Goldhold Skill
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could store or send summaries, decisions, or other context that the user did not intend to share with GoldHold.
The skill exposes documented external API operations, including a send action. This is disclosed and aligned with the GoldHold memory/messaging workflow, but it can transmit user-derived content to the provider.
POST /v1/turn -- Search + Store + Send (Main Tool) ... can search, store, and send messages in one request.
Confirm before sending messages or saving sensitive material, and keep API use limited to the documented GoldHold endpoint.
Anyone with the API key may be able to access or modify the associated GoldHold memory account, depending on the provider's controls.
The skill requires a GoldHold API key, which is expected for a hosted memory service and is disclosed in both the registry metadata and SKILL.md.
Required env vars: GOLDHOLD_API_KEY; Primary credential: GOLDHOLD_API_KEY
Store the API key only in a secret manager, avoid committing it to files or shell profiles, and rotate it if it may have been exposed.
Incorrect, sensitive, or maliciously inserted memories could be reused later and shape the agent's answers or behavior across sessions.
The skill intentionally stores and retrieves persistent memories, including directives and identity/configuration information, which can influence later sessions.
GoldHold is a persistent memory API... Store decisions, facts, and corrections... DIRECTIVE | Standing instructions or rules
Do not store secrets or highly sensitive data unless necessary, review saved memories, delete or tombstone outdated entries, and treat retrieved memories as context that must not override current user or system instructions.
