Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Fractal Memory
v1.0.0
Automated hierarchical memory compression system that prevents context overflow through daily→weekly→monthly→core compression. Use when you need (1) long-ter...
by Baiyuan Chiu (@bugmaker2)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The scripts and SKILL.md match the stated purpose (daily→weekly→monthly→MEMORY.md rollups). However there are inconsistencies: some scripts hardcode WORKSPACE = /Users/brianq/.openclaw/workspace while others use Path.home()/.openclaw/workspace, and rollup-daily.py invokes an external 'openclaw' CLI (openclaw ask) even though the skill metadata lists no required binaries or credentials. The hardcoded path and undeclared external CLI are disproportionate to a purely local file rollup and may cause unexpected file writes or failures.
Instruction Scope
Instructions tell the agent/user to copy scripts into ~/.openclaw/workspace, set up cron jobs, and update AGENTS.md so sessions will read/write many local files (SOUL.md, USER.md, daily/monthly files). rollup-daily.py will send full diary text to an LLM via the 'openclaw ask' CLI — this transmits private diary content to an external model. The cron examples reference running an update_now.py which is not present in the bundle. Overall the instructions stay within the memory-management goal but include explicit external data transmission and reference missing artifacts.
Install Mechanism
There is no remote download or complex installer: the user is instructed to copy the provided Python scripts into their workspace and make them executable. That is low-risk from a supply-chain perspective. All code is included in the skill bundle (no external archives).
Credentials
The skill declares no env vars/credentials, which is consistent with a local file-based tool, but rollup-daily.py requires the 'openclaw' CLI (to call an LLM) and will therefore rely on the agent/platform's credentials implicitly — this is not documented in requires.env. The hardcoded path (/Users/brianq/...) in two scripts is unexpected and could be inappropriate on other systems. Requesting filesystem access to ~/.openclaw/workspace and the ability to create cron jobs is proportionate to the purpose, but the implicit transmission of diary contents to an external model needs explicit disclosure and user consent.
Persistence & Privilege
The skill does not request always:true or modify other skills. It asks you to add cron jobs and copy scripts into your workspace (user-controlled actions). It does write state files (rollup-state.json, integrity.json) under the user's workspace, which is expected and scoped to its memory domain.
What to consider before installing
This skill is coherent with its stated goal (automated rollups) but has several things to check before you install:
1) Privacy: rollup-daily.py sends your full daily diary text to an external LLM via the 'openclaw ask' CLI — if that LLM is remote, your private notes will leave your machine. Confirm you are comfortable with that and that your agent/CLI credentials are intended to be used for this.
2) Path inconsistencies: two scripts hardcode /Users/brianq/.openclaw/workspace while others use Path.home(); update those paths to your own workspace before running to avoid writes to unexpected locations.
3) Undeclared dependencies: the SKILL.md and registry do not declare that 'openclaw' and Python3 are required; ensure those binaries exist and that 'openclaw ask' behavior is acceptable.
4) Missing artifact: cron examples reference update_now.py which is not included — verify cron payloads before adding jobs.
5) Test first in an isolated or backed-up workspace: run the scripts manually, inspect what files they create/modify (memory/, integrity.json, rollup-state.json, MEMORY.md), and run verify_memory_integrity.py to see detected changes.
If you need stronger privacy, set USE_LLM = False in rollup-daily.py (falls back to heuristic extraction) or remove the openclaw ask call entirely.
Like a lobster shell, security has layers — review code before you run it.
latest vk977qcv8yv1w3ysggk6w9z61p981c3as
