ~/.openclaw/workspace/memory/.
  - Boundary markers: No delimiters or "ignore embedded instructions" warnings are used when scripts process or interpolate the content of these files.
  - Capability inventory: The scripts possess the capability to create new skill directories and write executable metadata (SKILL.md) to the local filesystem.
  - Sanitization: There is no validation or sanitization of the content within the lesson files before it is used to populate metadata or update file statuses via stream editing.
Audit Metadata