Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Central Intelligence
v1.1.0Persistent memory across sessions. Remember facts, recall them later with semantic search, and share knowledge between agents. Use when you need to store inf...
⭐ 0· 71·0 current·0 all-time
byAlex@alekseimarchenko
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md describes a memory service that stores and recalls facts via an external API and requires an API key (CI_API_KEY). That capability matches the skill name/description. However, the registry metadata at the top of the submission lists no required env vars while SKILL.md declares CI_API_KEY as required — an inconsistency between declared registry requirements and the runtime instructions.
Instruction Scope
The instructions are narrowly scoped to calling the external memory API (remember, recall, context, forget, share) and include sensible behavior rules (don't store secrets, respect scopes, consent for auto‑load). They do not direct the agent to read unrelated files or other environment variables. However, the core behavior is to transmit user-provided content (memories) to a third‑party endpoint; that means any data you store will leave the host and be persisted externally, which is an important privacy boundary to be aware of.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill itself. That reduces installation risk.
Credentials
The service requires one secret (CI_API_KEY) which is proportionate for a hosted API. The concern is the mismatch between the registry summary (no required env vars) and SKILL.md (requires CI_API_KEY). Also, because stored memories are sent to a third party, accidental storage of secrets or PII would expose them externally — the SKILL.md warns not to store them, but enforcement relies on the agent and user.
Persistence & Privilege
always is false (good). The skill can be invoked autonomously (default platform behavior). Because memories can be promoted to user/org scope and shared between agents, an autonomously invoked skill increases the blast radius if misused — but autonomous invocation alone is normal for skills. Consider limiting automatic context loading and reviewing scope promotion actions.
What to consider before installing
This skill implements persistent memory by sending content to a third‑party API (https://central-intelligence-api.fly.dev) and requires an API key (CI_API_KEY) per the SKILL.md. Before installing: (1) confirm the registry metadata is updated to declare CI_API_KEY as required so there is no surprise; (2) verify and review the service's privacy/security posture (owner, privacy policy, data retention, encryption) — the homepage and API base names differ and should be checked; (3) never provide or store secrets, PII, or credentials via this memory service; (4) start by testing with non‑sensitive sample data to confirm behavior; (5) consider disabling automatic context loading and limit scope promotions (agent → user/org) until you trust the service; (6) if you rely on strong governance, prefer a memory backend you control or one with explicit enterprise controls. If you want, ask the skill author or registry owner to fix the metadata mismatch and provide a clear security/retention policy for stored memories.Like a lobster shell, security has layers — review code before you run it.
agentsvk973xja8d1zvnjj5n3h1yb7zhx83hmn9contextvk973xja8d1zvnjj5n3h1yb7zhx83hmn9latestvk973xja8d1zvnjj5n3h1yb7zhx83hmn9mcpvk973xja8d1zvnjj5n3h1yb7zhx83hmn9memoryvk973xja8d1zvnjj5n3h1yb7zhx83hmn9recallvk973xja8d1zvnjj5n3h1yb7zhx83hmn9
License
MIT-0
Free to use, modify, and redistribute. No attribution required.