Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
memory-plus
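v1.0.6
虾宝 intelligent memory workflow. Works out of the box, keeps the data directory separate from the code, and supports lightweight degradation. Features:
- File-system storage, no external database dependency
- Ollama vector embeddings (optional, falls back to BM25)
- bge-reranker-v2-m3 reranking (optional)
- HyDE + Query Rewriting (optional)
- Automatic storage in a background thread (every 10 minutes)...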
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (a local memory workflow) aligns with the code: file storage, FTS5, optional KG via Ollama, optional Milvus/embeddings and dedup/merge features are implemented. However the skill does not declare any required environment variables in its registry metadata even though the code reads several (OLLAMA_URL, EMBEDDING_URL, MILVUS_HOST/PORT, RERANK_SERVICE_URL). The presence of container/host-default addresses (172.17.0.1, host.docker.internal) is noteworthy — they are coherent with optional 'host-side' services but are not declared to the user.
Instruction Scope
SKILL.md explicitly instructs modifying AGENTS.md to run an Exec on every message and to pipe full session contents to the skill's save script. That causes the agent to automatically search/save every user message and to write conversation data to local files. While this is consistent with a memory feature, it broadens scope substantially (automatic, per-message capture) and may cause sensitive user messages to be persisted and then processed or sent to external services.
Install Mechanism
No external install/spec; the skill is delivered as files and scripts (no downloads or package installs). That lowers supply-chain risk — nothing downloads arbitrary archives. Code will be executed by the agent via Exec entries and subprocess calls, which is expected for a CLI-style skill.
Credentials
Although the registry lists no required env vars, the code uses several environment variables and hard-coded default host endpoints: RERANK_SERVICE_URL (default http://172.17.0.1:18778), EMBEDDING_URL (default http://172.17.0.1:18779), OLLAMA_URL (default http://host.docker.internal:11434), and Milvus host defaults. These allow the skill to contact host/container-local services. The lack of declared env requirements in metadata is a mismatch and makes it unclear what network access will occur. The skill may send conversation content (including full sessions when /save is used) to those endpoints.
Persistence & Privilege
The skill itself is not flagged always:true, but SKILL.md instructs adding an AGENTS.md rule that runs the skill on every message (automatic per-message Exec). That effectively grants persistent, automatic invocation and broad data collection unless the user refuses or modifies those AGENTS.md edits. This persistent auto-run combined with network calls increases the blast radius.
What to consider before installing
This skill implements a plausible local memory system, but review these points before installing:
- Do not blindly add the AGENTS.md edits. Those make the skill run on every user message and will persist conversation content to ~/.openclaw/workspace/memory-workflow-data and may trigger network calls. Consider enabling only manual commands first.
- Inspect and, if needed, override the default endpoints (OLLAMA_URL, EMBEDDING_URL, RERANK_SERVICE_URL, MILVUS_HOST/PORT) in a safe environment. Defaults point at container/host addresses (172.17.0.1, host.docker.internal) which will make the skill contact services running on your host; ensure you intend that.
- Understand data flow: saved sessions and memory files are written locally, then may be processed by the KG extractor (calls Ollama) and sent to embedding/rerank services. Sensitive content in conversations could be transmitted to those services.
- If you want to proceed: (1) test in a sandbox or VM, (2) avoid adding automatic AGENTS.md hooks initially, (3) set env vars to point to trusted services (or disable optional features by ensuring those services are unreachable), and (4) review/backup ~/.openclaw/workspace before enabling.
If you want, I can point to the specific lines/files that perform network calls and automatic file writes so you can inspect or patch them before enabling the skill.
