Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Chen Memory Setup
v1.0.0Enable and configure Moltbot/Clawdbot memory search for persistent context. Use when setting up memory, fixing "goldfish brain," or helping users configure m...
⭐ 0· 87·1 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The name/description align with the SKILL.md: it configures memorySearch, MEMORY.md, and memory/ logs — all expected. However, the documentation references setting VOYAGE_API_KEY and OPENAI_API_KEY although the skill's declared requirements list no environment variables; additionally the registry ownerId differs from the _meta.json ownerId, which suggests a packaging/metadata inconsistency that merits verification.
Instruction Scope
The instructions are narrowly scoped to editing ~/.clawdbot/clawdbot.json (or moltbot.json), creating workspace memory files, and restarting the gateway. Those actions are coherent with enabling memory. Important privacy/operational implications: it recommends indexing 'sessions' (past conversation transcripts) which can expose sensitive data to the memory index and any embedding provider, and it instructs restarting the gateway via 'clawdbot gateway restart' which performs an operational action that should be run intentionally by the user.
Install Mechanism
No install spec or code files — instruction-only — so nothing will be downloaded or written to disk by an installer step. This is the lowest install-surface risk.
Credentials
The notes tell users to set VOYAGE_API_KEY and OPENAI_API_KEY for provider errors, but the skill metadata does not declare any required environment variables or a primary credential. That mismatch reduces transparency. Requiring embedding API keys would be proportionate to the task, but they should be declared in the skill manifest so users know up-front what secrets are needed.
Persistence & Privilege
always:false (not force-included) and no persistent install actions are requested. However, the instructions explicitly direct editing agent config files and restarting the gateway; if you allow autonomous agent actions, the agent could apply these changes without further manual approval. Consider whether the agent has permission to modify those files or restart services in your environment.
What to consider before installing
This skill appears to do what it says (configure memory) but check a few things before proceeding: 1) Verify the publisher/owner — the registry ownerId and _meta.json ownerId differ, which could indicate a copy/paste or repackaging; confirm you trust the source. 2) Back up your existing ~/.clawdbot/clawdbot.json and workspace before making changes. 3) Be cautious about enabling 'sources: ["sessions"]' — that will index past conversation transcripts and can surface sensitive data to whichever embedding provider you choose. 4) Only provide VOYAGE_API_KEY or OPENAI_API_KEY to trusted providers and understand how those providers store/process embeddings. 5) If you allow the agent to act autonomously, be aware it could modify config and restart the gateway; if you want manual control, don't grant autonomous execution or run the suggested commands yourself. 6) If anything looks unfamiliar (owner mismatch, unexpected workspace paths, unfamiliar provider names), ask the publisher for clarification before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk97130q9zmcsteac9e7eay2qen83c94s
License
MIT-0
Free to use, modify, and redistribute. No attribution required.