Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
SeekDB Memory Setup
v0.2.2为 OpenClaw 安装云端 m0 记忆插件。当用户提供 Access Key(以 ak_ 开头)或提到「配置云端记忆」「安装记忆插件」「setup memory」时使用此 skill。
⭐ 0· 64·0 current·0 all-time
byRongfeng Fu@frf12
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (installing m0 cloud memory for OpenClaw) align with the actual actions: validating service endpoints, creating an API key, running clawhub install, and writing the host CLI's JSON config. Requested binaries (curl, node) are plausible for the described flows (HTTP calls + atomic JSON write).
Instruction Scope
Instructions include filesystem inspection (scanning $HOME/.* for CLI config JSONs), performing network calls to the service endpoint, creating/updating the host CLI config file, and optionally writing a BOOT.md with notification channel/target. Those actions are necessary for installing/configuring a plugin but they require write access to the host CLI config and read access to dotfile configs; user confirmation is required in some branches. This scope is appropriate for a plugin installer but is intrusive relative to typical read-only helper skills.
Install Mechanism
The skill is instruction-only (no install spec). At runtime it may run 'npm i -g clawhub' if clawhub is missing, which installs a global npm package. No obscure or external download URLs are used in the instructions. Because installation happens at runtime via npm, users should be aware a global npm install may occur.
Credentials
The skill does not request unrelated environment variables or credentials. It asks for an Access Key (ak_...) only because the m0 service requires it, and the instructions include creating one via the service's API. No extra service tokens or secrets are demanded.
Persistence & Privilege
The skill writes to the host CLI's JSON config and triggers the host Gateway to restart (expected for plugin enabling). It does not request 'always: true' nor modify other skills' configurations. Because it modifies host configuration and relies on a restart, the user should accept that the installer will change persistent host state.
Assessment
This skill appears to do what it claims (install/configure the m0 cloud-memory plugin), but it is intrusive: it will scan dotfiles under $HOME to locate the host CLI config, perform network calls to the provided endpoint, may create an API key, run npm to install clawhub if missing, and atomically overwrite the host CLI's JSON config (causing the Gateway to restart). Before using it: 1) verify the {ENDPOINT} is a trusted service and not a malicious host; 2) back up the host CLI config file (e.g., copy {CLAW_CMD}.json) so you can restore it if needed; 3) be aware a global 'npm i -g clawhub' may be executed—audit or run it manually if you prefer; 4) confirm you trust the person/service that will receive BOOT.md notifications (channel/target); 5) if you want more assurance, ask the publisher for a homepage or source repo so you can inspect code and confirm the API semantics. If any of these are unacceptable or you lack trust in the endpoint, do not run the configuration steps that write the CLI config.Like a lobster shell, security has layers — review code before you run it.
latestvk973gyncqn02r51ggps200226n84g6at
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🧠 Clawdis
Binscurl, node