Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Memoria
v0.2.0Use Memoria as OpenClaw's durable memory slot. Triggers: "remember this", "save to memory", "what do you remember", "continue from last time", "forget this",...
⭐ 0· 74·0 current·0 all-time
byi.an@randomradio
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name, description, and runtime instructions consistently describe using Memoria as OpenClaw's durable memory and map to the listed memory_* operations. However, the SKILL.md and setup docs reference API_URL/API_KEY/EMBEDDING_API_KEY and explicit plugin installation steps that are not reflected in the registry's declared requirements (registry lists no required env vars or binaries). This mismatch between declared requirements and the documented onboarding is unexpected.
Instruction Scope
The runtime instructions focus on retrieving, storing, correcting, and managing memory via memory_* tools and are scoped to the stated purpose. The setup instructions (in references/setup.md) include network operations (git clone, and a curl | bash installer) and request API keys for cloud/local backends; these are related to enabling the plugin but broaden the surface the operator must trust.
Install Mechanism
The registry has no formal install spec, but the included setup docs recommend: (a) openclaw plugin install (safe/expected) and (b) optionally cloning from GitHub or running curl -sSL https://raw.githubusercontent.com/.../install.sh | bash. Piping a remote install script to bash is a high-risk install mechanism because it executes unreviewed code fetched at runtime. The git clone fallback is less risky but still pulls code from an external repo. The instructions do not provide cryptographic verification or pinned release URLs.
Credentials
The skill registry declares no required environment variables or primary credential, but the SKILL.md and setup docs explicitly reference MEMORIA_API_URL, API_KEY, and EMBEDDING_API_KEY for cloud and embedded modes. Asking for API keys and endpoints is proportionate to a memory plugin, but the mismatch (documentation requires secrets while registry metadata lists none) is a coherence problem and a user-config/expectation risk.
Persistence & Privilege
The skill does not request always:true and does not declare modifications to other skills or system-wide settings. It is user-invocable and allows autonomous invocation (the platform default). Nothing in the skill requests elevated persistence beyond normal plugin behavior.
What to consider before installing
This skill appears to do what it says (use Memoria as durable memory) but pay attention before installing: 1) The SKILL.md/setup docs ask you to supply MEMORIA_API_URL/API_KEY and an embedding key — those secrets are required for cloud/embedded operation but were not declared in the registry metadata; confirm where those keys will be stored and which network endpoint you will trust. 2) The setup doc suggests running a remote install script via curl | bash; avoid piping unknown scripts into your shell unless you audit the script or use a vetted release. 3) Prefer installing via the official openclaw plugin registry or a checked GitHub release and verify signatures or pinned commit SHAs where possible. 4) Review the upstream Memoria repo (https://github.com/matrixorigin/Memoria) and its install scripts before running them. 5) If you will store sensitive data, ensure the Memoria backend and API endpoint meet your security and privacy requirements. If you want higher confidence, ask the publisher to: add declared env vars to the registry metadata, include a vetted install spec, and avoid recommending curl|bash in their user-facing docs.Like a lobster shell, security has layers — review code before you run it.
latestvk970k15263f8kx31svykqc3ygn83mhk4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🧠 Clawdis