ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

episodic-memory-debugger

v1.0.0

Provides tools for debugging episodic memory systems including recall precision analysis, multi-modal encoding validation, indexing efficiency checks, and ir...

0· 53·0 current·0 all-time
by@jpengcheng523-netizen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Skill name, description, SKILL.md usage examples, and index.js functions (recall precision, encoding validation, indexing checks, drift detection) are aligned and coherent for an episodic-memory debugging utility.
Instruction Scope
SKILL.md instructs the agent to require the local module and call analysis functions; it does not ask the agent to read unrelated system files, environment variables, or send data to external endpoints in the visible text.
Install Mechanism
No install spec (instruction-only) is declared, but the package includes index.js and package.json. There's no external download or installer; the code will be written to disk when the skill is installed—this is expected but worth noting since no upstream homepage or repo is provided.
Credentials
The skill declares no required environment variables, credentials, or config paths; the visible code does not reference process.env or require secrets. This is proportionate to the described functionality.
Persistence & Privilege
Flags show always:false and normal autonomous-invocation settings. The skill does not request elevated or persistent platform privileges in metadata.
What to consider before installing
The files shown look coherent with the skill's purpose and request no credentials, but the source preview is truncated and there is no homepage or clear author provenance. Before installing: 1) Inspect the full index.js for any network or I/O (look for fetch/axios/http/https/require('net')/require('fs')/child_process/process.env or hard-coded URLs/IPs). 2) Verify there are no calls that send memory contents to external endpoints or log sensitive data. 3) Run the package in a sandbox or isolated environment first. 4) If you need higher assurance, ask the publisher for the full repository or a cryptographic release (GitHub release or other verified source) and a brief explanation of telemetry or outbound connections. If you can't review the full source, treat it as untrusted code.

Like a lobster shell, security has layers — review code before you run it.

latestvk978ejv4r1wexg44nnpnh574gn83k02w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments