灵芯派记忆守护者 为OpenCode AI助手提供记忆持久化,专为灵芯派低资源环境设计,支持Gitee云端同步
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can read the installed memory files, agent context, or synced repository could learn this login credential; if it is real, it may enable unauthorized device access.
The persistent memory template contains a real-looking device username and password, which is sensitive credential material rather than ordinary context.
| 用户/密码 | zmrobo / zmrobo |
Remove passwords from MEMORY.md and INDEX.md before installing or syncing, rotate the password if it is real, and keep credentials in a password manager or secret store rather than agent memory.
Sensitive notes, system details, or credentials stored in the memory directory can be uploaded to Gitee/GitHub and preserved in Git history.
When invoked, the sync script stages every file in ~/.opencode-memory and pushes it to the configured remote, with no filtering or diff review step.
git add . ... git push origin master
Use a private repository, run git status/git diff before syncing, add secret exclusions or secret scanning, and avoid syncing any files that contain passwords or private operational details.
Running the installer changes files under your home directory and creates a persistent local Git repository.
The installer is a shell script that creates a local memory directory, copies files, and initializes a Git repository. This is visible and purpose-aligned, but it is still local code execution.
mkdir -p "$MEMORY_DIR" ... cp "$SKILL_DIR/"*.md "$MEMORY_DIR/" ... git init
Review the script before running it and run it only as your normal user account, not with elevated privileges.