Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Memory Crystal Private

v0.7.33

Search and manage the shared memory crystal. Use when user says "do you remember", "search memory", "remember this", "forget that", "memory status", "what do...

⭐ 0· 275·0 current·0 all-time

byParker Todd Brooks@parkertoddbrooks

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

high confidence

Purpose & Capability

The name/description promise a local, private shared-memory tool, but the repository and SKILL.md reference cloud relays, hosted MCP servers, OAuth, and multiple external embedding providers. The registry metadata declares no required env vars or credentials, yet the docs and code reference OPENAI_API_KEY, CRYSTAL_REMOTE_TOKEN, CRYSTAL_RELAY_URL, 1Password SA tokens, and other secrets — this mismatch is disproportionate and unexplained.

Instruction Scope

SKILL.md instructs the agent to run system-level install commands (npm -g), scaffold ~/.ldm/, install cron jobs, deploy hooks into other tools (Claude Code Stop hook, OpenClaw plugin), discover and read existing AI session files, and optionally install LDM OS and a local LLM. These runtime steps touch other tools' configuration, read local transcripts and workspace files, and install persistent capture processes — much broader scope than a simple 'search' helper.

ℹ

Install Mechanism

There is no formal install spec in registry metadata (instruction-only), but SKILL.md suggests installing from npm (npm install -g @wipcomputer/memory-crystal) or via an LDM OS installer. Installing a global CLI from npm is normal for a CLI tool, but the package includes many server/worker components (Cloudflare Worker, relay code) and native Cron/LaunchAgent setup. Because the repo contains executable scripts and cloud worker code, a code review is warranted before running the global install.

Credentials

Registry lists no required environment variables, but the documentation and code reference many environment variables and secrets (OPENAI_API_KEY, GOOGLE_API_KEY, CRYSTAL_RELAY_TOKEN/CRYSTAL_REMOTE_TOKEN, CRYSTAL_OLLAMA_HOST, 1Password SA tokens, etc.). The skill's declared requirements do not match what the runtime expects; it will need access to secrets and possibly a Cloudflare token if using hosted/self-hosted relays.

Persistence & Privilege

always:false (good), but the skill's install flow requests persistent system presence: cron jobs (capture every minute), LaunchAgents or background MLX servers, and hooks that modify other tools' config (~/.claude/settings.json, OpenClaw extension installs). It also proposes syncing entire ~/.ldm/ trees and setting up relay endpoints. The skill modifies other tools' configurations and sets up background processes — this is high-impact and should be approved by the user explicitly.

Scan Findings in Context

[system-prompt-override] unexpected: SKILL.md contains instructions that ask an agent to read install docs and follow step-by-step commands and to 'explain' and 'run dry-run' which can act as a prompt-injection pattern; this could be used to influence agent behavior beyond installing the tool. Treat SKILL.md text as potentially instructive to the agent and review carefully.

What to consider before installing

Plain-language next steps and cautions: - This package installs a local memory system that will capture and persist AI conversations automatically (cron + hooks) and can sync encrypted data via a cloud relay; installing it will add persistent processes and change other tools' configs (Claude Code, OpenClaw). - There are clear mismatches: the registry lists no required secrets, but the docs and code expect API keys and relay tokens (OpenAI, Google, Ollama host, Cloudflare tokens, 1Password SA token). Do not assume 'no env vars' — the tool will ask for or try to access keys. - The SKILL.md also contains prompt-like instructions that could influence an agent's behavior (prompt-injection pattern). Treat those agent-facing instructions cautiously and inspect before letting an agent run them autonomously. What you should do before installing: 1. Review the repo (or at least these files): SKILL.md, src/worker.ts, src/worker-mcp.ts, src/cc-poller.ts, src/cc-hook.ts, src/openclaw.ts, RELAY.md, README*.md, and scripts/ to understand what will run and what network endpoints are used. 2. Verify the package source before running npm install -g. Prefer installing in a disposable VM or container first. Avoid running global installs as root on your main machine until audited. 3. If you plan to enable multi-device sync or hosted relay, audit the relay configuration and tokens (Cloudflare Worker steps) and prefer self-hosting the relay if you need sovereignty. 4. Expect the installer to create ~/.ldm/ and cron/LaunchAgent entries; back up sensitive files and ensure you’re comfortable with persistent capture. Use the provided 'private mode' toggles and test 'crystal init --dry-run' first. 5. If you do not want any data to leave your device, ensure you set embedding provider to a local option (Ollama/MLX) and do not configure CRYSTAL_RELAY_URL/CRYSTAL_REMOTE_TOKEN or any cloud MCP options. 6. Consider source-reviewing the code that handles encryption/sync (src/crypto.ts, src/worker.ts) to confirm encryption claims (AES-256-GCM + HMAC-SHA256) and to find where keys are stored or read. If you want, I can: - Summarize the specific places in the code where network calls, key reads, or file-system writes happen. - Produce a short checklist of exact commands to run in a sandbox to observe behavior without network access. Confidence: high — the mismatches between declared requirements and runtime instructions are clear and meaningful.

✗

src/bridge.ts:20