ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Memory Hub

v1.0.0

Multi-agent shared memory protocol. Syncs a shared GitHub repo containing USER.md (owner preferences/habits), KNOWLEDGE.md (common knowledge), RULES.md (univ...

0· 33·0 current·0 all-time
by@dr23334444
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to sync a shared GitHub repo of USER.md/KNOWLEDGE.md/RULES.md/TOOLS.md and the included install script implements cloning, pulling, committing and pushing those files — this aligns with the stated purpose. However the SKILL.md and the script use different directory names/locations (SKILL.md refers to ~/.openclaw/shared-memory and to a skills path ~/.openclaw/skills/shared-memory/scripts/install.sh, while the script uses ~/.openclaw/memory-hub and is present at scripts/install.sh). The mismatch in naming/paths is an inconsistency that could cause confusion or mis-installation.
!
Instruction Scope
The runtime instructions (SKILL.md) and the install script request git pulls/pushes, reading and writing of several files under ~/.openclaw, and optionally edit AGENTS.md to add a startup instruction. Editing AGENTS.md is a system-level change (even though the script prompts for confirmation). The SKILL.md also describes '静默' periodic syncs and automatic 'heartbeat' triggers but the provided script does not install any daemon/cron; that leaves the mechanism for silent sync ambiguous and grants the agent broad discretion. The instructions require reading repository files into the agent context (expected) but will cause content to be committed and pushed to the remote repo when writing, which can transmit local content to the remote.
Install Mechanism
This is instruction-only with a bundled shell install script; there is no external download or archive extraction. The script uses only local git and python3 commands and writes files under the user's home. No high-risk install mechanism (no remote binary download) is present. Still, the registry metadata declared no required binaries but the script clearly depends on git and python3 (and git auth setup).
!
Credentials
The skill declares no required environment variables or primary credential, yet performs git clone/push operations which will rely on the user's Git credentials or configured auth tokens. The manifest did not declare required binaries (git, python3) even though they are needed. The lack of explicit credential requirements is not necessarily malicious, but means users should be careful: pushing to a remote repo will use whatever git credential state exists (SSH key, credential helper, or cached username/password), potentially exposing content to the repo owner.
!
Persistence & Privilege
always is false (good), but the install script can modify AGENTS.md (a workspace/startup file for agents). Although the script asks for user confirmation before writing to AGENTS.md, the modification is a system-level change beyond the skill's own config files. The skill will also perform git commits and pushes to the configured repo, giving it the ability to transmit repository and initialization files to the remote. There's no install-time persistence beyond files created under ~/.openclaw/memory-hub and workspace cache, but modifying AGENTS.md and automatic 'silent sync' behavior (as documented) increases its operational footprint.
What to consider before installing
Key things to consider before installing: - Trust the repo: the install script will clone and may push to the repo URL you provide. Only use a repo you control and trust; prefer a private repo. If an attacker controls the repo, they can receive whatever this skill pushes. - Backup AGENTS.md: the installer can modify your AGENTS.md startup instructions. Back up that file before allowing the script to auto-edit, or choose 'n' at the prompt and add the instruction manually. - Verify paths: SKILL.md and the script use different paths/names (shared-memory vs memory-hub). Confirm where files will be written (~/.openclaw/memory-hub by the script) and that this matches your expectations. - Ensure git/python3 available: the registry did not declare required binaries, but the script requires git and python3. Confirm your environment has them and that your git auth is configured the way you intend (SSH key vs credential helper vs token). - Review push behavior: the script commits initialized files and attempts to push. If you want read-only syncing, consider using a repo access method that prevents pushes (or review and edit the script to remove automatic pushes). - Clarify automatic syncs: SKILL.md mentions silent periodic syncs triggered by 'heartbeat' but the script does not install a daemon. Ask the author how periodic syncs run and whether those operations will be visible to you. - Author/source verification: the skill's source is unknown. If possible, request the skill author to resolve the path/name inconsistencies and to document required binaries and exact behavior for automatic syncing and AGENTS.md edits. If you proceed, run the install script interactively, deny automatic AGENTS.md edits until you've inspected the change, and inspect the created config.json and cache files. If anything seems unexpected, remove the ~/.openclaw/memory-hub and workspace files and revert AGENTS.md from your backup.

Like a lobster shell, security has layers — review code before you run it.

latestvk975596s1b6rzwqx961gc987kh840dp2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments