! Security: Review · 5858/100 · grade Dscanned 25m ago
⚠ 1 compromise signal27 risk-surface · 10/20 OWASP controls flagged
Only compromise signals — malicious or tampered code (leaked secrets, backdoors, a dropped executable) — reduce the score. Dangerous-by-capability traits are risk surface, expected for some capabilities. Every finding is mapped to the OWASP control it belongs to below.
What this capability can do · high confidence (static)
Tools (26)
Infographicsbm-setuprememberrecallbuild_contextdelete_noteedit_notelist_memory_projectslist_workspacesmemory_searchmemory_getmove_noteread_noteschema_diffschema_inferschema_validatesearch_noteswrite_noteCheckpointDecideOrientRememberSetupShare
⚑ filesystem⚑ shell⚑ network⚑ secretsinstall: postinstallinstall: script:basicmachines-co-basic-memory-39fe75f/integrations/openclaw/scripts/setup-bm.sh
egress → logfire-api.pydantic.dev, logfire.pydantic.dev, pypi.org, registry.modelcontextprotocol.io, json.schemastore.org, docs.github.com, docs.claude.com, registry.npmjs.org +32
Findings mapped to the OWASP Top 10 for LLM Applications (2025) and the OWASP Machine Learning Security Top 10. Expand any flagged control for the exact findings — compromise reduces the score; expected/risk-surface do not.
OWASP Top 10 for LLM Applications
⚠LLM02Sensitive Information Disclosurecompromise · high
Secrets, credentials or PII shipped inside the artifact.
•Embedded credentials — found: DB connection string with credentials · basicmachines-co-basic-memory-39fe75f/.env.example (CWE-798)compromise
•Embedded credentials — found: credentials in URL · basicmachines-co-basic-memory-39fe75f/.github/workflows/release.yml (CWE-798)expected
•Embedded credentials — found: hardcoded credential · basicmachines-co-basic-memory-39fe75f/tests/cli/cloud/test_cloud_api_client_and_utils.py (CWE-798)expected
⚠LLM07System Prompt Leakagecompromise · high
Secrets, internal hosts or proprietary logic exposed in shipped prompts.
•Embedded credentials — found: DB connection string with credentials · basicmachines-co-basic-memory-39fe75f/.env.example (CWE-798)compromise
•Embedded credentials — found: credentials in URL · basicmachines-co-basic-memory-39fe75f/.github/workflows/release.yml (CWE-798)expected
•Embedded credentials — found: hardcoded credential · basicmachines-co-basic-memory-39fe75f/tests/cli/cloud/test_cloud_api_client_and_utils.py (CWE-798)expected
•Internal host / private infrastructure reference — shipped content references a private IP range or internal-only host · basicmachines-co-basic-memory-39fe75f/tests/utils/test_validate_project_path.py (CWE-200)risk surface
⚠LLM01Prompt Injectionhigh
Adversarial instructions embedded in an artifact that hijack a downstream LLM.
•Prompt-injection phrasing — instruction-subversion language detected · basicmachines-co-basic-memory-39fe75f/tests/repository/test_search_repository.py (CWE-77)expected
⚠LLM03Supply Chainhigh
Vulnerable/compromised dependencies, models or archives in the artifact.
•Dependency manifest — 6 npm dependencies declared · basicmachines-co-basic-memory-39fe75f/integrations/openclaw/package.jsonrisk surface
•npm install-lifecycle script — postinstall run on install — executes arbitrary code · basicmachines-co-basic-memory-39fe75f/integrations/openclaw/package.json (CWE-506)risk surface
•Vulnerable dependencies — 63 known vulnerabilities in: pygments@2.9.0, @earendil-works/pi-coding-agent@0.75.5, hono@4.12.23, markdown-it@14.1.1, openclaw@2026.5.26, protobufjs@7.6.1, tar@7.5.13, tar@7.5.15 (CWE-1395)risk surface
⚠LLM05Improper Output Handlinghigh
Code that pipes model/user output into shell, eval, SQL or paths unsafely.
