ClawHub

Shodh Local

v1.0.1

Local offline cognitive memory for AI agents providing semantic recall, GTD todos/projects, and a knowledge graph with Hebbian learning and a TUI dashboard.

1· 1.8k·2 current·2 all-time
by@doobidoo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md clearly describes a local server binary (./shodh-memory-server), a data directory (./shodh-data), an X-API-Key, and a process management session (amber-seaslug). However the registry metadata lists no required binaries, env vars, or config paths. That inconsistency means the declared manifest does not match the actual runtime expectations.
Instruction Scope
Runtime instructions are focused on running and interacting with a local memory server (endpoints on localhost:3030) and are consistent with a local-first memory skill. They do ask the agent to manage the server process (e.g., `process kill amber-seaslug` + restart) and to 'recall recent context before reply'. Those process-management steps reference a 'process' tool/session that isn't described in the metadata, which expands the agent's actions beyond simple HTTP calls but does not by itself indicate exfiltration or remote endpoints.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk. Nothing in the manifest attempts to download or install remote code. The SKILL.md assumes a preinstalled binary, which is fine, but that binary is not declared in the metadata.
!
Credentials
The examples and TOOLS.md reference an API key (X-API-Key) and show usage via a KEY environment variable, but the skill declares no required environment variables and no primary credential. The single credential (local API key) would be proportionate to the stated purpose, but the omission from the manifest is an inconsistency the user should resolve before trusting the skill.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It does instruct process management (killing/restarting a local session) which may require system-level access depending on how the agent executes tools; the manifest does not declare or justify such privileges. Autonomous invocation is allowed (default) but not on its own a red flag.
What to consider before installing
This skill appears to be a local memory/server integration, but the published metadata omits required pieces the SKILL.md expects. Before installing: (1) confirm where ./shodh-memory-server comes from and that you trust that binary (inspect its origin or source code); (2) ensure you understand and control the suggested X-API-Key (keep it local and do not reuse other service credentials); (3) ask the skill author to update the manifest to declare required binaries, environment variables, and any tools (e.g., the 'process' tool) so you can review privileges; (4) verify the agent will only talk to localhost:3030 and not a remote host or reverse proxy; and (5) avoid running any untrusted binaries or giving the agent system-level process control until the above are clarified.

Like a lobster shell, security has layers — review code before you run it.

latestvk975z4mm8yhm8hm4bzpn60ctqd80dc6c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments