Skill v1.0.0

ClawScan security

Memos Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 28, 2026, 7:08 AM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions and behavior match its stated purpose (using a MemOS REST API for memory operations) but there are small coherence issues you should review before installing.
Guidance
This skill appears to do what it says (call a MemOS REST API to add/read/search/delete memories) and has low install risk because it is instruction-only. Before installing: (1) Confirm where MEMOS_API_URL will point — prefer a local, trusted server (e.g., http://localhost:8000) rather than an unknown remote host, because all memory read/write operations will go to that endpoint. (2) Ask the publisher to declare MEMOS_API_URL as a required environment variable in the registry metadata (the SKILL.md references it but the registry lists no required env vars). (3) Be aware the skill can delete memories and replace the agent's default memory behavior — consider limiting its use or permissions until you trust the endpoint. (4) If you must use a remote MemOS server, verify its operator and transport security (HTTPS, access controls) to avoid unintended data exposure.

Review Dimensions

Purpose & Capability
note: The name/description (search/retrieve memory via MemOS) aligns with the SKILL.md endpoints (add/read/search/list/delete). However the skill uses an environment variable MEMOS_API_URL for the API base without declaring it in the registry metadata; env.json provides a default (http://localhost:8000), which is inconsistent with the declared 'Required env vars: none'.
Instruction Scope
note: SKILL.md contains concrete REST calls and example code limited to MemOS endpoints (add/read/search/list/delete/agents/health). It does not instruct the agent to read unrelated local files or arbitrary environment variables, but it does reference MEMOS_API_URL (not declared) and includes a hard-coded example to run a local server at a Windows path (python D:\AI\MemOS\api_server.py). No instructions direct data to unexpected external endpoints beyond MEMOS_API_URL.
Install Mechanism
ok: This is instruction-only with no install spec and no binaries to download or run. That minimizes disk/write risk.
Credentials
note: The skill does not request credentials or secrets; that is proportionate. But it implicitly depends on MEMOS_API_URL (present in env.json) while the registry lists no required env vars. If MEMOS_API_URL is pointed to a remote server, the skill would transmit memory data to that host — the registry should explicitly declare MEMOS_API_URL as a required environment variable so users can review/set it.
Persistence & Privilege
ok: The skill does not request always:true or other elevated platform privileges. It only provides runtime instructions for calling an external API and does not modify other skills or global agent settings itself.