ClawHub

Jackal Skill

v1.0.1

Sovereign, recoverable memory for AI agents backed by Jackal decentralized storage.

0· 317·0 current·0 all-time
by@regan-milne
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description ask for a networked memory store; the skill requires a JACKAL_MEMORY_API_KEY and the client.py contacts the declared BASE_URL to save/load data. The env var and endpoints align with the stated purpose.
Instruction Scope
SKILL.md and client.py keep scope to storing and retrieving encrypted blobs. The client enforces client-side AES-256-GCM encryption before network transmission. Note: the client auto-generates and writes an encryption key to ~/.config/jackal-memory/key and prints it to stderr (one-time message); copying that key between machines as instructed can leak the key if not done carefully.
Install Mechanism
No install spec / no archive downloads. The only declared dependency is the cryptography Python package (pip install cryptography), which is appropriate for local AES-GCM encryption. The package choice and lack of external installers are proportionate.
Credentials
Only JACKAL_MEMORY_API_KEY is required (with an optional JACKAL_MEMORY_ENCRYPTION_KEY override). These env vars are directly relevant to the described service; no unrelated credentials or system paths are requested.
Persistence & Privilege
The skill is not always-loaded and can be invoked by the user. It writes its own key file under the user's ~/.config/jackal-memory directory (expected for this use) and does not request broader system or other-skill configuration access.
Assessment
This skill appears internally coherent, but you should verify you trust the remote service before use. Practical precautions: (1) confirm the BASE_URL/host is legitimate (the bundle points to a railway.app deployment with no other homepage or owner info); (2) treat the encryption key as highly sensitive—do not paste it into chats or public logs and be careful when copying it between machines since the client prints it and writes it to disk; (3) consider auditing the remote service or self-hosting if you plan to store sensitive secrets in memory; (4) running the client will make outbound requests to the stated URL using your API key—only proceed if you trust that endpoint.

Like a lobster shell, security has layers — review code before you run it.

latestvk97efsdqnwcsryzdcrw3j55hph821xyq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧠 Clawdis
EnvJACKAL_MEMORY_API_KEY

Comments