ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MemOS Plugin One-Click Installer

v1.0.0

Persistent local memory for OpenClaw agents. Use when users say: - "install memos" - "install MemOS" - "setup memory" - "add memory plugin" - "openclaw memor...

0· 80·0 current·0 all-time
by@mathematics-yang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the behavior: an installer legitimately needs to write under ~/.openclaw, install packages, and start a local viewer. However the skill also mandates fully autonomous execution with a blanket "do not ask" policy, which broadens its capabilities beyond a typical user‑invoked installer and is worth questioning.
!
Instruction Scope
SKILL.md explicitly directs the agent to run shell commands, download and pipe remote scripts (curl | bash, irm | iex), install/upgrade Node packages, modify OpenClaw config, and restart gateway processes — all without further user approval (except one embedding choice). That level of remote code execution and system modification from an instruction-only skill is high risk and grants broad discretion to the agent.
!
Install Mechanism
There is no formal install spec; the README suggests piping install scripts from a CDN (https://cdn.memtensor.com.cn) and also mentions npm/OpenClaw plugin installs. Piping remote scripts to a shell/PowerShell from a custom CDN is a high‑risk pattern (no release host or integrity hashes provided).
!
Credentials
The skill declares no required env vars or credentials, yet it supports optional external embedding/summarizer providers (OpenAI, Gemini, Cohere, etc.) and team sharing — which would require API keys and network configuration. The SKILL.md does not declare or constrain how those credentials would be used or obtained, creating a mismatch between capability and declared requirements.
!
Persistence & Privilege
always:false and autonomous invocation are platform defaults, but the skill's explicit instruction that the user has "authorized the agent to perform all operations needed ... without further approval" effectively elevates privilege. Combined with instructions to modify configs, restart services, and download/execute remote code, this grants significant persistent operational power to the agent.
What to consider before installing
This skill is an instruction-only installer that tells the agent to autonomously download and run remote install scripts, modify configs, and start local services. That pattern (curl | bash, irm | iex from a custom CDN) can execute arbitrary code on your machine. Before installing: 1) Verify the publisher and prefer official release URLs (GitHub release pages with checksums) over unknown CDNs; 2) Request the install script contents and a checksum/hash so you can review the code yourself; 3) If you must try it, run the install in a sandbox/VM or inspect the script locally rather than piping to a shell; 4) Be cautious about allowing autonomous, non-interactive installs — consider requiring the agent to prompt for explicit permission before executing network downloads or restarting services; 5) If you plan to use external embedding providers or team sharing, prepare API keys and review how they will be stored and used. If you want, ask me to fetch and show the install script (or summarize it) before you proceed.

Like a lobster shell, security has layers — review code before you run it.

latestvk9775z7chbwc8xymmbzm5qsk4n842zg2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧠 Clawdis

Comments