Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawbrain Boost
v1.6.0ClawBrain Boost v1.6 — 一键让 OpenClaw 更准更稳。记忆系统 + 数据保真 + 自动容错 + 写作助手。越用越懂你。
⭐ 0· 102·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The description promises a rich local enhancement (memory system, scheduled consolidation tasks, 3D visualization, automatic identity sync). However the package is instruction-only and provides no code or install artifacts to implement local agents or schedulers. That could be fine if those features are provided by the remote model/service, but the skill metadata failed to declare the API credential it in practice requires. Also the SKILL.md points users to clawbrain.dev for an API key but the model baseUrl is 'https://api.factorhub.cn/v1' — a domain mismatch that is unexplained.
Instruction Scope
Instructions tell the user to edit ~/.openclaw/openclaw.json to add a remote provider and API key and to restart the gateway. Those actions are within scope for integrating a remote model provider. Concerns: SKILL.md asserts daily background tasks (DreamTask at 3:00), identity auto-sync, and local visualization without providing local components or explaining whether these run on the remote service. The instructions are otherwise specific and do not request unrelated system files or arbitrary secrets.
Install Mechanism
This is instruction-only with no install spec and no code files, so nothing is written or executed locally by the skill itself. That lowers local install risk. The README suggests using 'clawhub install clawbrain-boost' but there is no install artifact provided for review.
Credentials
Registry metadata lists no required environment variables or primary credential, but the runtime instructions explicitly require an API Key (to be stored in ~/.openclaw/openclaw.json) for a remote provider. That credential request is reasonable for a model-provider integration — but it should have been declared. The mismatch in declared vs. required credentials reduces transparency. Also the API endpoint domain (api.factorhub.cn) differs from the visible homepage (clawbrain.dev), which raises questions about where data (including conversation content/memory) will be sent and stored.
Persistence & Privilege
The skill is not always-included and model invocation is allowed (default). The SKILL.md tells users to change their OpenClaw default model to the remote provider, which is a normal configuration change but has the effect of routing agent requests (and potentially memory) to the external service. This is expected for provider integrations but is a behavioral/privilege change you should be aware of.
What to consider before installing
Before installing: 1) Verify the provider domains and ownership — SKILL.md links to clawbrain.dev but the API baseUrl is api.factorhub.cn; confirm these are legitimately related. 2) Understand data flow: installing as described will send agent requests (and likely extracted 'memories') to the remote provider — read its privacy/data-retention policy and confirm what it stores and for how long. 3) Treat the API Key as sensitive: only use a provider you trust and avoid using it with sensitive or production data until you confirm behavior. 4) Because the skill is instruction-only, ask the maintainer (or vendor page) how features like DreamTask (daily consolidation), identity auto-sync, and 3D visualization are implemented and where they run (local vs. remote). 5) If unsure, do a limited test: don’t set it as your default model, and test with non-sensitive conversations to observe requests and responses before full adoption.Like a lobster shell, security has layers — review code before you run it.
latestvk97fva5qdd1d1vfa5btkfvv28s84t8py
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🚀 Clawdis