Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Project Context Manager
v1.0.0Project-based agent context management system for maintaining long-term memory and project state across sessions. Use when starting or continuing any softwar...
⭐ 0· 134·0 current·0 all-time
by崔之行@changer-changer
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name and description describe project-level context and long-term memory; the skill is instruction-only and requires no external credentials or binaries. The required read/write of PROJECT_CONTEXT.md and AI_memory/ is coherent with 'project context manager' functionality.
Instruction Scope
The SKILL.md instructs the agent to record detailed 'cognitive processes' in AI_memory/ and to append never-delete history to PROJECT_CONTEXT.md (session traces, self-corrections, 'Aha! moments', etc.). That effectively preserves chain-of-thought and possibly sensitive project or user data permanently. It also mandates updates 'BEFORE outputting suggestions', increasing the chance internal reasoning and intermediate drafts are persisted. There are no safeguards described for redacting secrets or limiting retention or scope.
Install Mechanism
No install spec and no code files — lowest-risk delivery method. Nothing is downloaded or written by an installer by default; all behaviors come from agent-run operations following the instructions.
Credentials
The skill does not request environment variables or external credentials (proportional). However, its TechSpec and routines encourage recording environment details (OS, CUDA, versions) and other system constraints into persistent files. Collecting and storing such system metadata may be unnecessary for some projects and could leak sensitive configuration info.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. However, it explicitly requires creating and keeping append-only logs (PROJECT_CONTEXT.md @History and AI_memory/ traces), which yields long-lived on-disk data that may grow unbounded and retain potentially sensitive content unless the user controls where those files are written.
What to consider before installing
This skill is coherent with its stated goal but stores detailed, persistent project and agent reasoning files (PROJECT_CONTEXT.md and AI_memory/). Before using it: 1) Decide and confirm the exact directory where these files will be written (limit to a non-sensitive project folder). 2) Add those files to .gitignore or other VCS ignore rules as appropriate to avoid accidental commits. 3) Expect that internal reasoning, intermediate drafts, environment info, and possibly secrets could be recorded — sanitize inputs and avoid pasting secrets into prompts. 4) Consider adding explicit retention/rotation policies or manual review steps for PROJECT_CONTEXT.md and AI_memory/; require redaction of secrets. 5) If you need privacy for the project, avoid enabling automatic session-trace logging or restrict the skill to trusted/non-sensitive projects. If you want me to, I can draft a safer, privacy-preserving variant of the protocols (e.g., redaction checks, optional retention limits, or opt-in tracing).Like a lobster shell, security has layers — review code before you run it.
latestvk975jk0cf0560ntmdmg7xty7rh834ae5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.