ClawHub

Noverload - Knowledge Memory

v1.0.0

Give your agent a searchable knowledge brain - semantic search, topic synthesis, and action tracking across your saved YouTube videos, articles, Reddit threads, X posts, and PDFs

1· 1.9k·0 current·0 all-time
by@drewautomates
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name/description (personal knowledge memory, search, summaries) aligns with what the SKILL.md describes. The token-based access to a user's Noverload account is appropriate for this purpose. However, the registry metadata declares no required env vars or primary credential even though SKILL.md clearly requires an NOVERLOAD_TOKEN; that mismatch should be corrected.
Instruction Scope
SKILL.md instructs the agent to spawn an MCP helper via `npx -y noverload-mcp@latest` and to provide NOVERLOAD_TOKEN (via config). The instructions stay within the stated purpose (searching/saving your saved content), but they also describe optional write capabilities (readOnly: false) that allow the agent to save URLs, add tags, and complete action items in your external account — those are powerful actions and the user must explicitly enable them. The instructions do not ask the agent to read unrelated system files, but they do require placing a token in ~/.openclaw/openclaw.json or an env var.
!
Install Mechanism
There is no packaged install spec in the registry, but the skill's runtime instructs the agent to run `npx -y noverload-mcp@latest`. That will fetch and execute code from the public npm registry at runtime. Using `@latest` and `-y` means the agent will run the most recent package without an explicit pinned version or local review — this is moderate risk because arbitrary code will be downloaded and executed on demand. Prefer a pinned, reviewed release or an explicit install path.
!
Credentials
The skill needs a personal access token (NOVERLOAD_TOKEN) to access the user's Noverload account, which is proportionate to the described capability. But the skill metadata did not declare this required env var or a primary credential — that's an inconsistency. Also note that turning off read-only mode gives the agent write permissions to your external account, which is justified by the feature but should be enabled deliberately and with least privilege.
Persistence & Privilege
The skill is not always-enabled (always: false) and can be invoked by the user or autonomously by the agent (normal). It does not request persistent modifications to other skills or system-wide settings. The only notable privilege is the optional ability to let the agent write to your Noverload account (via readOnly:false) — that is a feature, not a hidden escalation, but it should be enabled knowingly.
What to consider before installing
This skill appears to do what it says (connect your OpenClaw agent to your Noverload account), but there are a few things to check before installing: - The SKILL.md requires a NOVERLOAD_TOKEN but the registry metadata doesn't list it — expect to provide that token in ~/.openclaw/openclaw.json or as an env var. Confirm token scope and be prepared to revoke it if needed. - The skill runs `npx -y noverload-mcp@latest` at runtime, which downloads and executes the latest package from npm. That is convenient but runs remote code without a pinned version. If you care about supply-chain risk, ask the publisher to pin a specific version or provide a vetted package, or inspect the noverload-mcp package source before allowing the skill to run. - By default the skill is read-only; only enable readOnly:false if you trust the agent's automated actions (it will be able to save URLs, add tags, and mark tasks in your Noverload account). - Confirm the privacy claims with the vendor (where data is processed and what metadata is sent). If you want extra caution, create a limited-scope token or test with a sandbox account first. Given the metadata omission and the runtime fetch-and-execute behavior, proceed only after verifying the token requirement and the npm package/version you will allow the agent to run.

Like a lobster shell, security has layers — review code before you run it.

bookmarkvk97bmf6w7k5dcc1y5rg33f37yx80bwhtknowledgevk97bmf6w7k5dcc1y5rg33f37yx80bwhtlatestvk97bmf6w7k5dcc1y5rg33f37yx80bwhtlearningvk97bmf6w7k5dcc1y5rg33f37yx80bwhtmcpvk97bmf6w7k5dcc1y5rg33f37yx80bwhtmemoryvk97bmf6w7k5dcc1y5rg33f37yx80bwhtproductivityvk97bmf6w7k5dcc1y5rg33f37yx80bwhtsearchvk97bmf6w7k5dcc1y5rg33f37yx80bwht

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments