agent-memory-ultimate
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill is designed to aggregate and index highly sensitive local data sources.
  - Evidence:
    - Accesses WhatsApp message stores located at `~/.openclaw/credentials/whatsapp/default/baileys_store_multi.json` in `sync_whatsapp.py`.
    - Imports ChatGPT conversation exports and local markdown logs in `init_db.py`.
    - Parses VCF contact files in `import_vcf.py`.
    - While no external network exfiltration was detected, the consolidation of these disparate sensitive data sources into a single searchable database (`memory.db`) increases the impact of potential data exposure.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via the data it indexes.
  - Ingestion points: WhatsApp messages (`sync_whatsapp.py`), VCF contacts (`import_vcf.py`), and local markdown files (`init_db.py`).
  - Boundary markers: No explicit instruction delimiters or 'ignore embedded instructions' warnings are implemented in the recall logic within `memory_core.py`.
  - Capability inventory: The system has capabilities for file-writing (SQLite), process management (sending signals in `embed_server.py`), and Unix socket communication.
  - Sanitization: Standard FTS5 query sanitization is present in `memory_core.py`, but there is no semantic sanitization of the content retrieved from the database before it is provided back to the agent's context.
- [COMMAND_EXECUTION]: The skill uses local Unix sockets for its embedding server.
  - Evidence: `embed_server.py` creates a socket at `/tmp/openclaw-embed.sock` and sets permissions to `0o666` (world-readable/writable). While this facilitates local inter-process communication, it allows any local user to interact with the embedding service.
Audit Metadata