ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

starmemo

v2.0.0

智能记忆系统 v2.0 - 结构化记忆 + 知识库 + 启发式召回 + AI优化

1· 463·2 current·2 all-time
by@nandujia

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for nandujia/starmemo.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "starmemo" (nandujia/starmemo) from ClawHub.
Skill page: https://clawhub.ai/nandujia/starmemo
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install nandujia/starmemo

ClawHub CLI

Package manager switcher

npx clawhub@latest install starmemo
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description (智能记忆/知识库) align with the code's features (local memory, knowledge extraction, LLM calls). However there are inconsistencies: top-level starmemo.py saves raw inputs into memory_data/daily unconditionally (global autosave), while v2/storage.py uses a different memory/ directory structure. The README and SKILL.md describe selective/heuristic saving, but the top-level on_user_input implements unconditional saving for all platforms by default — this deviates from the stated behavior and is disproportionate to a 'selective memory' expectation.
!
Instruction Scope
SKILL.md and README describe selective triggers and a '可控联网' option to disable network fetches. In practice: the skill registers an on_user_input hook that will save every user input by default (ctx.get('config', {}) falls back to save=True). Network LLM calls are gated by API key and enable_ai flags, but config flags like allow_web_fetch exist yet are not consistently checked before making LLM requests (LLMClient checks enable_ai and api_key, not allow_web_fetch). That means disabling 'web' in config may not reliably prevent network calls if enable_ai and api_key are present. The instructions and the runtime behavior therefore disagree on when/what gets saved and when network access occurs.
Install Mechanism
No install spec in the registry but several modules (starmemo.py and v2/ai_processor.py) call an auto_install() that uses subprocess to pip install requests at import time. That performs network install and runs pip via subprocess during skill load — not ideal but limited to a single well-known package (requests). This is a moderate surprise for users expecting 'instruction-only' or no runtime installs.
Credentials
The skill does not request platform environment variables or external credentials at install time. LLM API keys are stored in a local .skill_config file (optionally persisted) rather than via declared env vars. That is proportionate for an LLM-backed memory tool, but note that API keys will be written to disk if 'persist_key' is enabled.
!
Persistence & Privilege
The skill is not marked always:true, but _meta.json registers a hook on_user_input and the code's on_user_input will automatically save all user inputs by default. That gives the skill broad write access to local storage (it writes memory files and a .skill_config). Because it's invoked on every user message, its effective persistence and data collection surface are larger than the SKILL.md's selective-trigger description — this increases privacy risk.
What to consider before installing
Key things to consider before installing: - Autosave behavior: by default the skill's on_user_input will save every user message to disk (memory_data/daily). This may differ from the README/SKILL.md's description of selective/heuristic saving. If you expect selective saving, review/modify the on_user_input logic or configuration before enabling it in production. - Network calls and API keys: the skill will call LLM endpoints if you enable AI optimization and provide an API key. API keys can be persisted to a local .skill_config file; do not enable persist_key if you don't want keys written to disk. Also confirm that setting 'web' or 'allow_web_fetch' actually prevents network access in your deployment — the code does not consistently check this flag. - Runtime pip install: the modules auto-install the 'requests' package via pip at import time (subprocess). If you run in constrained or audited environments, prefer pre-installing dependencies or inspect that behavior. - Storage inconsistency: the repository contains two different storage paths (memory_data/ used by top-level starmemo.py and memory/ used by v2/storage). That can lead to scattered data across directories — search your filesystem after testing to find where data is stored. - Recommended mitigations: run the skill in an isolated or dev environment first; set enable_ai=false and persist_key=false before hooking into production; inspect and (if needed) edit on_user_input to enforce selective saving triggers; review .skill_config after first run; and avoid sending sensitive secrets to the skill until you confirm its behavior. - If you want more assurance: ask the author for clarification about the autosave policy, the intended use of allow_web_fetch, and why two storage paths are used; or request a small patch that respects a single 'save' policy and that makes network access explicit and gated.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🧠 Clawdis
Binspython3
latestvk979gw47apaa0813z632t79qas82m4y9
463downloads
1stars
15versions
Updated 15h ago
v2.0.0
MIT-0
@nandujia
latest
Download

starmemo v2.0 - 智能记忆系统

核心特性

特性说明
📝 结构化记忆因→改→待 格式,一目了然
📚 知识库自动提取知识点,长期积累
🔍 启发式召回智能判断何时召回,精准检索
🧠 AI优化结构化提取、压缩、知识抽取
🌐 联网学习知识不足时可联网补全
🇨🇳 国内LLM火山、通义、文心、DeepSeek等

CLI 命令

# 保存记忆
python3 {baseDir}/v2/cli.py save --cause "原因" --change "做了什么" --todo "待办"

# 保存文本(自动提取结构)
python3 {baseDir}/v2/cli.py save --text "内容"

# 搜索
python3 {baseDir}/v2/cli.py search "关键词"

# 今日记忆
python3 {baseDir}/v2/cli.py show

# 知识库
python3 {baseDir}/v2/cli.py knowledge

# 配置
python3 {baseDir}/v2/cli.py config --show

触发时机

主动保存当:

  • 用户分享重要信息
  • 完成有价值的任务
  • 学习新知识
  • 用户说"记住"

主动召回当:

  • 用户说"之前"、"上次"、"那个"
  • 需要回顾历史

当前配置

  • 模型:火山方舟
  • AI优化:✅ 开启
  • 联网学习:✅ 开启
  • 持久化:✅ 开启

Comments

Loading comments...