Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Smart Memory

v3.1.0

Persistent local transcript-first memory for OpenClaw via a Node adapter and FastAPI engine.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's description (local Node adapter + FastAPI engine) matches the included code (Node adapter, FastAPI server, SQLite stores). However the registry claims 'no required binaries / env vars' while the code and install.sh clearly require Node.js 18+, Python 3.11+, CPU PyTorch and write to the user's workspace (~/.openclaw/workspace). Declared metadata omits these concrete runtime requirements and filesystem targets, which is an incoherence a user should not ignore.
Instruction Scope
SKILL.md and integration docs limit actions to local transcript ingest/retrieve, rebuild, lane management and background cycles; the code reads/writes local files (hot_memory.json, data/memory_store/v3_memory.sqlite), exposes a local HTTP API on 127.0.0.1:8000, and auto-updates 'hot memory' from conversation content. That scope is consistent with the stated purpose, but the package includes a prompt-injection related file and static scan flagged a 'system-prompt-override' pattern in SKILL.md — investigate prompt-injection middleware to confirm it defends rather than abuses model prompts.
Install Mechanism
Registry lists no install spec, yet the repository contains an install.sh that clones a GitHub repo (or downloads a tarball) and runs npm install (postinstall may run Python venv/requirements). The installer header suggests piping remote script to bash; postinstall.js/npm scripts can execute arbitrary code. While the GitHub URL is explicit (BluePointDigital/smart-memory), running the installer without auditing postinstall.js and other scripts is risky.
Credentials
No external API keys or cloud credentials are requested — appropriate for a local-only memory backend. But the code requires filesystem access (home/.openclaw/workspace and data/), a local server port (8000), and native runtimes (node, python, PyTorch). Those runtime requirements are not declared in the registry metadata, producing a proportionality mismatch between what the skill asks for and what it actually needs.
Persistence & Privilege
The skill will persist data locally (SQLite DB under workspace/data/memory_store, hot_memory.json) and installs a local HTTP service (FastAPI) — normal for this kind of backend. The skill is not marked always:true and doesn't claim to change other skills' config. Still, installation will create persistent files and run services on localhost, so run it in a controlled environment if you don't want persistent local state.
Scan Findings in Context
[system-prompt-override] unexpected: Pre-scan flagged prompt-injection patterns in SKILL.md (and the package includes a prompt-injection.js file). A memory system should include prompt-safety middleware, but this detection warrants manual review to ensure code defends against injection rather than instructing model/system prompt overrides or hidden behaviors.
What to consider before installing
- Source verification: The installer points at https://github.com/BluePointDigital/smart-memory — confirm you trust that repository and owner. The registry metadata gives no homepage and says 'instruction-only', which is inconsistent with the many code files here.
- Do not pipe unknown curl|bash: install.sh suggests a curl | bash pattern; avoid blindly running it. Instead, clone the repo and inspect package.json, postinstall.js, and any npm postinstall hooks or shell scripts before execution.
- Audit postinstall and node scripts: npm postinstall and postinstall.js can execute arbitrary code (including spawning Python venv installs). Inspect those scripts and postinstall behavior before running them.
- Review prompt-injection code: the package contains prompt-injection related files and the static scan flagged a 'system-prompt-override' pattern. Manually review skills/smart-memory-openclaw/prompt-injection.js (and any middleware) to ensure it implements protections and does not attempt to modify system prompts or exfiltrate data.
- Sandbox and least-privilege: because the package writes to your home workspace and runs a local server, prefer running it in a sandbox or container (isolated user account, Docker, or VM). This prevents accidental data leakage and limits filesystem/network exposure.
- Check data locations and backups: confirm where the SQLite DB and hot_memory.json will live (the code uses ~/.openclaw/workspace/data/ and data/memory_store/v3_memory.sqlite). If you install, back up any existing workspace data you care about.
- If you need a minimal test: clone the repo locally, inspect code, then run the server in an isolated environment and exercise GET /health and GET /insights/pending before integrating it with an agent. Avoid giving it network access beyond localhost unless you explicitly want it.
If you want, I can list the specific files to inspect (postinstall.js, package.json, skills/smart-memory-openclaw/prompt-injection.js, smart-memory/postinstall.js) and summarize any suspicious code I find.
examples/session-start/nodejs-agent.js:49: Shell command execution detected (child_process).
smart-memory/index.js:158: Shell command execution detected (child_process).
smart-memory/postinstall.js:14: Shell command execution detected (child_process).
smart-memory/index.js:11: Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.
