Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Memory Pro System

v0.0.7

Enhanced AI memory system — vector store, document-level MSA, knowledge graph, collision engine, executable skills, and closed-loop skill evolution.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to be a memory/knowledge system (vectors, KG, skill proposer). That purpose would legitimately need an LLM key and local code to run — but the registry metadata declared no required env vars or install steps, while SKILL.md/setup.md explicitly require Python + cloning and pip-installing an external repo and LLM API keys. The metadata and declared requirements are inconsistent with the instructions.
!
Instruction Scope
setup.md instructs cloning a GitHub repo into ~/.openclaw/workspace and pip installing it, configuring OPENROUTER_API_KEY/XAI_API_KEY or reading OpenClaw auth-profiles.json, and enabling scheduled tasks/Telegram channels. The instructions explicitly reference OpenClaw config files (auth-profiles.json, openclaw.json) and writing daily log files and post-remember hooks — actions that read and modify environment/config outside the skill's declared scope.
!
Install Mechanism
There is no built-in install spec in the registry; setup.md directs the user to git clone https://github.com/FluffyAIcode/openclaw-memory-pro-system and run pip install -e ., which will execute arbitrary Python package code from that repository. The GitHub repo is not pinned to a commit or release and there are no checksums — downloading and installing unpinned code is a moderate-to-high risk.
!
Credentials
The skill text expects LLM API keys (OPENROUTER_API_KEY or XAI_API_KEY) and will auto-detect keys in OpenClaw's auth-profiles.json. The registry metadata lists no required env vars or config paths; reading auth-profiles.json would access other OpenClaw credentials and is disproportionate to what the registry declared. The skill also suggests configuring Telegram via openclaw.json, which may expose channel tokens.
!
Persistence & Privilege
The system clones into the user's OpenClaw workspace (~/.openclaw/workspace), writes daily logs, can run scheduled jobs, and the architecture describes auto-generating draft skills with executable bindings (prompt_template/tool_call/webhook). That capability to create executable skills/webhooks and schedule periodic tasks increases privilege and persistence and could enable execution of new behaviors without close review.
Scan Findings in Context
[scanner:none] unexpected: The regex scanner found no code files to analyze (this is an instruction-only package). That absence is not evidence of safety: setup.md instructs fetching and installing code from an external GitHub repo which the scanner did not fetch or inspect.
What to consider before installing
This skill is not outright malicious, but several red flags mean you should proceed cautiously. Before installing or running it:
1) Review the remote GitHub repository (FluffyAIcode/openclaw-memory-pro-system) — inspect setup.py/pyproject.toml and all source files for unexpected network calls, credential harvesting, or shell execs.
2) Avoid installing directly into your primary environment — run the install in an isolated VM or container.
3) Do NOT point it at your production OpenClaw auth-profiles.json or reuse sensitive API keys; create limited-scope/test LLM keys and separate Telegram/test channels.
4) Prefer a pinned commit or official release with checksums rather than cloning an unpinned repo.
5) Audit and control scheduled tasks and any auto-generated skills/webhooks; disable automatic skill activation until you’ve reviewed what it proposes.
6) If you lack capacity to audit the repo, treat this as untrusted code and avoid installing it.

Like a lobster shell, security has layers — review code before you run it.

Tags: ai, knowledge-graph, latest, memory, second-brain, skills

Runtime requirements

🧬 Clawdis
Any bin: python3
