Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Raven Memory
v1.0.1
Persistent causal memory for AI agents. Raven records everything your agent does as a causally-linked chain, including decisions, tool calls, parallel work,...
by H.A @has9800
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code: this is a local SQLite-backed causal memory (DAG) with optional semantic search/embeddings. Embedding-related deps (sentence-transformers, sqlite-vec) are consistent with the semantic-search feature. Minor mismatch: requirements.txt lists many extra heavy packages (torch, transformers, langgraph, datasets, etc.) beyond the pyproject's declared dependency, which is broader than the visible code needs and increases installation footprint.
Instruction Scope
SKILL.md explicitly instructs you to modify the agent system prompt (call raven_start_session at the start and inject returned summary). That is expected for a memory plugin, but the pre-scan flagged a system-prompt-override pattern — altering the system prompt is a powerful action that increases attack surface and can be abused if the skill (or its inputs) were malicious. The runtime instructions otherwise stay within the memory scope (record/search/end/rollback) and do not ask the agent to read unrelated files or credentials.
Install Mechanism
No install spec in the registry (instruction-only), but the package contains pyproject.toml and a console script entrypoint. SKILL.md recommends pip install raven-memory (and optional extras). This will pull heavy native packages (torch, sentence-transformers) and may download model weights from external hosts at runtime (embedder loads SentenceTransformer). Loading sqlite-vec is implemented via sqlite extension loading. These native/networked components are expected for semantic search/embeddings but increase risk compared with a pure-Python or no-install skill.
Credentials
The skill requests no secrets or cloud credentials. Environment variables (RAVEN_DB_PATH, RAVEN_N_RECENT, RAVEN_N_SEARCH) are documented and relate directly to local DB path and tuning. The code writes a local DB (~/.raven/raven.db) and optionally loads native sqlite-vec; no API keys or unrelated credentials are requested.
Persistence & Privilege
The skill persists long-term local data (SQLite DB) and suggests adding itself to agent startup behavior/system prompts so session summaries are auto-injected. It does not set always:true and does not change other skills' configs programmatically. The persistence of potentially sensitive conversation/tool outputs to a shared ~/.raven/raven.db (shared across agents if configured) is a privacy consideration.
Scan Findings in Context
[system-prompt-override] expected: The skill explicitly asks you to modify the system prompt to call raven_start_session and inject the returned summary. That is normal for a memory plugin, but it was flagged because modifying system prompts increases risk if the skill or its stored data were malicious or crafted to influence agent behavior.
What to consider before installing
- Trust & provenance: the registry metadata lacked a homepage/source; pyproject points to a GitHub repo. Verify the package source (PyPI vs repository) and review the repo/maintainer before pip installing.
- Prompt modification risk: the skill asks you to change your agent's system prompt so it always calls the memory tool at session start. That is required for persistent memory but also broadens the skill's influence. Only add these instructions if you trust the code.
- Data & privacy: Raven stores all recorded events in a local SQLite file (~/.raven/raven.db) which can contain sensitive user messages and tool outputs. If you have secrets or private data, restrict file permissions, consider disk encryption/SQLCipher, or avoid enabling semantic embeddings which may cache richer content.
- Network/native components: semantic search uses sentence-transformers and sqlite-vec. SentenceTransformer will likely download model weights (network) and torch is a heavy native dependency. Be prepared for large downloads and native binaries; if you want to avoid network/model downloads, skip the 'vec' feature.
- Dependency mismatch: requirements.txt lists many heavy/unreferenced packages. Prefer installing from a verified source and review the package's pyproject/requirements to avoid unexpected installs.
- Testing: run the MCP server in an isolated environment first, and inspect the created DB contents. Review code (mcp_server, store, dag) yourself — no obvious exfil endpoints appear in the provided files, but embeddings/model downloads and loading a SQLite extension are actions with extra risk.
- If unsure: install and test in a disposable VM/container, or request the upstream repository URL and a maintainer identity before enabling in production.
skill.md:65: Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
