ClawHub

Claw Store Skill

v1.0.0

Sovereign, recoverable memory for AI agents backed by Jackal decentralized storage.

0· 312·1 current·1 all-time
by@regan-milne
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (recoverable agent memory backed by Jackal) match the implementation: the client encrypts data client-side and POSTs/GETs to the declared BASE_URL. Requiring JACKAL_MEMORY_API_KEY is proportional to accessing a remote storage API.
Instruction Scope
SKILL.md instructions align with the client.py implementation: it reads/writes an encryption key under ~/.config/jackal-memory/, reads JACKAL_MEMORY_API_KEY and optional JACKAL_MEMORY_ENCRYPTION_KEY, and provides save/load/usage commands. The instructions do not ask the agent to read unrelated files or exfiltrate other environment variables.
Install Mechanism
No install spec is included; this is an instruction-plus-script package. The only runtime dependency is the standard cryptography Python package (SKILL.md instructs pip install cryptography). No external downloads, archive extraction, or obscure install URLs are used.
Credentials
Only JACKAL_MEMORY_API_KEY (required) and JACKAL_MEMORY_ENCRYPTION_KEY (optional override) are used. This is proportional, but users must understand that the API key grants access to the remote service and that metadata (key names, sizes, CIDs) will be visible to that service even though content is AES-256-GCM-encrypted client-side.
Persistence & Privilege
The skill is not forced-always, is user-invocable, and does not modify other skills or system-wide settings. It writes a key file only under ~/.config/jackal-memory/ which is within its stated scope.
Assessment
This package appears to do what it says: it encrypts memories locally and sends ciphertext to a remote service. Before installing, consider: (1) Trust the remote host (https://web-production-5cce7.up.railway.app) because while it cannot read your plaintext, it will see key names, sizes, and CIDs and will accept requests guarded by your JACKAL_MEMORY_API_KEY. (2) Securely back up your encryption key — losing it makes data unrecoverable; leaking it lets an attacker decrypt stored memories. The client prints the key on keygen and will create ~/.config/jackal-memory/key, so avoid running keygen in shared logs or shells. (3) If you need stronger assurance, self-host the server endpoint or audit the server code; you can also review the included client.py (provided) to confirm no hidden behavior. (4) Do not store long-lived secrets in memories unless you accept the risk profile described above.

Like a lobster shell, security has layers — review code before you run it.

latestvk972m7yrrpp371846ttsmznj5h8211ww

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧠 Clawdis
EnvJACKAL_MEMORY_API_KEY

Comments