Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Aister vector-memory
v1.0.4Provides semantic vector search over Aister's memory using PostgreSQL and e5-large-v2 embeddings to find related content by meaning in Russian and English.
⭐ 0· 868·1 current·1 all-time
by@alekhm
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The files and SKILL.md consistently describe a local vector memory using PostgreSQL + pgvector and a local embedding service (intfloat/e5-large-v2). Requiring a DB password and a local embedding service is appropriate for this purpose. However the registry metadata claims no required environment variables while SKILL.md and the scripts require VECTOR_MEMORY_DB_PASSWORD — that's an inconsistency in the package metadata (likely an omission) and should be corrected/clarified before install.
Instruction Scope
Runtime instructions and scripts only read expected memory files (MEMORY.md, IDENTITY.md, USER.md), call the local embedding service, and operate on the specified database tables. The docs explicitly warn about not putting secrets in memory files. Two items to note: (1) first run downloads a ~1.3GB model from HuggingFace (network access required); (2) INSTALL.md proposes optional autostart by appending a nohup/start snippet to the user's shell profile (~/.bashrc) which modifies a user config file — that is persistence beyond a single run and the user should review/approve that change.
Install Mechanism
This is an instruction-only skill (no install spec) with included Python scripts. The only external download is the embedding model from HuggingFace (expected for embedding workflows). No downloads from obscure or shortener URLs or arbitrary remote code execution are present in the skill itself. The usual supply-chain note applies: large model weights are fetched from an external provider and should be considered a supply-chain risk if that source is untrusted.
Credentials
The only secret the skill requires at runtime is the PostgreSQL password (VECTOR_MEMORY_DB_PASSWORD), which is proportional to its purpose. The docs also note the need for PostgreSQL superuser/root during installation to create extensions — that is typical for installing pgvector. The earlier metadata omission of required env vars is the main mismatch to fix.
Persistence & Privilege
The skill does not request always:true and does not declare elevated platform privileges. It does recommend (optionally) adding an autostart snippet to the user's shell profile and running a background Flask service; those are common for a long-running local service but are changes to user dotfiles. The docs recommend Docker for isolation, which mitigates persistence/privilege concerns.
Assessment
This skill appears to be what it says: a local vector-memory using PostgreSQL + pgvector and a local embedding service. Before installing: (1) correct/confirm metadata — set VECTOR_MEMORY_DB_PASSWORD (the registry metadata omitted this required env var); (2) review the three included Python scripts yourself (embedding_service.py, memory_reindex.py, memory_search.py); (3) run in a container/VM if you want isolation (the README recommends Docker); (4) understand the first run will download ~1.3GB of model weights from HuggingFace (network access and model provenance risk); (5) do not put secrets or API keys in MEMORY.md/IDENTITY.md/USER.md because those files will be indexed and stored in the DB; (6) the install docs optionally append an autostart entry to your shell profile — only allow that if you trust and have reviewed the snippet. If you want more assurance, ask the author to fix the registry metadata (declare the required env var) and provide checksums or a pinned HF model source.Like a lobster shell, security has layers — review code before you run it.
latestvk97aywtqhb3f54943f2nykz8r1811vmz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.