•Path traversal sequences — '../' present in content or name · basicmachines-co-basic-memory-39fe75f/.claude/skills/adversarial-review (CWE-22)expected
•Suspicious code patterns — OS command execution · basicmachines-co-basic-memory-39fe75f/benchmarks/src/basic_memory_benchmarks/llm/runners.py (CWE-78)expected
•Suspicious code patterns — destructive rm -rf /; pipe-to-shell install · basicmachines-co-basic-memory-39fe75f/integrations/openclaw/README.md (CWE-78)expected
•Suspicious code patterns — child_process exec · basicmachines-co-basic-memory-39fe75f/integrations/openclaw/SECURITY.md (CWE-78)expected
•Suspicious code patterns — pipe-to-shell install; child_process exec · basicmachines-co-basic-memory-39fe75f/integrations/openclaw/index.ts (CWE-494)expected
•Suspicious code patterns — pipe-to-shell install · basicmachines-co-basic-memory-39fe75f/integrations/openclaw/scripts/setup-bm.sh (CWE-494)expected
•Suspicious code patterns — dynamic code execution · basicmachines-co-basic-memory-39fe75f/src/basic_memory/mcp/ui/html/note-preview-tool-ui.html (CWE-95)expected
•Suspicious code patterns — dynamic os import · basicmachines-co-basic-memory-39fe75f/test-int/test_db_wal_mode.pyexpected
•Suspicious code patterns — OS command execution; dynamic code execution · basicmachines-co-basic-memory-39fe75f/tests/test_codex_plugin_package.py (CWE-78)expected
⚠LLM06Excessive Agencymedium
Over-broad tool/permission surface or unrestricted egress.
•External endpoints declared — 1 distinct host(s) · basicmachines-co-basic-memory-39fe75f/.agents/skills/adversarial-review/schemas/findings.schema.jsonexpected
•External endpoints declared — 2 distinct host(s) · basicmachines-co-basic-memory-39fe75f/.agents/skills/instrumentation/SKILL.mdexpected
•External endpoints declared — 3 distinct host(s) · basicmachines-co-basic-memory-39fe75f/.claude/commands/release/release.mdexpected
•Broad capability surface — 4 high-impact capability categories referenced — verify least-privilege · basicmachines-co-basic-memory-39fe75f/CHANGELOG.md (CWE-272)risk surface
•External endpoints declared — 15 distinct host(s) · basicmachines-co-basic-memory-39fe75f/README.mdexpected
•Broad capability surface — 3 high-impact capability categories referenced — verify least-privilege · basicmachines-co-basic-memory-39fe75f/benchmarks/src/basic_memory_benchmarks/llm/runners.py (CWE-272)risk surface
•External endpoints declared — 4 distinct host(s) · basicmachines-co-basic-memory-39fe75f/docs/cloud-cli.mdexpected
•External endpoints declared — 6 distinct host(s) · basicmachines-co-basic-memory-39fe75f/integrations/openclaw/.gitignoreexpected
•External endpoints declared — 5 distinct host(s) · basicmachines-co-basic-memory-39fe75f/integrations/openclaw/README.mdexpected
•Broad capability surface — 5 high-impact capability categories referenced — verify least-privilege · basicmachines-co-basic-memory-39fe75f/src/basic_memory/mcp/ui/html/search-results-tool-ui.html (CWE-272)risk surface
⚠LLM10Unbounded Consumptionmedium
Unbounded loops/recursion causing DoS or runaway cost.
Enforced at runtime by the gateway (rate limits + spend caps + size caps); static check flags unbounded loops.
•Potentially unbounded loop — an infinite loop (while True / while(1) / for(;;)) may cause runaway consumption · basicmachines-co-basic-memory-39fe75f/benchmarks/scripts/write_load_bench.py (CWE-835)risk surface
§LLM09MisinformationGovernance
Artifacts designed to produce false/deceptive output.
