Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

mia

v1.0.1

MIA (Memory-Intelligent Assistant): an intelligent memory assistant system that gives OpenClaw the ability to learn from experience through three modules: memory, planning, and feedback

by JingyangQiao (SII) @jingyangqiao
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (memory, planner, feedback) align with the included code files (memory/, planner/, feedback/) and the required binary (node). The planner contacting an LLM API is expected. However the registry metadata marks many env vars as required (including MIA_PLANNER_API_KEY, MIA_PLANNER_URL, MIA_PLANNER_MODEL) even though the SKILL.md and code show the API key is only needed when MIA_PLANNER_MODE=api and local mode is supported. This mismatch is disproportionate to the stated purpose.
Instruction Scope
Runtime instructions and provided SKILL.md limit actions to: calling the planner (local or API), reading/writing JSONL files for memory and feedback, and generating plans. The skill will read/write files under its own directories (memory.jsonl, feedback.jsonl) — this is expected but should be noted. There are no instructions to read unrelated system files or environment variables beyond the declared ones. One functional issue: the memory code references an extractPattern() function that is not defined, which could cause runtime errors and unpredictable behavior in similarity calculation.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but package.json and SKILL.md instruct running npm install (which will pull node-fetch from npm). This is common for Node-based skills; risk is moderate and standard (no external arbitrary downloads or obscure URLs).
Credentials
The skill metadata lists many required env vars unconditionally: MIA_PLANNER_API_KEY, MIA_PLANNER_URL, MIA_PLANNER_MODEL, etc. In code and SKILL.md the API key is only required when MIA_PLANNER_MODE=api (local mode does not require it). Declaring the API key and URL as always required is disproportionate. Also the skill will store data in files whose paths are configurable via env vars (MIA_MEMORY_FILE, MIA_FEEDBACK_FILE) — these are reasonable but the metadata labeling them 'required' without clarifying defaults is misleading. Primary credential set to MIA_PLANNER_API_KEY is reasonable for api mode but should not be mandatory for local usage.
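The check a reviewer would want here is that the key is read only in api mode and can only ever be attached to an https request. The following is an added example written for this page, not code from the mia skill: it uses the env-var names the registry lists, but the function names, the loopback rule for local mode, and the default URL and model are assumptions.

```javascript
// Added example, not code from the mia skill. Resolves planner settings from
// the env-var names the registry lists so that MIA_PLANNER_API_KEY is only
// consulted, and only attached to a request, when MIA_PLANNER_MODE=api.
// Function names, the loopback rule and the default URL/model are assumptions.

const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

function resolvePlannerConfig(env) {
  const mode = (env.MIA_PLANNER_MODE || "local").toLowerCase();
  if (mode !== "local" && mode !== "api") {
    throw new Error(`MIA_PLANNER_MODE must be "local" or "api", got "${mode}"`);
  }
  // Hypothetical default: a loopback OpenAI-compatible endpoint.
  const url = new URL(env.MIA_PLANNER_URL || "http://127.0.0.1:8080/v1/chat/completions");
  const model = env.MIA_PLANNER_MODEL || "local-default";

  if (mode === "local") {
    // Local mode never reads the key and refuses off-host endpoints, so a
    // mislabelled MIA_PLANNER_URL cannot turn local mode into a network send.
    if (!LOOPBACK_HOSTS.has(url.hostname)) {
      throw new Error(`local mode requires a loopback MIA_PLANNER_URL, got ${url.host}`);
    }
    return { mode, url: url.href, model, apiKey: null };
  }

  // API mode: the key is mandatory here, and it must only travel over TLS.
  const apiKey = env.MIA_PLANNER_API_KEY;
  if (!apiKey) {
    throw new Error("MIA_PLANNER_API_KEY is required when MIA_PLANNER_MODE=api");
  }
  if (url.protocol !== "https:") {
    throw new Error(`api mode requires an https MIA_PLANNER_URL, got ${url.protocol}`);
  }
  return { mode, url: url.href, model, apiKey };
}

// Request headers for the planner call: Authorization only exists in api mode,
// so the bearer token can never be sent to a local endpoint by accident.
function plannerHeaders(config) {
  const headers = { "content-type": "application/json" };
  if (config.mode === "api") {
    headers.authorization = `Bearer ${config.apiKey}`;
  }
  return headers;
}

// Example run with a constructed env (not process.env): local mode ignores the key.
const exampleEnv = {
  MIA_PLANNER_MODE: "local",
  MIA_PLANNER_URL: "http://localhost:8080/v1/chat/completions",
  MIA_PLANNER_API_KEY: "sk-should-never-be-sent",
};
console.log(plannerHeaders(resolvePlannerConfig(exampleEnv)));
```

The two throws are the point: a registry that declares the key "required" for every mode encourages users to set it even for local runs, and once it is in the environment the only thing preventing a send is code like the branch above.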
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It persists data only to its own memory/feedback JSONL files (configurable paths). That persistence is normal for a memory skill but users should be aware that stored memories/feedback are plaintext JSONL files and could contain sensitive content if the agent stores such data.
What to consider before installing
- The skill reads and writes plain JSONL files (memory and feedback) under its own directories by default; review and control the file paths (MIA_MEMORY_FILE, MIA_FEEDBACK_FILE) and their permissions to avoid accidental storage of sensitive data.
- The registry metadata marks MIA_PLANNER_API_KEY and the other planner vars as required, but the code only needs the API key when MIA_PLANNER_MODE=api. If you do not want to provide an external API key, set MIA_PLANNER_MODE=local and point MIA_PLANNER_URL at a local model. Do not provide cloud API keys unless you intend to use api mode.
- There are duplicated files and a coding bug: the memory code calls extractPattern(), which is not defined. This suggests the package may be untested and could throw runtime errors or behave unexpectedly. Review the code locally and run it in an isolated test environment first.
- npm install fetches node-fetch from the public npm registry (a standard dependency); run installs in a controlled environment if you are cautious about third-party packages.
- For production use, inspect the code, run it in a sandbox, and consider encrypting or restricting access to the memory/feedback files. If you need help verifying the undefined function or cleaning up the metadata, have a developer audit and fix those issues before trusting persistent data or production API keys.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
mia-planner/mia-planner.mjs:11: Environment variable access combined with network send.
planner/mia-planner.mjs:11: Environment variable access combined with network send.


Latest version: vk97d16fn5s7xpwc0fkxfhjd4sx849k8g


Runtime requirements (Clawdis)

Bins: node
Env: MIA_PLANNER_MODE, MIA_PLANNER_API_KEY, MIA_PLANNER_URL, MIA_PLANNER_MODEL, MIA_MEMORY_FILE, MIA_SIMILARITY_THRESHOLD, MIA_FEEDBACK_FILE
Primary env: MIA_PLANNER_API_KEY
