Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AgentRecall

v3.3.17-1

Persistent compounding memory for AI agents. 6 MCP tools: session_start, remember, recall, session_end, check, digest. Auto-naming, feedback loop, correction...

by Memijashi@goldentrii
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases · Requires OAuth token · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description align with the included code and tools: it implements local persistent memory (journals, palace rooms, awareness, digests) and provides MCP tools (session_start, remember, recall, session_end, check, digest). The presence of a large Node codebase (SDK, MCP server, CLI, benchmarks) is coherent with the described capability. However, the registry metadata claimed 'No install spec / instruction-only' while SKILL.md contains an install block (npx agent-recall-mcp) and the package includes full source — this mismatch is unexpected and worth noting.
Instruction Scope
SKILL.md instructs actions beyond the declared scope: it tells humans/agents to read git diffs, write command snippets into other tools' config locations (e.g., ~/.claude/commands, .vscode/mcp.json, ~/.codeium/windsurf/mcp_config.json, ~/.hermes/config.yaml), and to scan project directories and capture logs. Those actions touch files and dotfiles outside the stated read-write area (~/.agent-recall/) and require broader filesystem access than declared. The instructions also include curl commands to download scripts from raw GitHub URLs.
Install Mechanism
SKILL.md and README show install flows that fetch code from the network (npx -y agent-recall-mcp, curl raw.githubusercontent.com). Yet the skill's embedded 'security' block claims network: none and telemetry: none. The real install uses npm (npx) and GitHub raw URLs — moderate-to-high risk relative to the claimed 'no-network' posture. npm packages are common and traceable, but the contradictory declaration is a red flag. Also the shipping of a full node project with package-lock.json suggests code will run locally; inspect package.json and any postinstall scripts before running.
Credentials
The skill does not request cloud credentials or environment variables, which is appropriate for a local-first memory tool. The codebase reads common env values like HOME and supports configuring a root path (AGENT_RECALL_ROOT), which is reasonable. However, the mismatch between declared filesystem constraints (~/.agent-recall only) and instructions to write/read other agent config files is disproportionate and should be reconciled.
Persistence & Privilege
always:false (good), and model invocation is allowed (normal). But the runtime instructions and README propose writing to other agents' config locations (~/.claude/commands, .vscode, ~/.hermes, etc.) and adding CLI command files — this implies modifying other tool configurations and user dotfiles, which is a significant privilege and should be an explicit, deliberate user action. The skill does not declare this filesystem scope up front.
Scan Findings in Context
[system-prompt-override] unexpected: A pre-scan flagged prompt-injection / system-prompt-override patterns in SKILL.md. The SKILL.md contains many agent-facing instructions; this may be a false positive, but it's worth reviewing SKILL.md for any text that attempts to override agent/system prompts or provide privileged instructions to the host agent.
What to consider before installing
Plain-language checklist before installing or enabling this skill:
1) Resolve the contradictions: SKILL.md claims 'no network' and 'read-write ~/.agent-recall only' but the install and usage instructions require network access (npx, curl) and write to other dotfiles (e.g., ~/.claude/commands, .vscode settings). Treat those claims as inaccurate until verified.
2) Inspect the package you will install: check the npm packages (agent-recall-mcp, agent-recall-sdk, agent-recall-cli) and the GitHub repo mentioned in the README. Look at package.json for postinstall scripts, network calls, and any code that spawns child processes or contacts external endpoints.
3) Don't run curl/npx commands as-is on your main system. Run installs in a disposable container or VM first, or review the fetched code before executing. Prefer to clone the repo and read scripts locally before running.
4) Back up any dotfiles before following the README's install steps that write to ~/.claude/, ~/.vscode/, ~/.hermes/, etc. The skill's recommended edits to other agents' config are powerful and should be done only with explicit consent.
5) Verify local-only behavior: if you need strictly offline/no-network memory, confirm by auditing runtime code paths that no telemetry or network calls exist at runtime (search for fetch/http/axios/request, sockets, child_process.exec that performs curl/npx, and any remote URLs in the source).
6) Review tests/benchmarks and sample data: the repository includes benchmark scripts that will read HOME and write to ~/.agent-recall-benchmark. Verify where data is written and whether any sensitive files are referenced.
7) If unsure, ask the maintainer or consult the public npm/GitHub pages for community reviews. The package lists the MIT license and appears to be an open source project, but the registry metadata inconsistencies justify extra caution.
Static analysis findings:
packages/cli/README.md:560 (Prompt-injection style instruction pattern detected)
packages/core/README.md:560 (Prompt-injection style instruction pattern detected)
packages/mcp-server/README.md:560 (Prompt-injection style instruction pattern detected)
packages/sdk/README.md:560 (Prompt-injection style instruction pattern detected)
README.md:580 (Prompt-injection style instruction pattern detected)
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.


