Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Unified Memory
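v4.4.0 Unified Memory System - a memory system built for AI agents, supporting Context Tree, smart summarization, knowledge graph, and workflow engine. Zero dependencies, fully benchmarked against QMD/MetaGPT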
⭐ 0· 486·4 current·4 all-time
by 程序员小刘 @mouxangithub
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The codebase (hundreds of Node.js modules) and SKILL.md consistently describe a complex memory system (L0→L3 pipeline, vector/BM25 search, WAL, web UI, local embedding, multi‑tenant/team features). Those capabilities match the skill name/description. However the registry metadata claimed 'instruction-only / no install spec' and 'no required env/config paths', while SKILL.md and the file tree require workspace paths, env vars (OLLAMA_HOST, etc.), and include an install script and many source files — an internal inconsistency that should be resolved.
Instruction Scope
SKILL.md and READMEs instruct running npm install, optional install.sh, starting REST and web UI servers (node src/api/server.js, node src/webui/dashboard.js), and show commands that read/write ~/.openclaw/workspace/memory/. The skill also documents cloud backup, collaboration/push, and WAL import/export tools. Those instructions legitimately belong to a memory system, but they require filesystem writes, long‑running network servers, and optional external installers (curl | sh for Ollama). SKILL.md also contains prompt-injection patterns (ignore previous instructions/system prompt override) — unrelated to functionality and suspicious. The instructions give broad discretion (many tools, hooks, plugin system) which increases the attack surface.
Install Mechanism
Registry metadata lists no install spec, but the package includes install.sh, package.json, and many JS files. The docs explicitly suggest 'git clone && npm install' and provide an install script. That means code will be written and executed on the host if installed. The install guidance also references running external scripts (e.g., curl | sh to install Ollama). There is no documented central release host or cryptographic provenance in the metadata (homepage/source listed as unknown/none). This mismatch (no install spec vs. extensive code + install scripts) is a red flag and raises supply‑chain risk.
Credentials
SKILL.md declares and expects multiple environment variables (OLLAMA_HOST, OLLAMA_EMBED_MODEL, LLM_MODEL, LLM_PROVIDER, VECTOR_ENGINE, STORAGE_MODE, OPENCLAW_WORKSPACE_DIR) and declares read/write permissions to ~/.openclaw/workspace/memory/. But the registry metadata reported 'required env vars: none' and 'required config paths: none'. Several modules (cloud backup, collab, external embedding/backends) can use networked credentials (OpenAI/Jina/SiliconFlow) though those credentials are not declared in metadata. The number and breadth of env/config items described in docs is proportionate to a full memory system but inconsistent with the published metadata — this discrepancy is concerning because users may deploy without realizing the skill will attempt network connections and will read/write workspace files.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable. It includes code that runs servers, writes to workspace directories, and can persist WAL and other data — which is expected for a stateful memory service. There is also a plugin/collab/cloud subsystem and a 'sandbox' component referenced (Docker execution sandbox), which means the skill can run background work and possibly execute code if deployed. Those behaviors are coherent with the stated purpose but increase long‑term presence and privilege on the host; ensure you are comfortable with persistent services being installed.
Scan Findings in Context
[prompt-injection:ignore-previous-instructions] unexpected: The pre-scan detected 'ignore-previous-instructions' pattern in SKILL.md. Prompt-injection patterns in packaging documentation are not needed for a memory backend and are suspicious — could indicate the author attempted to embed instructions to manipulate LLM behavior.
[prompt-injection:system-prompt-override] unexpected: A 'system-prompt-override' pattern was detected inside SKILL.md. This is unrelated to implementing a memory store and should be treated as unexpected; review the SKILL.md content and any templates that generate prompts.
What to consider before installing
Before installing or enabling this skill, do the following:
1) Fix the metadata mismatch: confirm with the publisher whether the package is supposed to be code-based (it clearly contains hundreds of source files) and get the canonical repository URL and release artifacts.
2) Inspect install.sh and package.json for postinstall scripts, network calls, or commands that run with shell privileges.
3) Review the code paths for cloud/collab/push/backup and sandbox modules (src/collab/*, src/cloud_backup_api.js, src/system/sandbox.js) for any hard-coded external endpoints, telemetry, or automatic outbound connections.
4) If you will run it, run first inside an isolated environment (container or VM) with no network or restricted network access and a limited user account; don't expose the web UI to the public internet.
5) Restrict filesystem access (run as a user that cannot read other users' home dirs) and consider mounting ~/.openclaw/workspace/memory/ to a controlled location.
6) Verify which environment variables are actually required and avoid supplying unrelated credentials (OpenAI, AWS, etc.) until you confirm they are necessary.
7) Because SKILL.md contains prompt-injection patterns, audit any prompt templates and the code that builds prompts before enabling autonomous invocation.
If you are not comfortable performing these checks, treat this skill as untrusted and avoid installing it on production machines.
src/cloud_backup_api.js:357
Shell command execution detected (child_process).
src/git_notes.js:55
Shell command execution detected (child_process).
src/index.js:806
Shell command execution detected (child_process).
src/integrations/git_manager.js:32
Shell command execution detected (child_process).
src/lessons.js:541
Shell command execution detected (child_process).
src/qmd_integration.js:41
Shell command execution detected (child_process).
src/search/qmd_backend.js:26
Shell command execution detected (child_process).
src/storage_lock.js:34
Shell command execution detected (child_process).
src/system/sandbox.js:147
Shell command execution detected (child_process).
src/tools/git_notes.js:36
Shell command execution detected (child_process).
src/tools/qmd_search.js:77
Shell command execution detected (child_process).
src/webui/dashboard.js:212
Shell command execution detected (child_process).
start-dashboard.js:141
Shell command execution detected (child_process).
test-all.cjs:96
Shell command execution detected (child_process).
src/agents/agent_memory.js:40
Environment variable access combined with network send.
src/agents/memory_agent.js:21
Environment variable access combined with network send.
src/cache_semantic.js:20
Environment variable access combined with network send.
src/cloud_backup_api.js:18
Environment variable access combined with network send.
src/collab/cloud.js:16
Environment variable access combined with network send.
src/collab/peer_registry.js:13
Environment variable access combined with network send.
src/collab/push.js:30
Environment variable access combined with network send.
src/config.js:10
Environment variable access combined with network send.
src/consolidate/reconsolidation.js:17
Environment variable access combined with network send.
src/episode_summarizer.js:15
Environment variable access combined with network send.
src/graph/knowledge_merger.js:33
Environment variable access combined with network send.
src/index.js:801
Environment variable access combined with network send.
src/integrations/cloud_backup.js:17
Environment variable access combined with network send.
src/rerank.js:17
Environment variable access combined with network send.
src/rerank/cross_encoder.js:14
Environment variable access combined with network send.
src/sync_incremental.js:21
Environment variable access combined with network send.
src/system/llm_provider.js:61
Environment variable access combined with network send.
src/system/local_llm.js:33
Environment variable access combined with network send.
src/tools/concurrent_search.js:22
Environment variable access combined with network send.
src/tools/inference.js:15
Environment variable access combined with network send.
src/tools/qa.js:10
Environment variable access combined with network send.
src/tools/qmd_search.js:64
Environment variable access combined with network send.
src/tools/recommend.js:16
Environment variable access combined with network send.
src/tools/rerank.js:12
Environment variable access combined with network send.
src/tools/summary.js:15
Environment variable access combined with network send.
src/unified_memory.js:39
Environment variable access combined with network send.
src/vector_lancedb.js:23
Environment variable access combined with network send.
src/agents/agent_memory.js:222
File read combined with network send (possible exfiltration).
src/agents/memory_agent.js:12
File read combined with network send (possible exfiltration).
src/api/rest_server.js:110
File read combined with network send (possible exfiltration).
src/api/simple_server.js:96
File read combined with network send (possible exfiltration).
src/cache_semantic.js:13
File read combined with network send (possible exfiltration).
src/cloud_backup_api.js:12
File read combined with network send (possible exfiltration).
src/collab/cloud.js:12
File read combined with network send (possible exfiltration).
src/collab/peer_registry.js:10
File read combined with network send (possible exfiltration).
src/collab/push.js:13
File read combined with network send (possible exfiltration).
src/config.js:5
File read combined with network send (possible exfiltration).
src/graph/knowledge_merger.js:140
File read combined with network send (possible exfiltration).
src/index.js:1688
File read combined with network send (possible exfiltration).
src/sync_incremental.js:14
File read combined with network send (possible exfiltration).
src/system/local_llm.js:24
File read combined with network send (possible exfiltration).
src/tools/autostore.js:259
File read combined with network send (possible exfiltration).
src/tools/concurrent_search.js:13
File read combined with network send (possible exfiltration).
src/tools/inference.js:12
File read combined with network send (possible exfiltration).
src/tools/qmd_search.js:13
File read combined with network send (possible exfiltration).
src/tools/recommend.js:13
File read combined with network send (possible exfiltration).
src/tools/rerank.js:9
File read combined with network send (possible exfiltration).
src/tools/summary.js:12
File read combined with network send (possible exfiltration).
src/unified_memory.js:281
File read combined with network send (possible exfiltration).
src/webui/dashboard.js:18
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
