Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (team/shared memory) match the included scripts: sync.js performs local copy/sync of markdown memories under ~/.openclaw/workspace and secret-scan.js looks for common secret patterns. No credentials, external services, or unrelated binaries are required.
Instruction Scope
SKILL.md and scripts limit actions to local filesystem operations (reading/writing under HOME/.openclaw/workspace and scanning user-supplied paths). The secret scanner can be invoked against arbitrary directories (--dir) and will read many text file types—this is expected for a scanner but means it can examine any files you point it at.
Install Mechanism
There is no install spec or remote download; the skill is instruction-only with two included Node.js scripts. Requirement is node >=18. No archives or external installers are fetched.
Credentials
The scripts implicitly use process.env.HOME to locate the workspace, which is proportional to a local-sync tool. The skill requests no environment secrets or config paths. Users should note the implicit reliance on the HOME path and file permissions.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or global agent configs. It writes state and lock files only under ~/.openclaw/workspace/memory/team, which is consistent with its sync purpose.
Assessment
This skill appears to do what it claims: local syncing of markdown 'memory' files and local secret scanning. Before installing or running it, review and be comfortable with these points: (1) the scripts operate on your filesystem under $HOME/.openclaw/workspace and will read/write files there—ensure you trust the author and that the workspace path is appropriate; (2) secret-scan can be pointed at any directory and will read many file types to detect sensitive tokens—do not run it against system or root-owned directories with elevated privileges unless you intend to; (3) there is no network communication in the included code, so it does not exfiltrate secrets, but you should still inspect and run the scripts in a safe environment first; (4) verify Node.js >=18 and run with least privilege; and (5) the package author is unknown—if you need higher assurance, ask for provenance or a code-signing/source repo before enabling automated runs.Like a lobster shell, security has layers — review code before you run it.
latestvk972nend1csqdbg5sndq9tcafx84t2xr
License
MIT-0
Free to use, modify, and redistribute. No attribution required.