Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Memory Boost
v1.1.1Simple text-based memory system for AI assistants - auto-install script included
⭐ 0· 116·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Declared purpose is a simple text-based memory system and the included install.sh creates plain-text memory files — that is consistent. However, SKILL.md repeatedly references files under the home directory (~/MEMORY.md, ~/memory/...) while install.sh writes files into WORKSPACE_DIR (two levels above the script). This path mismatch is an incoherence: users or agents following the SKILL.md may read/write different locations than the installer creates.
Instruction Scope
SKILL.md contains explicit, 'MANDATORY' system directives that require the AI to automatically read these memory files at session start and write them after tasks. That behavior is within the claimed purpose (memory), but the mandatory language gives the skill strong influence over agent behavior and could cause frequent automatic reads/writes of possibly sensitive data. The instructions do not reference unrelated files or credentials, but they give broad discretion to read/write user files every session.
Install Mechanism
There is no network install; install.sh is bundled and only creates local markdown files. This is low-risk compared to downloads, but the installer uses a WORKSPACE_DIR calculation (dirname(dirname(script_dir))) rather than the home (~) paths referenced elsewhere, which is an inconsistency to verify before running.
Credentials
The skill requests no environment variables, no credentials, and doesn't reach out to external endpoints. The lack of required secrets is proportionate to a local text-memory feature.
Persistence & Privilege
The skill is not set to always:true and does not request platform-level privileges. However, its SKILL.md attempts to impose mandatory persistent behavior on the agent (always read/write memory files every session), which effectively grants the skill ongoing influence over the agent's data flow. Combine that with any external integrations the agent has and the blast radius increases.
What to consider before installing
Before installing or running the installer: 1) Inspect where files will be created — install.sh creates files in WORKSPACE_DIR (two levels above the script); SKILL.md tells the agent to use ~/ paths. Confirm which location you want and edit the script or SKILL.md to match. 2) Consider sensitivity: MEMORY.md will store long-term plain-text data. Don't store passwords, API keys, or PII there. 3) If your agent has external integrations (webhooks, plugins, or cloud connectors), understand that automatic read/write of these files could leak memory contents; restrict or review outbound integrations before enabling automatic memory writes. 4) Run the installer in a safe test workspace first to confirm behavior. 5) If you want tighter control, remove or modify the SKILL.md's mandatory instructions so writes occur only when explicitly requested, or redirect memory files to an encrypted location or a workspace the agent cannot exfiltrate from. If you want me to, I can show exact edits to align paths or to make writes explicit rather than mandatory.Like a lobster shell, security has layers — review code before you run it.
best-practicevk976m0mm57sd4fs42g3n2f0shh83e367latestvk9799ctpsc5jge3a53bs2kzsns840ey8memoryvk976m0mm57sd4fs42g3n2f0shh83e367productivityvk976m0mm57sd4fs42g3n2f0shh83e367text-basedvk976m0mm57sd4fs42g3n2f0shh83e367workflowvk976m0mm57sd4fs42g3n2f0shh83e367
License
MIT-0
Free to use, modify, and redistribute. No attribution required.