Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Micro Memory
v4.0.2智能记忆系统,支持记忆添加、搜索、标签管理、强度追踪、复习提醒及统计健康报告。
⭐ 1· 91·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (intelligent local memory, search, spaced repetition, health reports) align with the included TypeScript/JS implementation. The code implements CLI commands (add/search/list/review/health/etc.), local JSON/markdown storage, linking, compression and archiving — all expected for this purpose. No unrelated credentials, binaries, or cloud integrations are requested.
Instruction Scope
SKILL.md describes local CLI usage and the repo structure; the runtime code follows those instructions and only executes local CLI operations. The instructions and code reference only the skill's store files and current working directory for exports. There are minor documentation inconsistencies (SKILL.md lists version 4.0.1 while registry is 4.0.2), but nothing expands scope to access system-wide secrets or remote endpoints.
Install Mechanism
No install spec is declared (instruction-only at registry level), and the package includes source and compiled dist files. SKILL.md suggests using npm install and npm run build if you want to build locally; there is no external download or installer that pulls code from an arbitrary URL. Risk from installation is standard for running a Node CLI (you must run npm locally to build/run if you choose).
Credentials
The skill requires no environment variables or external credentials. It reads/writes only to its own store directory (exports may be written to the current working directory). No env access beyond that is present in code. Users should avoid storing sensitive secrets in memories because those are persisted to disk and exported as JSON/CSV.
Persistence & Privilege
always is false and the skill does not request elevated system privileges. It persists data under the skill's store/ path and writes store.md and JSON files; this is expected behavior. The skill can be invoked autonomously by the agent (default), which is normal — there is no cross-skill configuration or system-level modification.
Assessment
This skill appears to do what it says: a local, file-backed memory CLI. Before installing, note: (1) it stores all memories in files under the skill's store/ directory and will write exported JSON/CSV to your current working directory — do not put passwords or private keys into memories you want kept secret; (2) SKILL.md recommends running npm install / npm run build if you want to build locally — standard Node workflow; (3) the skill does not contact external services or require credentials, so network exfiltration is not present in the reviewed code, but you should still inspect any future updates for new network calls or env var usage; (4) the documentation version number differs slightly from the registry metadata (minor); and (5) because agent autonomous invocation is allowed by default, be aware that trigger phrases could cause the skill to add/search/list memories without explicit manual CLI execution — if that is undesirable, disable autonomous invocation in your agent settings.bin/memory.js:21
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
knowledgevk977wnx464a9nqrarhh0a9pd6x84c53qlatestvk9749b44dktq9mk6h42500sc8x84cmgamemoryvk977wnx464a9nqrarhh0a9pd6x84c53q
License
MIT-0
Free to use, modify, and redistribute. No attribution required.