Nm Memory Palace Knowledge Locator
PassAudited by VirusTotal on May 9, 2026.
Overview
Type: OpenClaw Skill Name: nm-memory-palace-knowledge-locator Version: 1.0.2 The skill bundle provides documentation and command structures for a 'Knowledge Locator' system designed to search and navigate hierarchical data structures (memory palaces). While it references an external script (`scripts/palace_manager.py`) that is not included in the provided files, the instructions in SKILL.md and the technical modules are consistent with the stated purpose of information retrieval and context-aware searching. There are no signs of malicious intent, data exfiltration, or harmful prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Sensitive, stale, or poisoned stored knowledge could be repeatedly surfaced into future tasks and influence the agent’s work.
The skill is designed to index all stored memory palaces, connect them, and track usage patterns for later retrieval, but the artifacts do not define scope limits, exclusions, retention, or validation of retrieved memories.
1. **Build Index** - Create spatial index of all palaces ... 3. **Map Cross-References** ... 5. **Analyze Patterns** - Track and optimize based on usage
Install only if you understand which palaces are indexed; add or verify controls for palace selection, source review, retention, and clearing/rebuilding indices.
The skill or its dependencies may request or use sensitive credentials in a way that is not clear from the user-facing documentation.
The credential contract is inconsistent: the requirements say no credentials are needed, but capability signals indicate OAuth or sensitive credential use without explaining which account, token, or scope is involved.
Required env vars: none ... Primary credential: none ... Capability signals: requires-oauth-token; requires-sensitive-credentials
Before installing, confirm why OAuth or sensitive credentials are signaled, what service they belong to, and what permissions they grant.
Following the documented commands may rely on code outside this review, which could have different permissions or behavior than the skill text suggests.
The documented workflows depend on an external plugin/script that is not included in this instruction-only package, so the referenced runtime behavior cannot be verified from the supplied artifacts.
For the full experience with agents, hooks, and commands, install the Claude Code plugin. ... python scripts/palace_manager.py search "authentication" --type semantic
Inspect the referenced plugin and palace_manager.py before using the command workflows, especially if they access private memories or credentials.