Detectable only by runtime behavioral evaluation; addressed via responsible-use attestation.
✓LLM04Data and Model PoisoningPassed
Backdoors/poisoning in training data or serialized models.
Behavioral poisoning needs model execution; static check covers unsafe serialization + dataset skew only.
✓LLM08Vector and Embedding WeaknessesPassed
PII or plaintext source leakage in embedding/vector exports.
Embedding inversion/poisoning is largely runtime; static check covers PII in vector exports.
OWASP Machine Learning Security Top 10
⚠ML02Data Poisoninghigh
Poisoned training datasets with triggers or anomalous distributions.
Static check covers trigger phrasing, PII and label skew; full poisoning detection is runtime.
•Prompt-injection phrasing — instruction-subversion language detected · basicmachines-co-basic-memory-39fe75f/tests/repository/test_search_repository.py (CWE-77)expected
⚠ML06AI Supply Chainhigh
Compromised PyPI/npm packages, typosquats, unsafe serialized models.
•Dependency manifest — 6 npm dependencies declared · basicmachines-co-basic-memory-39fe75f/integrations/openclaw/package.jsonrisk surface
•npm install-lifecycle script — postinstall run on install — executes arbitrary code · basicmachines-co-basic-memory-39fe75f/integrations/openclaw/package.json (CWE-506)risk surface
•Vulnerable dependencies — 63 known vulnerabilities in: pygments@2.9.0, @earendil-works/pi-coding-agent@0.75.5, hono@4.12.23, markdown-it@14.1.1, openclaw@2026.5.26, protobufjs@7.6.1, tar@7.5.13, tar@7.5.15 (CWE-1395)risk surface
⚠ML09Output Integrityhigh
Middleware tampering with model outputs in transit.
Gateway enforces TLS + response integrity; static check flags output-rewriting code.
•Path traversal sequences — '../' present in content or name · basicmachines-co-basic-memory-39fe75f/.claude/skills/adversarial-review (CWE-22)expected
•Suspicious code patterns — OS command execution · basicmachines-co-basic-memory-39fe75f/benchmarks/src/basic_memory_benchmarks/llm/runners.py (CWE-78)expected
•Suspicious code patterns — destructive rm -rf /; pipe-to-shell install · basicmachines-co-basic-memory-39fe75f/integrations/openclaw/README.md (CWE-78)expected
•Suspicious code patterns — child_process exec · basicmachines-co-basic-memory-39fe75f/integrations/openclaw/SECURITY.md (CWE-78)expected
•Suspicious code patterns — pipe-to-shell install; child_process exec · basicmachines-co-basic-memory-39fe75f/integrations/openclaw/index.ts (CWE-494)expected
•Suspicious code patterns — pipe-to-shell install · basicmachines-co-basic-memory-39fe75f/integrations/openclaw/scripts/setup-bm.sh (CWE-494)expected
•Suspicious code patterns — dynamic code execution · basicmachines-co-basic-memory-39fe75f/src/basic_memory/mcp/ui/html/note-preview-tool-ui.html (CWE-95)expected
•Suspicious code patterns — dynamic os import · basicmachines-co-basic-memory-39fe75f/test-int/test_db_wal_mode.pyexpected
•Suspicious code patterns — OS command execution; dynamic code execution · basicmachines-co-basic-memory-39fe75f/tests/test_codex_plugin_package.py (CWE-78)expected
§ML01Input Manipulation (Adversarial)Governance
Models vulnerable to adversarial perturbations.
Requires runtime robustness evaluation; addressed via publisher robustness attestation.
§ML03Model InversionGovernance
Training data reconstructable from a model's outputs.
Runtime/evaluation property; addressed via model-card data-provenance + DP attestation.
