Skill v1.6.1

ClawScan security

Mem Plus · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 8, 2026, 6:24 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's behavior largely matches a personal-memory recall tool, but there are multiple developer-specific hardcoded paths, surprising filesystem access and metadata-stripping behaviors, and some mismatches between the README and included files that warrant caution before installing.
Guidance
This skill appears to implement what it claims (identity-first personal memory recall), but exercise caution before installing or running it. Key points to consider:

- The code reads local databases and arbitrary files under ~/.openclaw/workspace and mempalace folders and can inject full file contents into agent context — remove or secure any sensitive files in those locations first.
- The package contains hardcoded user-specific paths (/Users/mars/..., inserted site-packages path). Verify and edit these paths to match your environment before running; otherwise the skill may fail or behave unexpectedly.
- The reranker strips message/conversation metadata (message_id, [user:...], code fences), which may remove provenance — confirm you are comfortable with that sanitization.
- The scripts call a local Ollama embeddings HTTP endpoint and the mempalace CLI; ensure those local services are trusted and properly configured.
- Because the bundle was clearly packaged from a developer machine and references missing files (e.g., super_mem_cli.py) and platform-specific paths, prefer to review the full source (especially any credential-filtering code not shown) and run in a sandbox or test account first.

If you want to proceed: review and edit hardcoded paths, audit any credential-filtering and injection code, and run the scripts in a controlled environment before granting the skill access to your real workspace or memory DBs.

Review Dimensions

Purpose & Capability
note: The name/description (identity-first personal recall with Chinese bigram boost) matches the code's retrieval, boosting, and reranking logic. However, the skill hardcodes user-specific paths (/Users/mars/...), inserts a site-packages path, and references other scripts/files (e.g., super_mem_cli.py) that are not present in the bundle — these are developer-environment artifacts that reduce portability and suggest the package was packaged from a single user's machine rather than designed for general use.
Instruction Scope
concern: SKILL.md and the scripts instruct the agent to read local databases and filesystem paths (e.g., ~/.mempalace/palace/, ~/.super-mem/chroma/, ~/.openclaw/workspace) and will inject file contents (up to large sizes) into results. The reranker also strips OpenClaw metadata patterns (message_id, [user:..], conversation blocks), which removes provenance and could hide origin metadata before data is sent to models or external services. Filename-based direct injection elevates full file contents to rank 1 for certain queries, which could unexpectedly expose sensitive local files. These actions are consistent with a personal recall tool but are high-impact and should be reviewed if you have sensitive files in those locations.
Install Mechanism
ok: No installation steps or external downloads are declared; the skill is instruction + bundled Python scripts only. That lowers supply-chain risk compared to remote downloads. However, the scripts rely on external local binaries/services (mempalace CLI at a hardcoded path and a local Ollama embeddings endpoint), so the runtime requires locally installed components.
Credentials
note: The skill declares no required environment variables or credentials (good), but it nonetheless accesses local resources: mempalace CLI, a local Ollama HTTP endpoint at localhost:11434, a ChromaDB path, and the user's workspace and mempalace directories. Access to local files and DBs is proportional to a memory-recall skill, but because no explicit consent/credential gating is declared in metadata, users should be aware these filesystem and local-service accesses will occur when invoked.
Persistence & Privilege
ok: The skill is not marked always:true and does not declare any behavior that modifies other skills or system-wide agent settings. It runs as a user-invoked tool and does not request elevated or persistent platform privileges.