Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

sleep-consolidation

v1.0.0

Use this skill to consolidate an AI agent's daily experiences and learnings into structured long-term memory, mimicking human sleep-based memory consolidatio...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (consolidating an agent's memories to disk) matches the included scripts: they read daily logs and MEMORY.md and write curated Markdown into a workspace. However, the skill's metadata claims no required environment variables or binaries, while the code clearly requires a Python runtime and an ANTHROPIC_API_KEY — an inconsistency between declared requirements and actual capabilities.
! Instruction Scope
SKILL.md and scripts instruct the agent to load session logs and memory contents and (in flush/NREM/REM modes) send them to the Anthropic API for processing. That behavior is coherent with the skill's purpose, but it means arbitrary session content (potentially including secrets) will be transmitted to a third-party LLM. The instructions do not constrain what to redact before sending, and the skill encourages piping full session context into the API.
Install Mechanism
There is no install spec (instruction-only), so no remote binaries are downloaded. The code files are bundled with the skill, which lowers supply-chain risk vs. arbitrary downloads. Still, running bundled Python scripts writes files to disk and makes network calls, so it's not risk-free.
! Credentials
The code requires an ANTHROPIC_API_KEY (used to call api.anthropic.com) and implicitly requires a Python interpreter and a writable workspace directory (default ~/.agent_workspace). None of these were declared in the registry metadata (no required env vars, no required binaries, no config paths). Requesting an LLM API key and granting read/write access to a home workspace are material privileges that should be declared and justified.
Persistence & Privilege
The skill does persistent disk writes to a workspace (MEMORY.md, memory/, bank/). It is not force-installed (always: false). It can be invoked autonomously by agents (default), which combined with network access means it could periodically send stored memories to the external API — this is expected for the skill but increases blast radius if sensitive data is stored.
What to consider before installing
Before installing:
1) Understand that the bundled scripts will read and write files under a workspace (default ~/.agent_workspace); any data you don't want persisted or sent should not be in those logs.
2) The code sends context to api.anthropic.com and requires ANTHROPIC_API_KEY, but the registry metadata omitted that requirement; do not supply credentials unless you trust the publisher and Anthropic.
3) The metadata also didn't declare that a Python runtime is required; ensure you run the scripts in an isolated environment (container or VM) for testing.
4) If you plan to use --flush or NREM/REM modes, review session logs for secrets and consider redaction before sending; ideally run the skill with a workspace path you control.
5) Ask the publisher to update metadata to declare required env vars (ANTHROPIC_API_KEY), required binaries (python3), and the default config path, and to document any data retention/retention encryption.
If you cannot verify the publisher or code, run it offline or perform a manual code audit first.

Like a lobster shell, security has layers — review code before you run it.

latest vk97a7nz4k3r53eykf7x9awb2dn8451vh
