灵芯派记忆守护者 为OpenCode AI助手提供记忆持久化,专为灵芯派低资源环境设计,支持Gitee云端同步
PassAudited by VirusTotal on Apr 30, 2026.
Overview
Type: OpenClaw Skill Name: opencode-lingxin-memory1 Version: 1.0.0 The skill bundle is designed to provide persistent memory for an AI agent on 'SmartPi' hardware by syncing local markdown files to a Gitee repository. It is classified as suspicious because INDEX.md and MEMORY.md contain plaintext system credentials (zmrobo/zmrobo) and network details, which the sync.sh script is designed to automatically commit and push to a remote Git server. While this appears to be a convenience feature for the user, it creates a high risk of accidental credential exposure if the user configures a public repository.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can read the installed memory files, agent context, or synced repository could learn this login credential; if it is real, it may enable unauthorized device access.
The persistent memory template contains a real-looking device username and password, which is sensitive credential material rather than ordinary context.
| 用户/密码 | zmrobo / zmrobo |
Remove passwords from MEMORY.md and INDEX.md before installing or syncing, rotate the password if it is real, and keep credentials in a password manager or secret store rather than agent memory.
Sensitive notes, system details, or credentials stored in the memory directory can be uploaded to Gitee/GitHub and preserved in Git history.
When invoked, the sync script stages every file in ~/.opencode-memory and pushes it to the configured remote, with no filtering or diff review step.
git add . ... git push origin master
Use a private repository, run git status/git diff before syncing, add secret exclusions or secret scanning, and avoid syncing any files that contain passwords or private operational details.
Running the installer changes files under your home directory and creates a persistent local Git repository.
The installer is a shell script that creates a local memory directory, copies files, and initializes a Git repository. This is visible and purpose-aligned, but it is still local code execution.
mkdir -p "$MEMORY_DIR" ... cp "$SKILL_DIR/"*.md "$MEMORY_DIR/" ... git init
Review the script before running it and run it only as your normal user account, not with elevated privileges.