Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Smart Memory v2.5.1
Persistent local cognitive memory for OpenClaw via a Node adapter and FastAPI engine.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
Name/description match the included code: FastAPI server, Node adapter, ingestion/retrieval, background cognition, and OpenClaw hooks. The files and exported methods align with a local memory runtime. Minor mismatch: code reads an env var (COGNITIVE_EMBEDDER) and supports Nomic embeddings but requires no declared env vars in the registry metadata.
Instruction Scope
SKILL.md instructs agents/operators to inject active context into the agent base prompt and to run priming scripts that read local files (SOUL.md, USER.md, .session-memory-context.json, memory/YYYY-MM-DD.md). This is functionally consistent with a memory skill, but the explicit advice to modify the agent base prompt and to run startup scripts is a prompt-injection vector that can influence model behavior beyond typical tool calls. The docs also instruct reading workspace files — appropriate for memory but increases risk of accidental exposure of sensitive files if misconfigured. The changelog references earlier path-traversal fixes and allowlists, which mitigates some file-read risk but the runtime instructions still grant broad discretion to read and inject local context.
Install Mechanism
There is no automated install spec in the registry, but SKILL.md directs full local installation (python venv, pip install torch from PyTorch CPU index, pip -r requirements, npm install). The package contains postinstall.js and install scripts (postinstall, install.sh, smem-hook.sh). More importantly, the local Nomic embedder uses sentence-transformers with trust_remote_code=True and model nomic-ai/nomic-embed-text-v1.5 — this will fetch models/code from remote hosts during install/runtime. That behavior increases risk and should be reviewed before running network install steps.
Credentials
Registry metadata declares no required env vars or credentials, which is consistent with a local-only memory skill. However, the code checks COGNITIVE_EMBEDDER (not declared) and the Nomic embedder may fetch remote weights/code. There are no cloud API keys requested, which is good. The combination of on-disk storage under data/ and instructions to copy scripts into ~/.openclaw implies write/read access to home/workspace files — appropriate for a memory runtime but not a trivial grant, so operators should confirm the intended storage locations and permissions.
Persistence & Privilege
The skill is not force-included (always:false) and does not itself request system-wide privileges. However, documentation instructs copying priming scripts into user home and adding lines to the agent base prompt; those are manual steps that, if followed, make the agent read local context automatically at startup. That is expected for a memory skill but increases the blast radius if the skill or its prompt guidance is malicious.
Scan Findings in Context
[system-prompt-override] expected: SKILL.md explicitly asks you to add guidance to the agent base prompt and to inject [ACTIVE CONTEXT] before responses. This is expected for a memory/priming integration, but it is also a form of prompt injection that can alter model behavior — review the exact text before applying to production agents.
What to consider before installing
This package appears to implement a full local memory runtime and mostly does what it says, but there are several elevated-risk items to review before installing and wiring it into a live agent:
- Prompt injection: The SKILL.md recommends adding lines to your agent base prompt and using hooks that inject [ACTIVE CONTEXT] before model responses. That will change the model's system-level guidance; inspect/modify those lines to ensure they don't give unintended privileges or instructions.
- Local file access: The integration/priming steps read local files (SOUL.md, USER.md, memory/YYYY-MM-DD.md and other workspace files). Confirm the allowlist/path restrictions and verify the server's code (search for any file-read code) so it doesn't access unintended system files. The changelog mentions path-traversal fixes and an allowlist, but you should validate those protections in the code shipped to you.
- Remote code/model downloads: The Nomic embedder uses sentence-transformers with trust_remote_code=True and a nomic model — installing or instantiating this will download remote model artifacts and may execute code. If you must use this embedder, prefer a controlled environment (air-gapped or vetted model wheels) or use the deterministic hashing embedder fallback.
- Post-install scripts: Review postinstall.js, install.sh, and smem-hook.sh before running npm/pip install. Run installs inside an isolated virtualenv or container and avoid running as root.
- Run in isolation first: Start the memory service in a container or VM with mounted data volumes you control, and verify network activity before connecting it to production agents. Monitor the service's outgoing network calls during model downloads and runtime.
- If you plan to auto-wire this into an agent's startup flow, consider keeping the memory server as a sidecar process and require explicit operator approval before the agent adopts injected system prompts.
If you want, I can point to the exact files/functions to audit (postinstall.js, smem-hook.sh, embeddings/nomic_embedder.py, and any file-read paths) or create a short checklist of lines to review.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
- examples/session-start/nodejs-agent.js:49 — Shell command execution detected (child_process).
- smart-memory/index.js:158 — Shell command execution detected (child_process).
- smart-memory/postinstall.js:14 — Shell command execution detected (child_process).
- smart-memory/index.js:11 — Environment variable access combined with network send.
- skills/smart-memory-v25/README.md:45 — Prompt-injection style instruction pattern detected.
