Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The description focuses on resource‑efficient decision making, which can plausibly benefit from memory. However, the SKILL.md expands into a full 'long‑term memory' subsystem that persists user data locally; that capability is not mentioned in the top-level metadata and seems beyond the minimal scope implied by the name/description.
Instruction Scope
Runtime instructions include Python code that automatically reads/writes a JSON file under the user's home (~/.openclaw/pv_palace/memories.json) and recommend invoking functions like store_memory/search_memories. The doc also shows example commands that import pv_memory, but no pv_memory module or other code files are bundled — the instructions are therefore ambiguous and would cause the agent to write persistent user data without a clear opt‑in or clear provenance of the code being executed.
Install Mechanism
No install spec or external downloads are present (instruction-only), so there is no additional install risk from third‑party binaries or network fetches.
Credentials
The skill declares no required env vars or config paths, yet its instructions write and read a persistent file under the user's home directory. This is an undeclared request for filesystem persistence and may capture sensitive user content; the storage path and automatic behavior are not justified or explained in the metadata.
Persistence & Privilege
The SKILL.md describes '自动调用' (automatic invocation) of memory functions and demonstrates commands that persist data locally. While the skill is not marked always:true, the platform's default autonomous invocation plus these instructions could allow the agent to repeatedly store user data on disk without explicit interactive confirmation. That combination raises privacy concerns.
What to consider before installing
This skill adds an automatic local memory feature that writes to ~/.openclaw/pv_palace/memories.json but the package does not include the referenced pv_memory module and the metadata doesn't disclose the persistent storage. Before installing:
1) Decide whether you want an agent that automatically stores user data to your home directory.
2) Ask the author for the missing pv_memory code or a clear explanation of how memory will be implemented and audited.
3) Require an explicit opt‑in/opt‑out and encryption or access controls for stored memories.
4) Inspect the memory file (or run the skill in a sandbox/container) to see exactly what is written.
5) Avoid installing on sensitive accounts until you confirm where data is stored, retention policy, and how to delete it.
The absence of scanner warnings only reflects that this is an instruction‑only skill — it does not mean it is harmless.
Like a lobster shell, security has layers — review code before you run it.
