Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Inkwell
v1.0.0Bootstrap a complete 3-layer memory system for any OpenClaw agent. PARA knowledge structure, QMD search integration, daily consolidation cron, transcript ver...
⭐ 0· 17·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The declared registry name is Inkwell but the SKILL.md header identifies the skill as 'mindkeeper' — a naming mismatch that could be benign (rename) or indicate sloppy/repurposed content. Overall the requested actions (create PARA directories, add templates, configure QMD, cron jobs, transcript handling, sign-off) align with a memory bootstrapper, so required capabilities appear proportionate to the described purpose.
Instruction Scope
The runtime instructions ask the operator/agent to: create and write many workspace files, install and configure a local search sidecar (QMD), add cron jobs that run model calls, modify AGENTS.md or system prompts (explicitly suggested in transcripts.md), and optionally run 'openclaw gateway stop' as part of sign-off. Modifying system prompts / AGENTS.md and stopping the gateway are sensitive operations that change agent behavior and availability — these steps are within scope for a memory system but could be misused if applied automatically or without human review.
Install Mechanism
This is instruction-only with one included setup script (scripts/setup.sh). The skill recommends installing QMD via bun or npm and references curl install for bun (https://bun.sh/install) — both are common package install flows. There is no packaged install spec (no automated download/archive embedded in the skill). This is moderate-risk but expected for a local tooling bootstrapper; users should still inspect and vet the external install commands before running them.
Credentials
The skill requests no environment variables, no credentials, and no config paths. Templates and docs mention storing 'key' information in files, but the skill does not require or attempt to read external secrets. The lack of requested secrets is proportional to the stated purpose.
Persistence & Privilege
always:false and no special privileges are requested. However, the sign-off routine includes an (optional) gateway stop command and cron job instructions that invoke models autonomously. If the agent is allowed to act autonomously, these features could cause downtime or unexpected model calls; ensure the 'confirm with human' requirement is enforced in your agent policies before enabling autonomous execution.
Scan Findings in Context
[system-prompt-override] expected: The SKILL.md / references explicitly suggest adding guidance to AGENTS.md or the system prompt (e.g., for transcript handling). That is relevant to ensuring correct behavior for a memory system, but changing system prompts is sensitive because it can alter agent behavior globally. Treat suggested prompt edits as security-relevant configuration changes and review them manually.
What to consider before installing
What to check before installing or running this skill:
- Verify source and identity: the skill registry name is 'Inkwell' but the internal SKILL.md calls it 'mindkeeper'. Confirm you trust the author before running any scripts.
- Inspect and run the setup script in a safe environment first (non-production workspace). scripts/setup.sh is idempotent and creates files, but always review before execution.
- Be cautious with the recommended external installs: QMD via bun/npm and the bun installer (https://bun.sh/install). Only run those commands if you trust the upstream packages; prefer installing via your vetted package manager or reviewing package code.
- Do not automatically apply suggested AGENTS.md or system-prompt edits. The docs explicitly encourage adding prompt guidance; modifying system prompts can permanently change agent behavior — apply these edits only after manual review.
- Confirm the sign-off flow: the skill includes an optional 'openclaw gateway stop' step. Ensure any automation enforces an explicit human confirmation (do not let an agent autonomously stop gateways unless you accept that risk).
- Audit cron/cron-like jobs and model calls (they will incur model usage). Make sure schedules, channels and model selection match your cost and privacy constraints.
If you want higher assurance: ask the author for provenance (homepage, repo), or run the setup in an isolated test instance and monitor behavior before applying to your main agent workspace.references/transcripts.md:66
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.Like a lobster shell, security has layers — review code before you run it.
knowledge-managementvk974ny393apm1nxygc33bt90n984cdmvlatestvk974ny393apm1nxygc33bt90n984cdmvmemoryvk974ny393apm1nxygc33bt90n984cdmvparavk974ny393apm1nxygc33bt90n984cdmvqmdvk974ny393apm1nxygc33bt90n984cdmv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.