Memory Sync CN
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: memory-sync-cn Version: 1.0.0 The skill bundle is designed for memory synchronization with a local CortexGraph system. All operations, including file access (e.g., `MEMORY.md`, `daily.md`) and tool calls (`mcporter call cortexgraph.*`), are confined to the expected OpenClaw workspace and local binaries. There is no evidence of data exfiltration, unauthorized network activity, persistence mechanisms, obfuscation, or prompt injection attempts against the agent. Input sanitization (escaping quotes) is used when passing content to `mcporter` commands. The functionality aligns with the stated purpose of an AI memory management system.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
API keys or account details stored in MEMORY.md could be copied into a searchable memory database and later surfaced to an agent or user unintentionally.
The script is designed to import every non-empty MEMORY.md section, including sections labeled as API keys and account information, into CortexGraph.
SECTION_TAGS["宏斌的 API Keys"]="api-keys" SECTION_TAGS["Moltbook 账号"]="moltbook" ... mcporter call cortexgraph.save_memory ... content="$section_escaped: $content_escaped"
Do not store secrets in MEMORY.md before using this skill, or modify the script to skip/redact API key, token, password, and account sections.
Private daily notes, mistaken entries, or adversarial text in logs can become persistent searchable memory and may influence future agent behavior.
The daily-log sync reads the whole daily memory file and persists it to CortexGraph without filtering, exclusions, or retention controls shown in the artifacts.
CONTENT=$(cat "$DAILY_FILE") ... mcporter call cortexgraph.save_memory ... content="[$DATE] $CONTENT_ESCAPED" ... source="memory/$DATE.md"
Use dry-run first, keep daily logs free of secrets and instructions from untrusted sources, and add allowlists/exclusion rules before syncing.
Running maintenance commands without review could remove or alter stored memories.
The documented maintenance commands can delete or merge memory entries. They are disclosed and purpose-aligned, but they mutate persistent memory.
mcporter call cortexgraph.gc mcporter call cortexgraph.consolidate_memories auto_detect=true mode=apply
Prefer dry-run or preview modes first, back up CortexGraph storage, and only run apply/GC commands when you are comfortable with the changes.
Installing unpinned external tools means behavior can depend on the current package versions and their supply-chain integrity.
The skill depends on external global packages from package managers, with no pinned versions or lockfile shown. This is expected for the tool integration but still affects provenance.
uv tool install cortexgraph npm install -g mcporter
Install from trusted sources, consider pinning package versions, and review cortexgraph/mcporter before syncing sensitive memories.