Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Memory Orchestrator

v1.0.2

Production-grade memory optimization, compression, and adaptive retrieval routing for OpenClaw. Works in local-only mode; Ollama and remote vector DB are opt...

by ChengJun @che52078
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's name/description (memory compression, routing, local-only support) matches the included scripts which operate on a local OpenClaw workspace. However, the code also reads and dynamically imports modules from an OPENCLAW_WORKSPACE path and references optional remote endpoints (MEMORY_REMOTE_URL), which are not declared in the metadata. Requiring access to arbitrary files under a workspace and dynamically loading modules is broader than a simple 'memory compression' helper and should be expected only if the user intends the package to manage a workspace.
! Instruction Scope
SKILL.md tells the user to run install.sh. The repository contains many scripts that read/write files under OPENCLAW_WORKSPACE (default ~/.openclaw/workspace), and one core script (memory-token-pipeline.py) dynamically loads modules from that workspace. The scripts also import urllib and use environment variables like MEMORY_REMOTE_URL which — if set — can enable network transmission of memory data. The SKILL.md/README claim 'ClawHub Safe Mode' and 'No automatic pip install' but the package includes an installer with pip-install logic (install_python_deps) and other runtime behaviors; this mismatch is concerning and warrants manual review.
Install Mechanism
There is no remote download or third-party install URL in the install spec — install.sh runs the included hm4d_installer.py. That installer only manipulates local files and attempts to copy scripts into the user's workspace; it does not fetch archives from unknown servers. This is lower risk than an arbitrary URL download, but the installer is opinionated about workspace layout and will execute Python subprocesses (pip, runtime checks).
! Credentials
The skill metadata declares no required env vars, but the code uses several environment values (OPENCLAW_WORKSPACE, MEMORY_REMOTE_URL, MEMORY_REMOTE_COLLECTION, MEMORY_REMOTE_TENANT, MEMORY_REMOTE_DATABASE). If MEMORY_REMOTE_URL (or similar) is set, the code path for remote syncing could transmit memory records. The installer also mentions optional ollama installation and constructs shell commands in fallback text. The presence of undeclared env vars and potential network endpoints is disproportionate without explicit user consent and documentation in the metadata.
Persistence & Privilege
always is false and the skill is user-invocable (normal). The installer copies many scripts into the user's OPENCLAW_WORKSPACE (creating files under ~/.openclaw/workspace by default). That is a persistent footprint in user home, but it does not modify other skills or system-wide config beyond the user's workspace. Autonomous invocation is allowed by default (not flagged on its own), but combined with the ability to execute workspace modules it increases the blast radius.
What to consider before installing
This package contains many local Python scripts that operate on a workspace directory (default ~/.openclaw/workspace) and can dynamically import and execute code from that workspace. Before running bash install.sh or trusting this skill:
1) Inspect the key files (scripts/memory-token-pipeline.py and scripts/hm4d_installer.py) for any network calls or exec of user files.
2) Ensure you do not have MEMORY_REMOTE_URL or other memory-related env vars set (or review their values) — if set, the skill may send memory data to that endpoint.
3) Run the installer in a sandbox or container, or on a test account, because it will create and copy scripts into your workspace.
4) The README claims 'safe-mode' / 'no automatic pip install', but the codebase contains installer logic that references pip operations and fallback install commands — assume it may attempt to install or run components unless you confirm otherwise.
If you are not comfortable with the skill reading/writing under your home directory, dynamically loading workspace modules, or optionally syncing to remote endpoints, do not install it.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c0jdfr9mk3wkk7zka8v7g1583r6s8
