Nm Memory Palace Digital Garden Cultivator

Advisory

Audited by Static analysis on May 9, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user should not provide tokens or account access unless separate trusted documentation clearly explains why they are needed.

Why it was flagged

The artifact metadata/signals mention sensitive credential-related capability, but the reviewed skill files and requirements do not identify any token, account, service, or scope. This looks like a capability-signal ambiguity rather than evidence of credential handling.

Skill content

Capability signals: crypto; requires-oauth-token; requires-sensitive-credentials ... Required env vars: none ... Primary credential: none

Recommendation

Clarify or remove the credential capability signals; if credentials are ever required, document the exact service, scopes, storage, and use.

What this means

Running an unreviewed local script could execute code that was not included in this skill package.

Why it was flagged

The Quick Start references a Python helper script, but the provided manifest contains only markdown files and no install spec. Metrics generation is purpose-aligned, but any local or externally obtained script would be outside this review.

Skill content

python scripts/garden_metrics.py path/to/garden.json --format brief

Recommendation

Run the metrics command only if you can inspect and trust the referenced script, or install the upstream plugin from a trusted source.

What this means

Private ideas, session summaries, or incorrect notes could persist and be reused later.

Why it was flagged

The skill is intentionally about persistent knowledge bases and may incorporate session-derived insights. That is purpose-aligned, but stored notes can contain sensitive information or influence future retrieval.

Skill content

Builds dynamic knowledge bases that evolve over time ... `session-palace-builder` - Seed garden from session insights

Recommendation

Keep secrets out of the garden, review imported session insights, and define where garden content is stored and reused.

Note

High Confidence

ASI08: Cascading Failures

What this means

Useful notes could be archived or deleted if the inactivity rule is applied too aggressively.

Why it was flagged

The maintenance workflow can remove or archive content based on inactivity. This is expected for garden maintenance, but broad application without confirmation could cause unintended note loss.

Skill content

Archive | After 30 days inactive | Move to archive or delete

Recommendation

Require confirmation before deletion, prefer archiving over deletion, and back up the garden before bulk maintenance.

What this means

A repository commit could skip checks that normally catch mistakes or unsafe changes.

Why it was flagged

The troubleshooting section includes a command pattern for bypassing pre-commit hooks. It is user-directed and says to fix issues afterward, but bypassing hooks can skip quality or security checks.

Skill content

Run `SKIP=... git commit` to bypass temporarily, then fix issues

Recommendation

Use hook bypasses only when you understand the hook being skipped and have a plan to run or satisfy the checks afterward.