Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Working Memory Skill
v1.1.1
Set up, migrate, or manage a file-based working memory system for an AI agent project. Use for agent memory, working memory, session continuity, persistent c...
by @jiyuan
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description and the included scripts (scaffold, migrate, loader, writer, rebuild_index) all align with a file-based working-memory system. The scripts read and write MEMORY.md, memory/YYYY-MM-DD.md, memory/state.json, threads.md, events.json and related files — these are expected for the declared purpose and no unrelated network or cloud credentials are requested.
Instruction Scope
The runtime instructions and scripts do more than just create/read memory files: migrate.py will surgically patch AGENT.md (inserting memory-management instructions) unless you pass --skip-agent-patch. Modifying AGENT.md is within the domain of 'agent memory' migration but it also changes persistent agent configuration and can change future agent behavior (effectively a form of persistent prompt-injection). The pre-scan detected a 'system-prompt-override' pattern in SKILL.md, which reinforces the concern that the skill is designed to inject instructions into agent config. The SKILL.md and code do not attempt network exfiltration, but they grant the skill the ability to alter agent/system prompts stored in project files.
Install Mechanism
There is no external install or downloaded binary — this is instruction/code-only. No remote downloads, no package installs, and all code is included in the bundle, which reduces supply-chain risk.
Credentials
The skill requests no environment variables or external credentials. Its operations are confined to files under the provided project root; this is proportionate to a local file-based memory migration/scaffold tool.
Persistence & Privilege
The skill does not set always:true, but it explicitly patches AGENT.md (agent configuration) and writes persistent files (.bak backups are created). Modifying an agent's configuration file is a powerful persistent change: while relevant to migration, it also gives the skill the ability to alter future agent behavior (system prompts/instructions). This persistent modification of agent config is a notable privilege and should be explicitly approved by the user; the code provides a --skip-agent-patch flag but the default migration behavior patches AGENT.md.
Scan Findings in Context
[system-prompt-override] unexpected: The pre-scan flagged patterns consistent with modifying or injecting into an agent/system prompt. While the skill legitimately patches AGENT.md to add memory-management instructions (documented in migrate.py), the detection indicates this could be used to alter agent/system prompts persistently. That behavior is borderline: it's within migration scope but also exactly the vector used by prompt-injection attacks, so treat as suspicious and review injected content carefully.
What to consider before installing
- Review the code and the exact AGENT.md patch content before running migration. migrate.py documents injection points and creates backups (MEMORY.md.bak and others) but you should inspect the intended insertion text. Use --dry-run to preview changes and --skip-agent-patch to avoid modifying AGENT.md.
- Because the skill writes files under the project root, run it on a copy or in a sandboxed repository first. That prevents accidental persistent changes to an important agent config.
- The main risk here is not network exfiltration (there are no network calls) but persistent prompt/config injection: if you let the tool patch AGENT.md it will add instructions the agent will read on future runs. Only accept those changes if you trust the source and have reviewed the exact inserted text.
- If you don't want the skill to change agent behavior, make AGENT.md read-only or run migration with --skip-agent-patch and manually add the small, reviewed guidance you want.
- If you need stronger assurance: run migrate.py --dry-run, inspect the created .bak files and the scripts' injection strings, and consider running static scans or manual code review focusing on the patch_agent_md logic and PATCH_MARKER behavior.
- Confidence note: the bundle is self-contained and matches its stated purpose, but the prompt-injection signal plus agent-config patching is a real practical risk — treat this as 'suspicious' until you verify the exact injected content and consent to persistent AGENT.md changes.
references/RETRIEVAL.md:226
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
