Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OpenClaw Universal Memory
v1.0.0
Generic Postgres and pgvector memory layer for connector-agnostic data ingestion, incremental sync, and searchable chunk storage with cursor history.
⭐ 0 · 639 · 2 current · 2 all-time
by Marcos Athanasoulis (@marcosathanasoulis)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The name/description match the included launcher script: it runs an openclaw_memory CLI to manage pgvector-backed memory and ingestion. However the registry metadata declares no required env vars or binaries, while SKILL.md and the script expect a DATABASE_DSN (or --dsn/--dsn-file) and a locally installed package (pip install -e .). The distributed bundle does not include the package under src/ (only a scripts wrapper), so installing/running as instructed will fail or will depend on code you must obtain separately. Connectors (google/slack/asana/iMessage) are referenced but their credentials and connector code are not included or declared.
Instruction Scope
SKILL.md gives concrete CLI invocations that only interact with a local Postgres DSN; the provided script only spawns the openclaw_memory.cli module (no network calls in the wrapper). But the skill delegates connector work to external connector code (not included), which likely calls external APIs and requires additional credentials/config. The skill also supports configure-dsn which may persist secrets to disk (via underlying CLI), and while the README warns against passing secrets on the command line, the wrapper accepts --dsn and will place it into the subprocess environment—this is potentially mishandled if the underlying CLI writes config files or logs. The instructions are otherwise specific, not overly open-ended.
Install Mechanism
There is no install spec in the registry. SKILL.md instructs the user to run 'pip install -e .' to install the package, but the bundle does not include a pyproject/setup or the package sources under src/ (only a wrapper script and references). That means the instructions require installing code that is not bundled; installation as-is will either fail or pull code from an external source you must obtain separately. This missing packaging makes the skill incoherent and increases risk because behavior depends on external code not provided for review.
Credentials
The skill declares no required environment variables in the registry, yet SKILL.md and the script expect a DATABASE_DSN (default env name DATABASE_DSN) and connectors will require service credentials. The absence of declared env requirements is misleading. The skill recommends least-privilege DB credentials, but provides no enforced mechanism for credential protection (configure-dsn may persist secrets—location unspecified).
Persistence & Privilege
The skill does not request 'always: true' and uses normal agent invocation settings. It does not try to modify other skills or system-wide configuration in the provided wrapper. The only persistence risk is that the underlying CLI (not included) might write DSN/config files; the wrapper forwards --config-path to that CLI, so review where configure-dsn stores secrets before using it.
What to consider before installing
This skill is plausible for providing a Postgres/pgvector memory layer, but the package that actually implements the functionality is not included in the bundle, and the registry metadata fails to declare the DATABASE_DSN requirement. Do not install or run until you:
1) obtain and review the full Python package (pyproject/setup and src/openclaw_memory) so you can inspect connector implementations and where secrets are stored;
2) provide the database DSN via a secure OS secret store or environment (avoid passing secrets on the command line);
3) use least-privilege DB credentials limited to the um_* tables;
4) verify what configure-dsn does (where it writes config, file permissions, encryption); and
5) audit any connector code before enabling ingestion (connectors will call external APIs and require credentials).
If you cannot review the missing package code, treat this skill as untrusted and do not run it against production or sensitive databases.
latest: vk97fdsq98tt4e4r0rhdzn6tjzx814t6t