Skillv1.0.0

ClawScan security

MemPalace记忆系统助手 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 28, 2026, 3:36 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's description matches a memory assistant, but the runtime instructions assume a Windows 'py' launcher and a Python module (mempalace) while declaring no required binaries or install steps and referencing a local file — these inconsistencies merit caution before installing.
Guidance: Before installing or enabling this skill: 1) Ask the author which Python package provides the 'mempalace' module and verify its source and trustworthiness; 2) Confirm which runtime (Windows 'py' or other Python) is required — the SKILL.md examples assume 'py -3.13'; 3) Ask where the memory data is stored (local path, database, cloud) and whether data is ever sent to external services; 4) If you must run it, install and test the mempalace module in a sandbox or isolated environment first; 5) If you need the skill to be self-contained, request an install spec or packaged release from the author. These steps will reduce surprises caused by the metadata/instruction mismatches.

Review Dimensions

Purpose & Capability: noteName and description (structured memory, search, persistence) align with the instructions' commands (search/add/list/export). However the SKILL.md's runtime examples invoke 'py -3.13 -m mempalace' which implies a Python module and the Windows 'py' launcher; the skill metadata lists no required binaries or install steps, so there is a mismatch between required runtime components and declared requirements.
Instruction Scope: noteInstructions are focused on memory operations and do not explicitly instruct reading unrelated system files or environment variables. One provenance line cites a local path (D:\coze-local\simple-agent\skills_learned\mempalace.md) — this suggests the skill was derived from a local file and may depend on local artifacts, but the SKILL.md does not instruct the agent to read that path. The instructions leave unspecified where the mempalace module stores data or whether it sends data externally.
Install Mechanism: noteThere is no install spec (instruction-only), which is low-risk in general, but inconsistent with the examples that require a Python module 'mempalace' and a specific Python launcher. The skill provides no guidance on how to obtain/install that module, so an operator would need to install external code out-of-band.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. Nothing in SKILL.md asks for secrets or unrelated credentials.
Persistence & Privilege: okalways is false and there are no install hooks or claims of modifying other skills or system-wide settings. Autonomous invocation is allowed (default) but not combined with other high-risk factors.