Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Life Memory Logger - 生活记忆记录器

v1.0.0

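Life memory logger. Helps you record the important details of your personal relationships (birthdays, preferences, promises) and automatically reminds you to follow up, so you can be a more thoughtful person.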

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the runtime instructions: storing personal facts, events, and reminders. However the SKILL.md references helper scripts (scripts/*.py) and fixed storage paths under /memory/life-memories that are not present in the package and were not declared as required binaries; that mismatch suggests the provided bundle is incomplete or expects the agent to create/execute code that doesn't exist.
Instruction Scope
Instructions direct the agent to extract and persist sensitive personal data (health, pregnancy, finances) and manage deletion. They specify absolute filesystem paths (e.g., /memory/life-memories/people/[name].json) and scheduled tasks (cron-like entries) but do not define how reminders are delivered or what runtime has permission to run scheduled jobs. The instructions allow broad discretion (e.g., how to send reminders), which could lead to unexpected exfiltration or use of external channels unless the platform enforces strict sandboxing and delivery policies.
Install Mechanism
No install spec and no code files are included, so nothing will be downloaded or written by an installer. That minimizes supply-chain risk — but it also means important referenced artifacts (scripts referenced in SKILL.md) are missing from the package.
Credentials
The skill requests no environment variables or credentials, which is appropriate for an offline/local memory logger. However, SKILL.md references scripts and schedule execution without declaring required runtimes (e.g., Python). If those scripts are expected to run, the skill should declare required binaries or environment access; their absence is an inconsistency.
Persistence & Privilege
always is false and the skill is user-invocable (normal). The SKILL.md defines scheduled tasks (cron expressions) which imply periodic execution; this is reasonable for reminders but the mechanism (who registers the schedule, where prompts run, what permissions they have) is unspecified. No indication the skill modifies other skills or global agent settings.
Scan Findings in Context
[no_findings_instruction_only] expected: Regex scanner found nothing because this is an instruction-only skill with no code files. The SKILL.md does reference scripts (scripts/*.py) that are not included; that absence is notable but not a scanner finding.
What to consider before installing
This skill describes a reasonable, local 'memory' feature but has some important gaps and privacy risks. Before installing or enabling it:
1) Confirm where the platform will store the /memory/life-memories files and whether those paths are writable and sandboxed — prefer a user-scoped directory rather than a root-level absolute path.
2) Ask for the missing scripts (scripts/extract_memory.py, search_memory.py, generate_reminder.py) or clarify how extraction/search/reminders are implemented; don't trust an agent to 'create' code on the fly.
3) Verify how reminders are delivered (local notifications, email, push, external API) and ensure no external endpoints are used without explicit consent.
4) Ensure deletion works (test '忘记那个', "forget that") and consider encrypting stored data and restricting access.
5) If you will store health/financial/pregnancy or other sensitive data, confirm explicit consent flows and stronger protections.
If these clarifications are not provided, treat the skill as unsafe to enable for sensitive data.

Like a lobster shell, security has layers — review code before you run it.

latestvk9715nbnzq276vcabjjrzeyv7d83wqkr
