Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawBrain Memory

v1.2.0

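v1.2 long-term memory system: automatically remembers conversation content, distinguishes verbatim quotes from summaries, does not lose long conversations, and updates identity in real time. Lets the lobster truly remember everything.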

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md promises persistent, cross‑dialog memory, automatic daily consolidation, real‑time identity updates, and a web dashboard, yet there are no code files, no install steps, no storage/backend details, and no required credentials. A long‑term memory system would normally need storage, an API endpoint, and credentials (or explicit instructions to use built‑in agent storage). The lack of those elements is inconsistent with the claimed capabilities.
! Instruction Scope
The instructions are high‑level marketing/feature descriptions rather than runtime directives. They give no concrete commands, API endpoints, or data handling rules, and they implicitly authorize broad agent behavior (e.g., automatic daily reorganization, identity updates) without specifying limits. This vagueness grants the agent wide discretion and makes it unclear what data will be read, stored, or transmitted.
! Install Mechanism
There is no install spec and no code—while low immediate filesystem risk, it is unexpected for a feature that promises persistent, server‑backed functionality. Normally such a skill would include an install or integration guide (e.g., how to connect to a memory backend, required services). The absence of any implementation detail is a red flag about how the capability would actually be provided.
! Credentials
The skill requests no environment variables or credentials despite describing a dashboard and persistent storage. For a memory service, one would expect API keys, storage configuration, or at least a declaration of where data is kept. This mismatch raises privacy and data‑exfiltration concerns: it's unclear whether memories are local, sent to clawbrain.dev, or handled elsewhere, and there is no mention of access controls or retention policy.
Persistence & Privilege
always:false and user‑invocable:true (normal). The doc says 'takes effect automatically after installation', which implies it activates when installed, but there is no mechanism shown for enabling persistent background tasks. There is no evidence it would modify other skill configs or request elevated system privileges.
What to consider before installing
Do not install yet. Ask the publisher for concrete implementation details before trusting this skill: where are memories stored (local vs remote), what endpoints are used, what credentials or API keys are required, who can access the stored data, how to view/export/delete memories, encryption/retention policy, and an install/integration guide or source code. Verify the clawbrain.dev domain and the skill author's identity. Prefer skills that publish code or explicit install steps and that declare required env vars and data handling policies before granting access to any sensitive conversations.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🧠 Clawdis
