ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Enhanced Memory System V3

v1.3.0

完整记忆系统 - 文件系统记忆 + 向量搜索 + 四类记忆分类 + AutoDream 自动整合

0· 59·0 current·0 all-time
by@minmengxhw-cpu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's source code implements the advertised file-based memory, vector search (Ollama), AutoDream consolidation, and read/write of memory files — so overall capability aligns with the description. However, the code requires integration with an external LLM (MiniMax) via an API key (process.env.MINIMAX_CODING_API_KEY) which is not declared in the skill's required env vars/metadata; that omission is an incoherence and a security-relevant surprise.
!
Instruction Scope
SKILL.md describes AutoDream and file operations, but the runtime code will (a) scan and modify user memory files (add/delete/update), (b) send memory file contents to an external MiniMax API for consolidation, and (c) call a local Ollama endpoint using shell curl. The SKILL.md does not clearly document the external MiniMax endpoint or the need for an API key in configuration/installation instructions, which is scope creep relative to what a casual reader would expect.
Install Mechanism
There is no external installer or download step — the skill is delivered as source files. No package downloads or remote installers are executed at install time. Runtime behavior (network calls, shell exec) is where risks appear, not in an install mechanism.
!
Credentials
The repository and code read process.env.MINIMAX_CODING_API_KEY (and CHANGELOG documents it) but the registry metadata claimed 'required env vars: none' and did not declare this credential. The code also relies on process.env.HOME and attempts to import OpenClaw internals (sessionStatus) to get token counts. Asking (implicitly) for an external LLM API key that will receive user memory files is a disproportionate secret requirement that was not disclosed.
Persistence & Privilege
always:false (not force-installed) and hooks (onSessionStart, onHeartbeat) are present so the skill can auto-run its AutoDream and auto-load behavior during sessions. Autonomous invocation is platform-default, but here it means AutoDream could periodically scan/modify local memory files and call an external LLM without further user prompts — combine this with the undeclared API key usage for added risk.
Scan Findings in Context
[MINIMAX_API_CALL] expected: The AutoDream implementation calls an external LLM API at https://api.minimaxi.com/anthropic/v1/messages to perform consolidation. Using an LLM for consolidation is plausible for this feature, but this implies user memory content will be transmitted to a third-party. The API key is read from process.env.MINIMAX_CODING_API_KEY but the skill metadata did not declare this env var.
[ENV_VAR_MINIMAX_CODING_API_KEY] unexpected: The code depends on MINIMAX_CODING_API_KEY for LLM calls, yet the registry metadata lists no required env vars. Not declaring this secret is an incoherence and a privacy risk.
[LOCAL_OLLAMA_CURL_EXEC] expected: Embedding code invokes curl via child_process to http://localhost:11434/api/embeddings (Ollama). Local Ollama usage is reasonable for embeddings, but calling curl through shell with content derived from memory introduces command-execution and injection risk if inputs are not fully sanitized.
[CHILD_PROCESS_EXEC_USAGE] unexpected: The code uses child_process.exec to run shell commands (ollama list and curl). For embedding/local checks this can be expected, but executing shell commands with user-provided text increases attack surface and should be carefully audited.
[OPENCLAW_SESSION_ACCESS] expected: The flush component attempts to import OpenClaw's sessionStatus to read token counts. Querying session token usage is plausible to determine flush timing, but importing platform internals may expose sensitive runtime state and should be documented and limited.
What to consider before installing
This skill largely does what it says (file-based memories, vector search, auto-consolidation), but it will: (1) scan and change files under your configured memoryDir, (2) call a third-party MiniMax LLM (sending memory contents) if AutoDream runs and an API key is present, and (3) call a local Ollama embedding endpoint via shell commands. Before installing: review the executeDream/autoDream code path to confirm what gets sent to MiniMax and what files may be deleted or modified; do not provide MINIMAX_CODING_API_KEY unless you trust the MiniMax service and accept that your memory files may be transmitted; consider disabling AutoDream (autoDream.enabled=false) or running the skill in a sandboxed environment; prefer a local Ollama instance for embeddings and audit the child_process usage for injection risk; and if you are concerned about leaking private data, keep sensitive material out of the configured memoryDir or avoid installing this skill.
src/autoDream.ts:113
Environment variable access combined with network send.
!
src/autoDream.ts:90
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e76hh3eba531vy8cspygxq583ydcf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments