ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

hippocampus

v1.0.3

Photon: AI-enhanced memory system that FIXES human memory flaws. NO DECAY - AI never forgets. Features: tool success tracking, project checkpoints, failure p...

1· 186·0 current·0 all-time
by@gabe-luv-nancy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the included files: a local memory system implemented in scripts/memory.py. Asking users to run python3 scripts/memory.py init/status is consistent with the purpose. However, skill.yaml grants 'exec' permission and README examples show micro→macro workflows that mention running system commands (git push, tests, notify via Slack) and cron entries that execute the script — these increase capability beyond passive memory storage and should be expected only if the skill legitimately needs to execute user workflows.
!
Instruction Scope
The SKILL.md and README instruct the agent/user to initialize and run the included Python script and to configure cron jobs that will run it periodically. The USER_CONFIG and code indicate the skill can scan filesystem paths (FILE_SCAN_PATHS default ./workspace, and that list is user-editable) and auto-save session contents. Proactive triggers/heartbeat will read recent user messages to decide which memories to load. These behaviors are coherent with a memory system but do grant the skill access to local files and ongoing message streams; if the skill executes workflows or shell commands (unclear from truncated code), it could run arbitrary actions. The instructions also allow reloading config automatically after edits — giving the skill runtime control over behavior.
Install Mechanism
There is no install spec — the package is instruction + script based and asks the user to run the Python script manually. That is lower risk than downloading and running remote binaries. The user must run init/status and optionally add cron jobs themselves; nothing is remotely fetched during install.
Credentials
No environment variables or external credentials are requested by the metadata. That is proportionate. However, the skill.yaml requests generic permissions (read, write, exec) and the code is capable of scanning configured filesystem paths and storing indexed memories. The combination of exec permission + examples that run system commands means the skill may be able to execute actions outside mere data storage if the code implements that; verify whether workflows are purely stored metadata or are executed.
Persistence & Privilege
always:false (no forced permanent inclusion). The README encourages adding cron jobs (persistence scheduled by user). That is user-driven rather than automatic. The skill does not declare it will modify other skills or system-wide agent settings, but it does ask to run periodic jobs and has exec permission — review cron setup and make sure it's only added intentionally and pointed to an isolated path.
Scan Findings in Context
[no_regex_findings] expected: Static pre-scan reported no injection signals. Absence of regex matches is not sufficient to conclude safety — the Python script and config behavior must be reviewed manually for command execution and filesystem access.
What to consider before installing
Before installing or enabling this skill, consider these checks: 1) Inspect scripts/memory.py fully (search specifically for os.system, subprocess, eval, exec, or other code that runs shell commands). If micro→macro workflows are implemented as executable actions, they can run arbitrary commands. 2) Run init and status in an isolated test environment (not your primary workspace) to see what files/directories are created and what network or system actions occur. 3) Review and restrict USER_CONFIG.md FILE_SCAN_PATHS to directories you are comfortable indexing (do not point to / or your home directory) and set FILE_EXCLUDE_PATHS to protect sensitive folders. 4) Do not add the recommended cron jobs until you confirm the script's behavior; if you add them, point them to an isolated environment. 5) If you want stricter safety, disable AUTO_SAVE, PROACTIVE_TRIGGERS, and READINGBETWEENTHELINES before running. 6) If you cannot audit the code or find evidence that workflows execute shell commands, treat the skill as potentially executing actions and limit its filesystem scope and scheduling. If you want, provide the remainder of scripts/memory.py (truncated here) and I can check for command execution and network calls specifically.

Like a lobster shell, security has layers — review code before you run it.

Photonvk97ft9rfatabg8fwaa91crw7k1833nzzlatestvk972c6m8p0vgwvhr1j095hn7y583jm1c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments