Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Memory Archiver

v10.3.0

记忆管理技能 - 三层时间架构 + 自动搜索/提取/会话笔记统一 Hook + 记忆巩固（整合 auto-dream）

⭐ 0· 227·1 current·1 all-time

byc32@amd5·duplicate of @amd5/memory-tiered

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

Capability signals

Crypto

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal

Benign

View report →

OpenClaw

Benign

medium confidence

✓

Purpose & Capability

Name/description align with the code: hooks for message:received, agent:bootstrap loader, scripts for searching, extracting, classifying, aging, deduping and consolidating MEMORY.md. The files read and write only under ~/.openclaw/workspace (memory, hooks, MEMORY.md, SESSION-STATE.md), which is coherent with a local memory-archiver skill.

ℹ

Instruction Scope

SKILL.md and hook handlers instruct the agent to read/write many workspace files, deploy hooks and add cron jobs — expected for this skill. Important runtime behaviors to note: several scripts permanently remove or move files (memory-aging.js deletes aged/excess files; memory-dedup.js modifies MEMORY.md; dream-consolidate moves/archives files). These destructive actions are consistent with 'aging' and 'cleanup' features but are high-impact and should be acceptable to the user. Also: some handlers/scripts invoke other scripts via shell (see bootstrap-loader invoking bash on a .js script), which is inconsistent with other places that call node directly.

✓

Install Mechanism

No network downloads or package installs are declared. There's no registry install spec — installation is script-driven (scripts/install.js or clawhub install). All code is included in the bundle. This is lower risk than remote download installers, but the install script attempts to auto-register hooks and add cron jobs via the openclaw CLI and prints a systemctl restart suggestion.

✓

Credentials

The skill requires no environment variables or external credentials in metadata. Runtime code uses only process.env.HOME to find the workspace — proportional for a local filesystem-based memory manager. No cloud endpoints or secret exfiltration are requested.

ℹ

Persistence & Privilege

The skill installs a persistent hook (message:received) and adds 3 cron jobs to run consolidation/archiving tasks. always is false. Autonomous invocation via hooks/cron is the feature’s intent and is expected, but this gives the skill ongoing execution and file-modification capability inside the user's workspace — review/consent is recommended before enabling.

Assessment

This skill appears to do what it says: local memory indexing, search, extraction, consolidation and pruning. Before installing: 1) Back up ~/.openclaw/workspace/MEMORY.md and your memory/ directory because several scripts will move or delete files (memory-aging.js, memory-dedup.js, dream-consolidate.js). 2) Inspect scripts/install.js if you prefer to register hooks and cron jobs manually instead of letting the installer do it automatically. 3) Note a few inconsistent/odd calls: some code runs bash against .js files (bootstrap-loader runs `bash ".../memory-loader.js"`, dream-consolidate runs `bash` on memory-dedup.js) — this looks like a conversion artifact and should be harmless if node is used instead, but you might want to change those to `node` or confirm behavior. 4) If you are cautious, run the scripts in dry-run modes where available (memory-aging.js supports --dry-run; dream-consolidate.js has --status and --force) and test install in a disposable environment first. 5) Because the skill will run repeatedly (hooks/cron), keep an eye on what it writes or deletes for the first few runs and disable the hook if behavior is not what you expect.

✗

hooks/handler.js:147