Back to skill
Skillv1.0.1
ClawScan security
Simplemem · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 21, 2026, 12:05 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requested resources and code match a memory wrapper that uses OpenAI embeddings when available and a local JSON fallback otherwise; nothing in the bundle appears to perform unrelated or covert actions.
- Guidance
- This skill appears to do what it claims, but consider the following before installing: 1) The wrapper will use your OPENAI_API_KEY to call external APIs (billing and data-sharing implications) — consider using a dedicated key or billing alerts. 2) SKILL.md recommends 'pip install simplemem' or cloning GitHub; review the upstream PyPI package and/or repository code before installing, because installing a pip package runs code from that package. 3) The manifest mentions a PowerShell CLI (simplemem.ps1) in docs but that file is not included — expect the included Python wrapper to be the provided functionality. 4) Memories are persisted locally under the skill's data directory (data/memories.json and possibly a lancedb); if this contains sensitive data, store it securely or clear it as needed. 5) If you need higher assurance, audit the upstream project (https://github.com/aiming-lab/SimpleMem) or run installations in an isolated environment (container/VM) first.
Review Dimensions
- Purpose & Capability
- okName/description, required binary (python), and the single required env var (OPENAI_API_KEY) align with a semantic-memory skill that optionally calls OpenAI for embeddings. The included Python wrapper imports a 'simplemem' package if present, otherwise falls back to local JSON — this is coherent with the stated purpose.
- Instruction Scope
- noteSKILL.md stays on-topic (install simplemem, set OPENAI_API_KEY, add/retrieve memories). Minor inconsistency: SKILL.md and README mention a PowerShell CLI (simplemem.ps1) and a PS usage example, but the manifest does not include simplemem.ps1. Also, the instructions recommend pip installing 'simplemem' or cloning the GitHub repo — installing that package will run third-party code (expected for this skill) so review the upstream package before installing.
- Install Mechanism
- noteThere is no automatic install spec in the registry (instruction-only), so nothing will be written automatically. The README suggests 'pip install simplemem' or cloning a GitHub repo (both common). That means the real runtime behavior depends on the external PyPI/GitHub package you choose to install; installing arbitrary pip packages has standard moderate risk and should be reviewed prior to use.
- Credentials
- okOnly OPENAI_API_KEY is required and used by the wrapper for the full feature set. That is proportionate for a memory system that uses OpenAI embeddings. No other secrets or unrelated env vars are requested.
- Persistence & Privilege
- okThe wrapper creates and writes to a local data directory (data/memories.json and a lancedb path if the upstream library is used). always:false and no system-wide config changes are requested. Persistent local storage of memories is expected for this skill; ensure you are comfortable with local retention of user data.