Back to skill
Skillv1.0.3
ClawScan security
Coral Memory (Deprecated) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousMar 12, 2026, 7:12 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is a deprecated placeholder pointing users to another package, but its declared runtime requirements (CORAL_API_KEY, curl, python3) do not appear in the provided instructions, creating a mismatch that deserves caution.
- Guidance
- This skill is deprecated and simply points to persistent-agent-memory. Its metadata declares an API key and binaries but the README contains no code or instructions that use them — likely stale metadata. You don't need to install this skill; instead install the recommended persistent-agent-memory. If you consider installing anyway, verify why CORAL_API_KEY would be required (check the replacement skill's docs), and only provide that key if you trust coralbricks.ai and understand what data the service will store and transmit.
Review Dimensions
- Purpose & Capability
- noteName/description claim a memory service; requesting a single CORAL_API_KEY and common tools (curl, python3) is plausible for a remote memory API. However, the SKILL.md contains only a deprecation notice and no runtime usage or examples that would justify those requirements, so the declared requirements are unexplained.
- Instruction Scope
- concernThe SKILL.md provides only a deprecation message and a pointer to install persistent-agent-memory. It does not include any runtime instructions that use CORAL_API_KEY, curl, or python3. That gap means the declared instruction surface and the declared requirements are inconsistent.
- Install Mechanism
- okThere is no install spec and no code files; this instruction-only skill makes no filesystem or network installs itself, which is low risk.
- Credentials
- noteRequesting one service-specific API key (CORAL_API_KEY) is proportionate for a memory service. But because the SKILL.md does not show any usage that needs that key, the request is unexplained — either the metadata is stale or the skill would use the credential when invoked elsewhere.
- Persistence & Privilege
- okThe skill does not request always:true and has no install actions that would grant persistent system privileges; autonomous invocation is allowed by default but not combined with other red flags here.