Echo
v1.0.0
Sync, encode, embed, and upsert OpenClaw markdown memory files to Supabase, with commands to restore and check sync status.
by Kobe @kkw-21
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The description says it will 'upsert to Supabase' and manipulate local memory files, but the package declares no required environment variables, no primary credential, and no required binaries. A Supabase sync normally requires a SUPABASE_URL and a key (anon or service role) and a client/CLI; the skill does not request or document those, which is inconsistent with its stated purpose.
Instruction Scope
SKILL.md lists CLI commands (echo-memory sync/restore/status) and references parsing and upserting local workspace markdown to cloud storage, but gives no detail on which Supabase project/endpoint, what credentials to use, or how to handle conflicts. It will inherently access local workspace files (expected) and transmit them to a cloud target (not documented). The instructions are too vague about endpoints/credentials and therefore grant implicit broad discretion.
Install Mechanism
There is no install spec and no included code. The SKILL.md references an 'echo-memory' CLI, but the skill does not declare that the binary is required or provide an installation source (package name, repo, or release). It's unclear how the commands will exist on the agent's PATH — missing install instructions are a material omission.
Credentials
No environment variables or credentials are declared despite operations that require networked database access. This is disproportionate: syncing to Supabase will require at minimum a URL and a key. The absence could mean the skill expects secrets to be provided at runtime in an ad-hoc way or to be discovered, which is unsafe.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not declare modifications to other skills or system-wide settings. No special persistence or elevated platform privileges are requested.
What to consider before installing
Do not install this skill without clarification. Ask the author for the source code or repository and for an explicit install spec (how to obtain the 'echo-memory' CLI). Request a list of exact environment variables the tool needs (typical: SUPABASE_URL and a key) and insist on least-privilege credentials (avoid a Supabase service role key unless absolutely necessary). Verify where data will be uploaded and ensure your local memory files contain no secrets before syncing. If you must test, run it in an isolated environment (sandbox or container) and require the developer to provide reproducible install steps (npm/pip package name or GitHub release) and a privacy/security README explaining data handling and required credentials.
Like a lobster shell, security has layers — review code before you run it.
latest · vk973hjxat89wxxyahxs89xc80x82n32h
