Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
MemOS Dreaming
v1.0.0
Automatically consolidates daily memories by scoring and filtering entries from MemOS SQLite and daily logs, writing top insights to MEMORY.md each morning.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description claim to consolidate MemOS SQLite + daily logs and write to MEMORY.md; the included Python scripts read ~/.openclaw/memos-local/memos.db and ~/.openclaw/workspace memory files and write DREAMS.md / MEMORY.md / AUDIT.md / promoted.jsonl under ~/.openclaw/workspace — these file and path accesses are proportionate to the stated purpose and no unrelated services/credentials are requested.
Instruction Scope
SKILL.md instructs running the two Python scripts (dry-run vs --apply) and describes cron scheduling. The runtime instructions and code match: they scan the SQLite DB and recent memory markdown files and generate drafts/audits. However the scripts include an '--apply' mode (and audit --apply) that will modify MEMORY.md and perform automatic cleanups; this is expected given the description but is potentially destructive if used without review.
Install Mechanism
No install spec (instruction-only) — lowest install risk. The skill provides Python scripts that will be executed directly; there are no downloads from external URLs or package installs. Users should ensure they run these local scripts with a trusted Python interpreter.
Credentials
The skill requests no environment variables, no external credentials, and only operates on local files within the user's home (~/.openclaw). That access is appropriate for a local memory-consolidation tool.
Persistence & Privilege
The skill is not marked 'always:true' and does not attempt to modify other skills' configuration. It suggests cron scheduling but does not appear to auto-register itself; autonomous invocation remains platform-default. It will create/modify files under its own workspace area (DREAMS.md, MEMORY.md, .memos-dreaming), which is within its scope.
What to consider before installing
What to consider before installing/running this skill:
- Back up your data first: make manual backups of ~/.openclaw/workspace/MEMORY.md and ~/.openclaw/memos-local/memos.db before running this skill or audit with --apply. The scripts will write to MEMORY.md and the audit's --apply mode can remove/modify entries.
- Run dry-run first: use the default (no --apply) to produce DREAMS.md and AUDIT.md, then manually inspect those files before allowing changes.
- Review the shipped code: the package has no published homepage or known owner. I found multiple code-quality issues in the audit script (e.g., typos such as a stray space before strftime and an incomplete statement toward the end of the file) that will likely cause runtime errors; fix or review the code before using --apply.
- No network exfiltration seen: the scripts operate locally (SQLite and markdown files) and contain no obvious HTTP/network calls or credential exfiltration. Still, because the source/owner is unknown, review the full scripts for any later modifications before trusting them.
- Prefer local execution under controlled conditions: run the scripts as your user (not root), inspect outputs, and optionally run in a sandbox or VM if you want extra isolation.
If you want, I can:
- point out specific lines to fix in the audit script so it runs cleanly, or
- produce a short checklist of the exact backup commands to run before first execution.
Like a lobster shell, security has layers — review code before you run it.
