Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Quantum Memory Graph
v0.4.0Quantum-optimized memory retrieval for AI agents. Use when building agent memory systems, replacing Mem0/LangChain memory, or needing relationship-aware reca...
⭐ 0· 53·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (relationship-aware, QAOA-backed memory graph) matches the SKILL.md usage examples and deployment guidance. However, the skill's claims (quantum hardware use, benchmark numbers) cannot be verified from the instruction-only package and the registry metadata lists no publisher or homepage. Examples also reference migrating from databases and running as a shared API server, which are plausible for a memory system but raise privacy/usage implications not discussed in the description.
Instruction Scope
SKILL.md instructs the user to pip-install an external package and shows examples that: connect to PostgreSQL for migration (psycopg2 example), run a shared API server that explicitly states 'Shared server: One instance serves all agents', and use an IBM quantum token for real hardware runs. The instructions therefore encourage operations that access external systems and shared state (databases, shared API, hardware tokens). The file does not instruct the agent itself to read arbitrary host files, but it does direct the user to perform actions that could expose or centralize sensitive data, and it references an env var (IBM_QUANTUM_TOKEN) that is not declared in the skill metadata.
Install Mechanism
There is no install spec in the registry (instruction-only), but SKILL.md tells users to 'pip install quantum-memory-graph' and to use optional extras ([api], [ibm]). Recommending a PyPI package is normal for Python libraries, but it means arbitrary code will be downloaded and executed when installed; without a homepage or publisher info, the package source and trustworthiness are unknown. This is expected for this kind of skill but increases risk compared with an auditable builtin.
Credentials
Registry metadata lists no required environment variables, yet the instructions reference IBM_QUANTUM_TOKEN for running on IBM quantum hardware. That env var is optional for hardware runs but is not declared, which is an inconsistency. The examples also show connecting to external databases (postgres connection string) and recommending shared servers, which imply needing credentials for other services even though none are declared. The skill requests or implies access to credentials that are not explicitly listed in the metadata.
Persistence & Privilege
Flags are default (always: false, agent invocation allowed). The skill does recommend a persistent shared API server and notes that the graph 'saves to disk automatically', but the skill itself does not request force-inclusion or system-level modifications in the registry metadata.
What to consider before installing
This skill is instruction-only and points you to install an external PyPI package (quantum-memory-graph) and to optionally use IBM quantum hardware and a shared API server. Before installing or deploying: 1) Inspect the actual PyPI package source (or the project's repo) to verify what code will run, which endpoints it contacts, and how it persists data. 2) Don’t run the package or shared server on systems containing private data until you confirm isolation and authorization controls—shared servers explicitly make different agents' memories available to each other. 3) Treat IBM_QUANTUM_TOKEN and any database credentials as sensitive; the metadata didn’t declare them even though the docs reference them. 4) Validate benchmarking claims and model/extra dependencies (large models require substantial RAM/GPU). If you can’t review the package source, run it in an isolated environment (container or dedicated VM) and avoid migrating sensitive production data there.Like a lobster shell, security has layers — review code before you run it.
agentsvk976p7jzah8rqqwe674t75exm984fdb6knowledge-graphvk976p7jzah8rqqwe674t75exm984fdb6latestvk976p7jzah8rqqwe674t75exm984fdb6memoryvk976p7jzah8rqqwe674t75exm984fdb6quantumvk976p7jzah8rqqwe674t75exm984fdb6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.