Core Capabilities V2
Security checks across malware telemetry and agentic risk
Overview
This memory tool is mostly purpose-aligned, but its monitor server can expose local memory/workspace data over an unauthenticated network interface and trigger a local command.
Use the memory query tool only after backing up any existing memory.db. Do not run monitor_server.py on an untrusted network unless you first change it to bind to localhost, add authentication, remove wildcard CORS, and restrict what files/API fields it serves. Run setup_cron.sh only if you want a persistent 30-minute sync job and verify your crontab afterward.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the monitor server is run, anyone who can reach the port, or a website loaded in the user's browser, may be able to read exposed workspace files or memory API responses.
The server binds to all interfaces (the empty host string in TCPServer), serves the entire workspace directory (a path hard-coded to one user's home) through the handler's directory argument, and sends Access-Control-Allow-Origin: * on responses, so any website open in the user's browser can read them cross-origin. No authentication is present anywhere in the handler.
WORKSPACE = Path("/home/awu/.openclaw/workspace") ... super().__init__(*args, directory=str(WORKSPACE), **kwargs) ... self.send_header('Access-Control-Allow-Origin', '*') ... with socketserver.TCPServer(("", port), MemoryMonitorHandler) as httpd
Bind the server to 127.0.0.1 by default, serve only specific status files, remove wildcard CORS, add authentication, and clearly document the actual port and exposure model.
Private notes or memory records could be exposed through the monitoring API if the server is reachable.
The HTTP API returns memory names, descriptions, content, and source files from the SQLite database, with no authentication shown.
elif self.path == '/api/memories': ... SELECT id, name, description, type, content, source_file, created_at, classified_type FROM memories ... LIMIT 100
Require a local-only authenticated token for memory APIs, minimize returned fields, and avoid exposing full memory content unless the user explicitly requests it.
Anyone who can access the monitor endpoint can trigger local command execution of the refresh script, and the executed script is outside the reviewed package contents.
A GET request to the refresh endpoint runs a shell command through os.system that executes a local Python script, cron_monitor.py, from the workspace. Because the trigger is a plain GET, a page in the user's browser can fire it with an img tag or a navigation; CORS only controls whether the response can be read, not whether the request is sent. cron_monitor.py itself is outside the reviewed package contents, so what actually runs is not known from this review.
elif self.path == '/api/refresh': self.refresh_status() ... os.system(f"cd {WORKSPACE} && python3 cron_monitor.py > /dev/null 2>&1")
Do not expose shell execution through an unauthenticated HTTP endpoint; replace it with a reviewed internal function or require local-only authenticated access.
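As an added example (not the skill's own code), the three monitor-server findings above can be addressed in one hardened handler: loopback bind, a bearer token checked in constant time, no Access-Control-Allow-Origin header, an allowlist of servable status files instead of the whole workspace, a memory API that omits content and source_file, and a refresh action that is POST-only and runs the script as an argv list rather than through a shell. The token file name, the allowlisted file names and the port are assumptions; the report does not document them.

```python
import hmac
import json
import secrets
import sqlite3
import subprocess
import sys
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path

# Assumed layout (the report quotes ~/.openclaw/workspace with memory.db beside the scripts).
WORKSPACE = Path.home() / ".openclaw" / "workspace"
DB_PATH = WORKSPACE / "memory.db"
TOKEN_FILE = WORKSPACE / ".monitor_token"  # hypothetical file holding the shared secret
SERVABLE = {"status.json", "index.html"}   # hypothetical allowlist of status files

def load_or_create_token(path=TOKEN_FILE):
    """Return the bearer token, generating an owner-only random one on first run."""
    if path.exists():
        return path.read_text().strip()
    path.parent.mkdir(parents=True, exist_ok=True)
    token = secrets.token_urlsafe(32)
    path.write_text(token)
    path.chmod(0o600)
    return token

def authorized(header_value, expected):
    """Constant-time check of an 'Authorization: Bearer <token>' header."""
    if not header_value or not header_value.startswith("Bearer "):
        return False
    return hmac.compare_digest(header_value[len("Bearer "):], expected)

def safe_file(requested, servable=SERVABLE):
    """Map a request path onto the allowlist; anything else (including ../) gets None."""
    name = requested.split("?", 1)[0].lstrip("/") or "index.html"
    return name if name in servable else None

def memory_summary(db_path=DB_PATH, limit=100):
    """Expose only id, name and type; content and source_file never leave the host."""
    conn = sqlite3.connect(db_path)
    rows = conn.execute("SELECT id, name, type FROM memories ORDER BY id LIMIT ?", (limit,)).fetchall()
    conn.close()
    return [{"id": r[0], "name": r[1], "type": r[2]} for r in rows]

def run_refresh(workspace=WORKSPACE):
    """Run the reviewed refresh script as an argv list, not through os.system and a shell."""
    proc = subprocess.run([sys.executable, str(workspace / "cron_monitor.py")],
                          cwd=workspace, capture_output=True, text=True, timeout=120)
    return proc.returncode

class MonitorHandler(BaseHTTPRequestHandler):
    token = ""  # set by serve()

    def _json(self, code, payload):
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        # No Access-Control-Allow-Origin header: other origins cannot read these responses.
        self.end_headers()
        self.wfile.write(json.dumps(payload).encode())

    def _check_auth(self):
        if authorized(self.headers.get("Authorization"), self.token):
            return True
        self._json(401, {"error": "unauthorized"})
        return False

    def do_GET(self):
        if not self._check_auth():
            return
        if self.path == "/api/memories":
            return self._json(200, {"memories": memory_summary()})
        name = safe_file(self.path)
        if name is None:
            return self._json(404, {"error": "not found"})
        self.send_response(200)
        self.end_headers()
        self.wfile.write((WORKSPACE / name).read_bytes())

    def do_POST(self):
        # Refresh changes state, so it is POST-only: a plain img or link GET cannot fire it.
        if not self._check_auth():
            return
        if self.path != "/api/refresh":
            return self._json(404, {"error": "not found"})
        self._json(200, {"refresh_exit_code": run_refresh()})

def serve(port=8765):  # port is an assumption; the report notes the real one is undocumented
    MonitorHandler.token = load_or_create_token()
    # Loopback only: unreachable from other hosts on the network.
    with ThreadingHTTPServer(("127.0.0.1", port), MonitorHandler) as httpd:
        httpd.serve_forever()

if __name__ == "__main__":
    serve()
```

Local clients send the token from the 0600 file as a bearer header; a web page in the same browser cannot read that file, cannot attach the header, and cannot read responses without CORS, which closes the browser-side exposure the findings describe.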
Running a normal query or sync could erase existing memory database records after a schema mismatch.
The database initializer can automatically drop the memories table if the schema does not match, without a visible backup or confirmation step.
if columns and not required_columns.issubset(columns):
# drop the old table and recreate it
cursor.execute("DROP TABLE IF EXISTS memories")
Use a non-destructive migration path, create an automatic backup before schema changes, and ask for confirmation before deleting user memory data.
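As an added example (not the skill's code), the DROP TABLE branch above can be replaced by a migration that takes an online backup of memory.db first and then adds only the missing columns with ALTER TABLE, so existing rows survive. The column list is taken from the SELECT quoted in this report; the column types are assumptions, since the report does not show the CREATE TABLE statement.

```python
import sqlite3
import time
from pathlib import Path

# Columns the current code expects, taken from the SELECT the report quotes.
# The types are assumptions; the report does not show the CREATE TABLE statement.
REQUIRED_COLUMNS = {
    "id": "INTEGER PRIMARY KEY",
    "name": "TEXT",
    "description": "TEXT",
    "type": "TEXT",
    "content": "TEXT",
    "source_file": "TEXT",
    "created_at": "TEXT",
    "classified_type": "TEXT",
}

def existing_columns(conn):
    """Column names of the memories table, or an empty set if it does not exist."""
    return {row[1] for row in conn.execute("PRAGMA table_info(memories)")}

def backup_db(db_path):
    """Consistent copy via sqlite3's online backup API, even if the DB is in use."""
    dest = db_path.with_name(f"{db_path.stem}.{int(time.time())}.bak")
    src, dst = sqlite3.connect(db_path), sqlite3.connect(dest)
    try:
        src.backup(dst)
    finally:
        src.close()
        dst.close()
    return dest

def migrate(db_path, required=REQUIRED_COLUMNS):
    """Create the table if absent; otherwise ADD missing columns after taking a backup.
    The table is never dropped, so existing memory rows survive a schema mismatch."""
    result = {"created": False, "added": [], "backup": None}
    conn = sqlite3.connect(db_path)
    try:
        columns = existing_columns(conn)
        if not columns:
            cols = ", ".join(f"{c} {t}" for c, t in required.items())
            conn.execute(f"CREATE TABLE memories ({cols})")
            conn.commit()
            result["created"] = True
            return result
        missing = [c for c in required if c not in columns]
        if not missing:
            return result
        if "id" in missing:
            # ALTER TABLE ADD COLUMN cannot add a PRIMARY KEY; that case needs a
            # copy-into-new-table migration and must still not silently drop data.
            raise RuntimeError("memories table lacks 'id'; manual migration required")
        result["backup"] = str(backup_db(db_path))  # back up first, then touch the schema
        for col in missing:
            # Column names and types come from our own constant, never from user input.
            conn.execute(f"ALTER TABLE memories ADD COLUMN {col} {required[col]}")
        conn.commit()
        result["added"] = missing
    finally:
        conn.close()
    return result

if __name__ == "__main__":
    print(migrate(Path(__file__).parent / "memory.db"))
```

migrate() returns what it did (created, columns added, backup path) so the caller can show the user a summary instead of a silent table drop; a confirmation prompt, as the recommendation asks for, belongs in the caller before migrate() is invoked.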
The skill can keep running periodic sync work after initial setup, changing the local memory database and writing logs.
The setup script installs a recurring background sync job every 30 minutes when the user runs it.
echo "*/30 * * * * cd $SCRIPT_DIR && python3 $PYTHON_SCRIPT --sync-now >> $LOG_FILE 2>&1") | crontab -
Run setup_cron.sh only if periodic sync is desired, inspect crontab after setup, and remove the job when no longer needed.
Private or untrusted markdown content placed in the memory directory may be stored and reused in future memory queries.
The tool persists markdown memory content into a local SQLite database for later querying.
DB_PATH = Path(__file__).parent / "memory.db" ... MEMORY_DIR = Path(__file__).parent / "memory" ... INSERT OR REPLACE INTO memories ... content, source_file
Keep secrets out of the memory directory, protect memory.db and logs, and treat retrieved memory content as untrusted unless verified.
