ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

HeyCube AI Memory Butler

一键安装 HeyCube 黑方体个人档案管理服务到 OpenClaw。 创建 GET_CONFIG/UPDATE_DATA 两个 Hook Skill、SQLite 管理工具、修改 TOOLS.md 和 AGENTS.md。 触发场景:"安装黑方体"、"配置 HeyCube"、"heycube setup"、"安...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 36 · 0 current installs · 0 all-time installs
by@MMMMMMTL
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match what the files and instructions do: create GET_CONFIG/UPDATE_DATA hook skills, install a local SQLite helper, and append entries to TOOLS.md and AGENTS.md. The included personal-db.js and package.json are appropriate for local storage management.
Instruction Scope
Runtime instructions ask the installer to copy hook SKILL.md files into ~/.agents/skills, add an AGENTS.md 'hard rule' section that forces pre/post execution for every substantive conversation, and send strictly '脱敏' (de-identified) summaries to the external BASE_URL. The instruction set stays within the declared purpose but grants the skill broad runtime scope (pre/post hooks on every dialogue) and relies on correct de-identification practices which cannot be enforced by the code.
Install Mechanism
No automatic binary download or remote archive; installer asks the user to run npm install in workspace/scripts which will pull better-sqlite3 from the public npm registry (a native module that may require build tools). This is a moderate risk (expected for Node native modules) but there are no opaque URLs or extract-from-unknown-host steps.
Credentials
The skill declares no required env vars. It expects the user to store BASE_URL/API_KEY/DB_PATH in TOOLS.md (i.e., the API key will be in a plaintext workspace file unless the user chooses otherwise). The code reads an optional SOUL_DB_PATH env var (not declared in metadata). Requesting an API key to call the external service is proportionate, but storing secrets in TOOLS.md and having an undeclared env var are worth noting.
!
Persistence & Privilege
The installer explicitly edits AGENTS.md to insert a hard rule that will cause its hooks to run for every 'substantive' conversation and copies hook skills into ~/.agents/skills. This modifies global agent configuration (not just adding a skill that runs when matched) and effectively grants the skill persistent, cross-conversation execution — a meaningful privilege that can increase blast radius if the external service or de-identification fails.
What to consider before installing
What to consider before installing: - This skill will modify AGENTS.md and add hook SKILLs under ~/.agents/skills so that its pre/post hooks run for every substantive conversation. Back up AGENTS.md and TOOLS.md first. - It sends de-identified summaries to an external endpoint (https://heifangti.com). Even with de-identification rules, there's residual risk of sensitive data leakage; only enable if you trust that service. - The API key is expected to be stored in TOOLS.md (plaintext) unless you choose another storage method — treat it like a secret and avoid committing it to repos. - Installation runs npm install (better-sqlite3): this pulls a native module from npm and may require C++ build tools; review dependencies if you require a hardened environment. - The personal-db.js uses an optional SOUL_DB_PATH env var (not declared in registry metadata). If you want DB elsewhere, set this before running. - Prefer manual installation steps: copy and inspect assets/hook-skills/*.md and scripts/personal-db.js, test in an isolated environment, and verify the de-identification outputs before enabling automatic hook execution. If you are uncomfortable with persistent hooks or sending any data to an external server, do not install or remove the AGENTS.md/skill copies after review.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97fdnq2d7z2ken961tbekpvnd832e9q

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

HeyCube 黑方体 — 一键安装

将黑方体个人档案服务完整配置到当前 OpenClaw 实例。

概览

安装完成后,每次对话自动执行:

  1. GET_CONFIG(前置)→ 调用 API 获取维度 → 查本地 SQLite → 注入用户画像
  2. UPDATE_DATA(后置)→ 脱敏摘要 → 调用 API 获取更新维度 → 提取数据写入 SQLite

隐私:脱敏摘要发服务端,结构化档案完全存本地 SQLite。

安装步骤

1. 确认环境

node --version

2. 创建 Hook Skill 目录

New-Item -ItemType Directory -Force -Path "$env:USERPROFILE\.agents\skills\heycube-get-config-0.1.0"
New-Item -ItemType Directory -Force -Path "$env:USERPROFILE\.agents\skills\heycube-update-data-0.1.0"
New-Item -ItemType Directory -Force -Path "{workspace}/scripts"

