Skillv1.0.0

ClawScan security

memory-system · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 8, 2026, 3:29 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's functionality (Postgres + pgvector-based long-term memory) matches its description, but the code and SKILL.md have inconsistent/undocumented requirements (hardcoded DB creds, implicit binaries, hardcoded local embedding endpoint) and a few risky patterns that should be resolved before trust.
Guidance: This skill mostly does what it says (archives local markdown memories into Postgres and performs vector/semantic search), but there are several red flags you should address before installing or running it on sensitive data: - The scripts assume psql and curl are available and a local embedding service at http://localhost:11434; those requirements are not declared. Ensure you understand and control those services. - The code hardcodes the DB username ('damien') and ports; it lacks environment-variable configuration. Prefer changing the scripts to accept DB credentials via secure env vars or a config file before use. - The archiver reads ~/.openclaw/workspace/memory and will import file contents into a database. Only run it if you trust the source and the destination DB. If the local embedding service proxies requests externally, your data could be sent outside your machine. - The import uses naive string interpolation to build SQL passed to psql; this is brittle and could lead to SQL quoting issues or injection-like problems for unusual content. Use parameterized inserts or a DB client library instead. If the author can (a) declare required binaries/env vars, (b) make DB and embedding endpoints configurable through env vars, and (c) fix SQL parameterization, the skill would be much safer. Until then, run it in a controlled/non-sensitive environment and review/modify the scripts yourself.

Review Dimensions

Purpose & Capability: concernThe declared purpose (structured + vector memory with Postgres/pgvector and local embeddings) is coherent with the code. However the skill listing declared no required binaries or env vars, while the scripts assume psql, curl, and a local embedding service on localhost:11434 and use a hardcoded DB user 'damien' and ports 5432/5433. The lack of declared requirements/configuration is a mismatch and reduces transparency.
Instruction Scope: noteInstructions and scripts explicitly read local files under ~/.openclaw/workspace/memory and insert/archive them into local Postgres — this is within the stated purpose. The vector search posts queries to a hardcoded local embedding API (http://localhost:11434/api/embeddings). There is no evidence of external network exfiltration beyond the local embedding call, but if that local service proxies externally it could leak content.
Install Mechanism: okNo install spec (instruction + small scripts) — lowest-risk install mechanism. Nothing is downloaded or extracted by the skill itself.
Credentials: concernNo required env vars or credentials were declared in metadata, yet the code hardcodes database access (user 'damien', ports 5432/5433) and assumes presence of psql and curl. This is disproportionate: either required env/binaries should be declared or credentials/parameters should be configurable (env vars or config file). Hardcoded credentials reduce safety and transparency.
Persistence & Privilege: okalways:false and the skill does not request system-wide persistence or modify other skills. It runs local file I/O and subprocesses but does not request elevated or persistent platform privileges.