§ML04Membership InferenceGovernance
Determining whether a record was in the training set.
Runtime/evaluation property; addressed via overfitting disclosure + DP attestation.
§ML08Model SkewingGovernance
Models trained on skewed data producing biased output.
Requires fairness evaluation; addressed via model-card bias/limitations disclosure.
✓ML05Model TheftPassed
Unlicensed re-distribution / license-incompatible derivatives.
Static check verifies license declaration; extraction throttling is runtime.
✓ML07Transfer Learning AttackPassed
Backdoored base models / LoRA adapters propagating to derivatives.
Backdoor detection needs behavioral probing; static check covers unsafe serialization + provenance.
✓ML10Model Poisoning (Weights)Passed
Tampered model weight files; integrity must be verifiable.
Static check enforces safe formats + records a content hash for downstream verification.
Other findings (11) · hygiene / uncategorized
•Unrecognized file type — '.?' is not on the allowlist · basicmachines-co-basic-memory-39fe75f/.claude/skills/adversarial-reviewrisk surface
•Unrecognized file type — '.dockerignore' is not on the allowlist · basicmachines-co-basic-memory-39fe75f/.dockerignorerisk surface
•Unrecognized file type — '.gitignore' is not on the allowlist · basicmachines-co-basic-memory-39fe75f/.gitignorerisk surface
•Unrecognized file type — '.python-version' is not on the allowlist · basicmachines-co-basic-memory-39fe75f/.python-versionrisk surface
•Unrecognized file type — '.cff' is not on the allowlist · basicmachines-co-basic-memory-39fe75f/CITATION.cffrisk surface
•Unrecognized file type — '.coveragerc' is not on the allowlist · basicmachines-co-basic-memory-39fe75f/integrations/hermes/.coveragercrisk surface
•Unrecognized file type — '.ini' is not on the allowlist · basicmachines-co-basic-memory-39fe75f/integrations/hermes/pytest.inirisk surface
•Unrecognized file type — '.mako' is not on the allowlist · basicmachines-co-basic-memory-39fe75f/src/basic_memory/alembic/script.py.makorisk surface
•Unrecognized file type — '.1' is not on the allowlist · basicmachines-co-basic-memory-39fe75f/src/basic_memory/man/basic-memory.1risk surface
•Possible obfuscation — very long lines · basicmachines-co-basic-memory-39fe75f/src/basic_memory/mcp/ui/html/note-preview-tool-ui.htmlrisk surface
•Unrecognized file type — '.hbs' is not on the allowlist · basicmachines-co-basic-memory-39fe75f/src/basic_memory/templates/prompts/continue_conversation.hbsrisk surface
✔ verified source · pinned basicmachines-co-basic-memory-39fe75f · changed since last scan · +egress logfire-api.pydantic.dev, logfire.pydantic.dev, registry.modelcontextprotocol.io, json.schemastore.org, docs.github.com, docs.claude.com, registry.npmjs.org, testcontainers-python.readthedocs.io, claude.ai, just.systems, img.shields.io, www.gnu.org, badge.fury.io, www.python.org, badge.mcpx.dev?type=server, badge.mcpx.dev?type=dev, deepwiki.com, basicmemory.com?utm_source=github&utm_medium=referral&utm_campaign=readme&utm_content=banner, modelcontextprotocol.io, basicmemory.com?utm_source=github&utm_medium=referral&utm_campaign=readme&utm_content=quickstart, basicmemory.com?utm_source=github&utm_medium=referral&utm_campaign=readme, basicmemory.com?utm_source=github&utm_medium=referral&utm_campaign=readme&utm_content=cloud-section, umami.is, www.star-history.com, api.star-history.com, basicmachines.co?utm_source=github&utm_medium=referral&utm_campaign=readme, memory.basicmachines.co, api.example.com, integrate.api.nvidia.com, docs.litellm.ai, example.openai.azure.com, genkit.dev, glama.ai