3. 写入 Hook Skill 文件

将本 skill 的 assets/hook-skills/get-config.md 复制到: ~/.agents/skills/heycube-get-config-0.1.0/SKILL.md

将本 skill 的 assets/hook-skills/update-data.md 复制到: ~/.agents/skills/heycube-update-data-0.1.0/SKILL.md

⚠️ 复制前检查目标是否已存在同名文件,若存在且内容非空则提示用户确认覆盖。

4. 写入 SQLite 管理工具

scripts/personal-db.js 复制到 {workspace}/scripts/personal-db.js。 将 scripts/package.json 复制到 {workspace}/scripts/package.json

5. 安装依赖 & 初始化数据库

cd "{workspace}/scripts" && npm install
cd "{workspace}/scripts" && node personal-db.js init

预期输出:{"status":"ok","db":"<path>/personal-db.sqlite"}

6. 修改 TOOLS.md — 添加 HeyCube 配置段

{workspace}/TOOLS.md 末尾追加:

## HeyCube Server
- BASE_URL: https://heifangti.com/api/api/v1/heifangti
- API_KEY: (未配置 — 在此填入黑方体 API Key)
- DB_PATH: {workspace}/personal-db.sqlite
- 说明: 配置 API_KEY 后启用黑方体服务端分析;未配置则静默跳过

⚠️ 如果 TOOLS.md 中已有 HeyCube Server 段,只更新缺失字段,不覆盖用户已填写的 API_KEY。

7. 修改 AGENTS.md — 添加 Hook 执行规则

{workspace}/AGENTS.md## Make It Yours 之前插入:

## 🔮 HeyCube 档案管理 Hook(每次对话必执行)

由 AGENTS.md 硬规则驱动,**不依赖 skill description 匹配**。

### 执行顺序

用户消息 → ① GET_CONFIG → ② 主任务 skill → ③ 回复用户 → ④ UPDATE_DATA


### ① GET_CONFIG(对话处理前)
1. 读取 `~/.agents/skills/heycube-get-config-0.1.0/SKILL.md`
2. 按其中流程执行:对话分类 → 前置检查 → 调用 API → 查询 SQLite → 注入上下文
3. **出错则静默跳过,不阻塞主流程**

### ② 主任务
正常匹配 skill → 处理用户请求 → 回复用户

### ④ UPDATE_DATA(回复完成后)
1. 读取 `~/.agents/skills/heycube-update-data-0.1.0/SKILL.md`
2. 按其中流程执行:脱敏摘要 → 调用 API → 提取数据 → 写入 SQLite
3. **出错则静默跳过**

### 关键规则
- **不阻塞主流程**:任何环节出错都静默跳过
- **严格脱敏**:发送到服务端的内容绝不含真实个人信息
- **开关控制**:文件 `.heycube-off` 存在则跳过全部

⚠️ 如果 AGENTS.md 中已有 HeyCube 相关段,不重复添加。

8. 验证安装

Test-Path "$env:USERPROFILE\.agents\skills\heycube-get-config-0.1.0\SKILL.md"
Test-Path "$env:USERPROFILE\.agents\skills\heycube-update-data-0.1.0\SKILL.md"
Test-Path "{workspace}/scripts/personal-db.js"
Test-Path "{workspace}/scripts/node_modules/better-sqlite3"
cd "{workspace}/scripts"; node personal-db.js get-all

全部通过后输出:

✅ HeyCube 黑方体配置完成
- GET_CONFIG Skill: 已就位
- UPDATE_DATA Skill: 已就位
- SQLite 工具: 已安装并初始化
- TOOLS.md: 已配置(请填写 API_KEY 以启用服务端分析)
- AGENTS.md: 已添加 Hook 规则

⚠️ 下一步:在 TOOLS.md 中填写 HeyCube API_KEY
获取地址:https://heifangti.com
格式:hey_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

故障排除

问题排查
Hook 未触发检查 AGENTS.md 是否包含 HeyCube 执行规则段
API 返回 402黑方体账户黑点不足
SQLite 报错重新执行 cd scripts && node personal-db.js init
better-sqlite3 安装失败需 C++ 编译工具(Windows: Visual Studio Build Tools)
临时关闭 Hook在 workspace 根目录创建 .heycube-off 文件
查看已采集档案cd scripts && node personal-db.js get-all

Files

5 total
Select a file
Select a file to preview.

Comments

Loading comments…