Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Engram Memory
v2.1.0Persistent semantic memory for AI agents. Store, search, recall, and forget memories across sessions using Qdrant + FastEmbed.
⭐ 0 · 136 · 0 current · 0 all-time
by engram@escapethefate1991
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description match the repository contents: code, scripts, and docs implement a local Qdrant + FastEmbed memory system plus an OpenClaw plugin that auto-recalls and auto-captures memories. Minor inconsistency: registry metadata lists the skill as instruction-only (no install spec), yet the package ships executables, Docker manifests, and server scripts, so it is not purely instruction-only.
Instruction Scope
SKILL.md instructs the agent or operator to run scripts/setup.sh and docker-compose to deploy Qdrant and a FastEmbed service, to add the plugin to openclaw.json, and to enable autoRecall and autoCapture. Those instructions legitimately serve the memory purpose, but the plugin's lifecycle hooks (before_agent_start and after_agent_response) mean that, once enabled, the skill reads conversation content and injects stored memories into agent context without any further prompting, which is privacy-sensitive behavior. The docs claim context queries are scoped to .context/, but the context tools also try to discover project roots and will read or index files under project directories when initialized, so the data they touch is wider than the docs suggest.
Install Mechanism
There is no formal install spec in the registry, yet SKILL.md and the scripts run a setup that uses docker-compose and pulls Docker images (notably engrammemory/fastembed:1.0.0). Pulling and running a container image from an unverified or unknown publisher is higher risk: whatever the image contains runs on your host with the container's privileges, and a mutable tag can be repointed at different content after you review it. The repo includes a Dockerfile for fastembed, so the image can be rebuilt locally, but the default docker-compose references the published image.
Credentials
The skill does not request environment variables or cloud credentials in registry metadata. Runtime configuration is local URLs (qdrantUrl, embeddingUrl) and optional model names. This matches the stated local/self‑hosted design. However several scripts and services read config files and may respect environment variables if present (e.g., EMBEDDING_URL / MODEL_NAME) — nothing appears to require unrelated cloud credentials.
Persistence & Privilege
always:false (good). The plugin is designed to integrate into the agent lifecycle and, when enabled, automatically recalls memories before responses and captures conversation content after responses. That autonomous storage is expected of a memory plugin but is privacy-sensitive; combined with a setup that pulls and runs third-party containers, it widens the blast radius if you have not audited the code or images.
Scan Findings in Context
[system-prompt-override] unexpected: A prompt-injection pattern was flagged in the SKILL.md pre-scan. The visible SKILL.md explains auto-injection of memories into agent context (which can modify the agent's input), so the detection may be a heuristic match — still worth manual review to ensure the skill does not include instructions to override system prompts or subvert agent controls.
What to consider before installing
What to check before installing or running this skill:
- Do not run the setup scripts or docker-compose in a sensitive production environment until you have audited them. The provided setup pulls the engrammemory/fastembed image from an external registry; if you want to avoid running an image you did not build, build it locally from the included docker/fastembed/Dockerfile and point docker-compose at your own build.
- Review scripts/setup.sh and docker-compose.yml to see exactly which containers and network ports will be created. Prefer an isolated VM or disposable machine for the first run.
- Inspect docker/fastembed/Dockerfile and the fastembed service code for unexpected network calls or telemetry. The README claims 'no phone‑home'; confirm that yourself by grepping the repo for outbound HTTP requests and external domains (e.g., engrammemory.ai) before trusting it.
- If you are concerned about privacy, disable autoCapture and autoRecall in the plugin config (set autoCapture=false and autoRecall=false) or limit them until you’re comfortable with behavior; check where conversation content is stored (Qdrant collection) and how retention/forgetting works.
- Audit mcp/server.py and any server scripts for open network bindings; if you expose an MCP server, bind to localhost or restrict access via firewall.
- If you lack the expertise to audit containers and Python/JS code, run the stack in an isolated environment (VM) and observe network egress (e.g., with a network monitor) to ensure nothing phones home.
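The static checks in the list above can be scripted so they are repeatable across skill versions. The script below is an added example written for this page; it is not part of the Engram Memory skill or of ClawHub's scanner. It assumes an unpacked skill directory using the file names the scan mentions (docker-compose.yml, mcp/server.py, openclaw.json, SKILL.md) and assumes a JSON layout for the plugin config (only the autoCapture/autoRecall key names come from the page). Run without arguments it builds a constructed sample tree, with one planted finding per check, and audits that. It is static only; watching egress from an isolated VM remains the test of what the containers actually do.

```shell
#!/bin/sh
# Added pre-install audit helper for an unpacked OpenClaw skill directory.
# Not part of the Engram Memory skill or ClawHub. File names are the ones
# the scan names; the sample tree below is constructed for demonstration.

pulled_images() {
    # image: references in docker-compose.yml. Each is pulled from a registry
    # on `docker compose up` unless you rebuild it from a local build: context.
    grep -E '^[[:space:]]*image:' "$1/docker-compose.yml" \
        | sed -E 's/^[[:space:]]*image:[[:space:]]*//'
}

external_hosts() {
    # Hostnames of http(s) URLs anywhere in the tree, minus loopback and
    # wildcard addresses. A self-hosted "no phone-home" stack should be empty.
    grep -rhoE 'https?://[A-Za-z0-9.-]+' "$1" \
        | sed -E 's#^https?://##' \
        | grep -vE '^(localhost|127\.0\.0\.1|0\.0\.0\.0)$' \
        | sort -u
}

wide_binds() {
    # Code or manifests that listen on every interface instead of loopback.
    grep -rn '0\.0\.0\.0' "$1"
}

auto_flags() {
    # autoCapture / autoRecall enabled in the plugin config (JSON layout assumed).
    grep -oE '"auto(Capture|Recall)"[[:space:]]*:[[:space:]]*true' "$1/openclaw.json"
}

prompt_override_hints() {
    # Crude check behind the [system-prompt-override] finding: phrases in
    # SKILL.md that tell the agent to drop or replace its system prompt.
    grep -inE 'ignore (all |any )?(previous|prior) instructions|(override|replace) [^.]*system prompt' "$1/SKILL.md"
}

report() {
    # Print a section header and the check's output, or "(none)".
    out=$("$2" "$1" || true)
    echo "== $3"
    if [ -n "$out" ]; then printf '%s\n' "$out"; else echo "   (none)"; fi
}

run_audit() {
    report "$1" pulled_images         "images pulled by docker-compose"
    report "$1" external_hosts        "external hosts referenced in code and docs"
    report "$1" wide_binds            "listeners bound to all interfaces"
    report "$1" auto_flags            "autoCapture / autoRecall enabled in openclaw.json"
    report "$1" prompt_override_hints "system-prompt override phrases in SKILL.md"
}

make_sample_tree() {
    # Constructed stand-in for an unpacked skill, one planted finding per check.
    mkdir -p "$1/mcp" "$1/docker/fastembed"
    cat > "$1/docker-compose.yml" <<'EOF'
services:
  qdrant:
    image: qdrant/qdrant:latest
  fastembed:
    image: engrammemory/fastembed:1.0.0
    build: ./docker/fastembed
EOF
    cat > "$1/mcp/server.py" <<'EOF'
import requests, uvicorn
from app import app
def report_usage(payload):
    requests.post("https://engrammemory.ai/telemetry", json=payload)
uvicorn.run(app, host="0.0.0.0", port=8765)
EOF
    cat > "$1/openclaw.json" <<'EOF'
{"plugins": {"engram-memory": {"qdrantUrl": "http://localhost:6333",
  "embeddingUrl": "http://localhost:8080",
  "autoCapture": true, "autoRecall": true}}}
EOF
    cat > "$1/SKILL.md" <<'EOF'
# Engram Memory
Run scripts/setup.sh, then add the plugin to openclaw.json.
Stored memories are injected into the agent context before each response.
EOF
}

# Stand-alone run: audit the directory given as $1, or the sample tree.
if [ $# -gt 0 ]; then
    run_audit "$1"
else
    demo=$(mktemp -d); make_sample_tree "$demo"; run_audit "$demo"; rm -rf "$demo"
fi
```

Usage: `sh audit-skill.sh /path/to/unpacked/skill`. The 0.0.0.0 grep is a coarse proxy; a compose `ports:` mapping such as "8080:8080" also publishes on all host interfaces by default, so read the ports: stanzas as well, and treat any hostname the external_hosts check prints as something the README's 'no phone-home' claim has to account for.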
Taken together: the functionality matches the stated purpose, but because the skill will pull and run third‑party containers and can automatically persist conversation content into a local store, treat it as potentially risky until you've inspected or rebuilt the images and confirmed no unexpected external communications.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97fcxgz58brh947r3v3dy0cg183wscq
