Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Awareness Cloud Memory
v1.0.2
Persistent cloud memory across sessions. Automatically recalls past decisions, code, and tasks before each request, and saves summaries after each session. A...
by Everest An (@everest-an)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description (cloud memory) align with the code and declared requirements: node plus AWARENESS_API_KEY and AWARENESS_MEMORY_ID are exactly what the scripts use to call the remote memory API. The provided CLI scripts implement search, record, lookup, init, and setup as expected.
Instruction Scope
The automatic before-prompt hook (scripts/recall.js) sends the full user prompt to the remote /memories/<id>/retrieve endpoint to compute recall; the after-response hook (scripts/capture.js) POSTs session checkpoints to /mcp/events. Those automatic network transmissions are not obvious from the short description and mean your prompts (and some session metadata) are sent to an external service for every invocation. The setup script also instructs writing AWARENESS_API_KEY and AWARENESS_MEMORY_ID into shell profiles and saving credentials to ~/.awareness, which persists secrets to disk and to user shell startup files.
Install Mechanism
There is no external install/download; the skill is distributed as Node scripts only. No remote code is fetched or executed during install. setup.js and other scripts perform standard HTTP requests to the awareness.market API — not an unusual install mechanism, but it does contact an external host during setup and runtime.
Credentials
The skill requests exactly two environment variables (AWARENESS_API_KEY, AWARENESS_MEMORY_ID) which are necessary for its purpose. However, the setup flow also writes those credentials to ~/.awareness/credentials.json and attempts to append export lines to shell profile files (~/.zshrc, ~/.bashrc, etc.), which escalates persistence of secrets beyond ephemeral process environment. The scripts also read config from ~/.openclaw/openclaw.json and may probe a local daemon at the configured localUrl.
Persistence & Privilege
The skill is not marked always:true, but it establishes persistent presence in two ways: (1) it can write long-lived credentials to ~/.awareness/credentials.json and append env exports to shell profiles, and (2) it registers automatic hooks that will run before/after prompts. Writing to shell profiles and creating credential files affects the entire user environment and is more intrusive than keeping state only within the agent's own config.
What to consider before installing
This skill does what it says (persistent cloud memory) but it will: (a) send each prompt you submit to an external API (awareness.market or a configured endpoint/local daemon) to compute memory recall, (b) save checkpoints and any manual records to the remote memory, and (c) optionally write credentials to disk (~/.awareness/credentials.json) and append export lines to your shell profile so the credentials persist. Before installing, consider:
1) Do you want your prompts and session metadata sent to an external service?
2) Prefer manual setup: run setup.js with caution and inspect its behavior, or set AWARENESS_API_KEY and AWARENESS_MEMORY_ID yourself instead of letting the script modify your shell files.
3) Inspect ~/.awareness and any appended profile lines if you run setup; remove them if you later uninstall.
4) If the memory service is unfamiliar, verify the service's privacy/security posture or use a separate account/memory for non-sensitive work.
5) If you run a local awareness daemon (the skill probes localhost:37800), be aware the script may prefer that and bypass remote API keys — ensure any local service is trusted.
If you want to proceed, review the scripts (setup.js, recall.js, capture.js) and the target API domain before granting credentials.
scripts/setup.js:61
Shell command execution detected (child_process).
scripts/shared.js:15
Environment variable access combined with network send.
scripts/shared.js:32
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🧠 Clawdis
OS: macOS · Linux · Windows
Bins: node
Env: AWARENESS_API_KEY, AWARENESS_MEMORY_ID
Primary env: AWARENESS_API_KEY
