ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jackal Memory

v0.1.0

Sovereign, recoverable memory for AI agents backed by Jackal decentralized storage.

1· 390·0 current·0 all-time
by@regan-milne
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, SKILL.md, and the included client.py align: the skill stores and restores memory via an HTTP API and requires JACKAL_MEMORY_API_KEY. A minor note: the BASE_URL and homepage point to a Railway deployment (web-production-5cce7.up.railway.app) rather than an official 'jackalprotocol' domain; this is not incoherent but is worth verifying with the author/operator.
Instruction Scope
Runtime instructions are scoped to save/load/provision operations against the stated API and to reading JACKAL_MEMORY_API_KEY. The instructions do cause agent memory content (plaintext) to be transmitted to the external service; they do not read local files or unrelated environment variables. Verify you are comfortable sending sensitive memory to that external host.
Install Mechanism
No install spec; this is instruction-only with a small Python stdlib client included. Nothing is downloaded or executed on install beyond the provided client.
Credentials
Only a single environment variable (JACKAL_MEMORY_API_KEY) is required, which matches the API-based behavior. No unrelated credentials or config paths are requested.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request persistent system-wide privileges or modify other skills' configurations.
Assessment
Before installing: confirm you trust the remote service at https://web-production-5cce7.up.railway.app because all saved memory content is sent there in plaintext via the provided client. If you handle secrets or personal data, consider: (1) testing with non-sensitive data first, (2) rotating any API key you provide, (3) checking whether the API key can be scoped or revoked, (4) asking the publisher for proof this is an official Jackal-backed service or for self-hosting instructions, and (5) reviewing the included client.py (it’s small and uses only stdlib) and your agent's logs to avoid accidental leakage of secrets. If you are uncomfortable trusting the endpoint, do not provide the API key or consider self-hosting an equivalent service.

Like a lobster shell, security has layers — review code before you run it.

decentralizedvk977a4ex9bnjksakphpfvaf8js81x4xwlatestvk977a4ex9bnjksakphpfvaf8js81x4xwmemoryvk977a4ex9bnjksakphpfvaf8js81x4xwpersistencevk977a4ex9bnjksakphpfvaf8js81x4xw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧠 Clawdis
EnvJACKAL_MEMORY_API_KEY

Comments