Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Memoclaw Skill
v1.23.5
Memory-as-a-Service for AI agents. Store and recall memories with semantic vector search. 100 free calls per wallet, then x402 micropayments. Your wallet add...
⭐ 4· 2.3k·14 current·15 all-time
by Ana @anajuliabit
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's purpose (semantic memory storage via MemoClaw) aligns with the included CLI commands and API docs, but the registry metadata declares no required environment variables or credentials while SKILL.md and scripts explicitly require MEMOCLAW_PRIVATE_KEY (wallet auth) and a memoclaw CLI. The omission of those requirements from the metadata is inconsistent and unexplained.
Instruction Scope
Runtime instructions (SKILL.md) instruct the agent to run the memoclaw CLI (installable via npm), call api.memoclaw.com over HTTPS, and run interactive initialization (memoclaw init); the preflight script reads ~/.memoclaw/config.json or the MEMOCLAW_PRIVATE_KEY env var. These instructions grant the agent the ability to run shell commands, access a local wallet config, and perform network calls. All of this is consistent with the skill's purpose but sensitive in practice and not fully declared in the manifest.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but SKILL.md tells users to run `npm install -g memoclaw`. Installing a global npm package is a normal flow for a CLI client but does carry the usual risks of third-party packages; the skill itself does not automatically download or extract code. Two included helper scripts exist (preflight.sh, sync-nested.sh) but are not executed by default by the platform.
Credentials
SKILL.md and scripts require a sensitive credential (MEMOCLAW_PRIVATE_KEY) and read/write a local config (~/.memoclaw/config.json), but the registry metadata lists no required env vars or primary credential. Requesting a private key (or otherwise controlling a wallet) is high-sensitivity and should be explicitly declared and justified in the manifest — the current mismatch is disproportionate and unexplained.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform-wide privileges. A provided helper script (scripts/sync-nested.sh) copies docs into a .agents/skills/memoclaw path which would write files into a repo tree if run; the script is present but not automatically executed. Overall persistence/privilege requests appear moderate but warrant review before executing included scripts.
What to consider before installing
Before installing or running this skill:
(1) Ask the publisher why MEMOCLAW_PRIVATE_KEY (a private wallet key) and the memoclaw CLI are not declared in the registry metadata; this is an omission.
(2) Do NOT expose your primary wallet/private keys. If you must provide a private key, create a dedicated, low-value wallet funded only for testing.
(3) Inspect the memoclaw npm package source (and its npm publisher) before running `npm install -g memoclaw` to confirm there are no surprises.
(4) Avoid exporting MEMOCLAW_PRIVATE_KEY into long-lived CI or shared environments; prefer running the interactive memoclaw init, which stores keys locally, if you trust the CLI.
(5) Treat the included scripts (preflight.sh, sync-nested.sh) as developer utilities; review their content before executing. sync-nested.sh writes files into a .agents/skills path.
If you want higher confidence, request that the skill author update registry metadata to explicitly list required env vars (MEMOCLAW_PRIVATE_KEY), required binaries (memoclaw), and clarify exactly what the agent will execute and when.
latest vk9775v2w65hse0y515tvydyh39836xrm
