Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
memory-pro
v2.5.0This skill provides semantic search over your memory files using a local vector database.
⭐ 0· 623·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (local semantic search over memory files) match the included code (indexing, vector search, hybrid retrieval, CLI client). However the manifest marks many MEMORY_PRO_* and OPENCLAW_* environment variables as required (and labels them all as "Credential used by memory-pro") even though many are optional tuning/config values (rerank provider, rerank API key, ports, weights, flags). Marking HOME as the primary credential is incorrect: HOME is a path, not a secret credential. The large list of required env vars is disproportionate to a minimal local memory-search skill.
Instruction Scope
Runtime code and scripts read many user workspace files (memory markdowns, core files like MEMORY.md/AGENTS.md/USER.md), rebuild local FAISS indexes, and expose a local HTTP API. More importantly, the rerank path can post candidate documents (user memory sentences) to external rerank endpoints (e.g., Jina or an OpenAI-compatible endpoint) if reranking is enabled and configured—this allows exfiltration of indexed content. Validation script (v2/validate_phase1.sh) calls 'systemctl --user restart memory-pro.service', which tries to control a systemd user service (a scope/privilege escalation beyond simple local indexing).
Install Mechanism
No install spec is provided (instruction-only). The skill ships Python scripts and shell helpers but does not download arbitrary binaries from remote URLs during install. This is lower risk from an installation perspective.
Credentials
The manifest declares a very large number of required environment variables (many are tuning flags or optional: rerank provider/endpoint/API key/model, MMR flags, BM25 paths, etc.). Several of these (RERANK_API_KEY, RERANK_ENDPOINT, RERANK_PROVIDER) enable sending user data to external services if set—yet they are listed as required. Declaring HOME as the primary credential is incorrect and misleading. Required config paths include files under /skills/... and /tmp which increases the surface of files the skill expects to access.
Persistence & Privilege
The skill does not request always:true, and normally does not grant extra autonomous privileges — that is fine. However the validation script attempts to restart a user systemd service (systemctl --user restart memory-pro.service) which modifies system-level state. The start script also rebuilds the index and starts a local HTTP server (uvicorn) — normal for a service but it means the skill will write files (index, sentences.txt, bm25 payload) to disk and listen on a port. Combined with the rerank/external-call path, that increases the blast radius.
Scan Findings in Context
[pre-scan-injection-none] expected: Static pre-scan reported no injection signals. The absence of regex flags does not rule out data exfiltration risk because rerank.py explicitly POSTs candidate documents to external endpoints when enabled.
What to consider before installing
This package appears to implement a legitimate local semantic-search service, but it contains several red flags you should evaluate before installing or running it: 1) The manifest marks many environment variables as "required" (and calls them credentials) even though most are optional tuning flags — don't populate secrets blindly. 2) If you enable reranking (MEMORY_PRO_ENABLE_RERANK or set RERANK_PROVIDER/ENDPOINT/API_KEY), the service will send candidate sentences (your memory text) to the configured external endpoint — treat that as potential data exfiltration. 3) The code reads files across your workspace (memory markdowns and core files) and will write indexes and tmp files; review those paths and remove any bundled state before use. 4) Validation scripts try to restart a user systemd service (systemctl --user restart), which modifies system state — avoid running validation scripts that alter services unless you trust and inspected them. Recommended actions: run this in an isolated environment (container or throwaway VM), create a minimal .env that points to a test memory directory (not your real workspace), do not set rerank-related env vars or external endpoints unless you understand the data flows, and review/limit the configured MEMORY_PRO_DATA_DIR and core file list before building the index. If you need this skill but lack confidence, ask the publisher to: a) mark only truly required env vars as required, b) document rerank behavior clearly, and c) avoid requiring systemctl in validation scripts.Like a lobster shell, security has layers — review code before you run it.
latestvk974h5x54raayndvwqhm0dstes82zmxj
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsbash, lsof, openclaw, python, python3
EnvHOME, MEMORY_PRO_API_URL, MEMORY_PRO_BM25_PATH, MEMORY_PRO_BM25_WEIGHT, MEMORY_PRO_CANDIDATE_POOL, MEMORY_PRO_CORE_FILES, MEMORY_PRO_DAILY_SCOPE, MEMORY_PRO_DATA_DIR, MEMORY_PRO_DUAL_HIT_BONUS, MEMORY_PRO_ENABLE_MMR, MEMORY_PRO_HARD_MIN_SCORE, MEMORY_PRO_INDEX_PATH, MEMORY_PRO_LENGTH_NORM_ALPHA, MEMORY_PRO_LENGTH_NORM_ANCHOR, MEMORY_PRO_META_PATH, MEMORY_PRO_MMR_LAMBDA, MEMORY_PRO_MMR_SIM_THRESHOLD, MEMORY_PRO_MODE, MEMORY_PRO_PORT, MEMORY_PRO_RECENCY_HALF_LIFE_DAYS, MEMORY_PRO_RECENCY_WEIGHT, MEMORY_PRO_RERANK_API_KEY, MEMORY_PRO_RERANK_BLEND, MEMORY_PRO_RERANK_ENDPOINT, MEMORY_PRO_RERANK_MODEL, MEMORY_PRO_RERANK_PROVIDER, MEMORY_PRO_RERANK_SAMPLE_PCT, MEMORY_PRO_RERANK_TIMEOUT_MS, MEMORY_PRO_RERANK_TOPN, MEMORY_PRO_SCOPE_STRICT, MEMORY_PRO_SENTENCES_PATH, MEMORY_PRO_TIMEOUT, MEMORY_PRO_VECTOR_WEIGHT, OPENCLAW_HOME, OPENCLAW_NETWORK_DRIVE, OPENCLAW_WORKSPACE
Config.env, /skills/memory-pro/data/INDEX.json, /skills/memory-pro/data/state.json, /skills/memory-pro/v2/eval_queries.json, /tmp/memory_pro_benchmark.json, /tmp/memory_pro_hybrid.json, /tmp/memory_pro_vector.json, INDEX.json, args.json, eval_queries.json, r.json, response.json, state.json, v2/eval_queries.json
Primary envHOME
Environment variables
HOMErequired— Credential used by memory-pro.MEMORY_PRO_API_URLrequired— Credential used by memory-pro.MEMORY_PRO_BM25_PATHrequired— Credential used by memory-pro.MEMORY_PRO_BM25_WEIGHTrequired— Credential used by memory-pro.MEMORY_PRO_CANDIDATE_POOLrequired— Credential used by memory-pro.MEMORY_PRO_CORE_FILESrequired— Credential used by memory-pro.MEMORY_PRO_DAILY_SCOPErequired— Credential used by memory-pro.MEMORY_PRO_DATA_DIRrequired— Credential used by memory-pro.MEMORY_PRO_DUAL_HIT_BONUSrequired— Credential used by memory-pro.MEMORY_PRO_ENABLE_MMRrequired— Credential used by memory-pro.MEMORY_PRO_HARD_MIN_SCORErequired— Credential used by memory-pro.MEMORY_PRO_INDEX_PATHrequired— Credential used by memory-pro.MEMORY_PRO_LENGTH_NORM_ALPHArequired— Credential used by memory-pro.MEMORY_PRO_LENGTH_NORM_ANCHORrequired— Credential used by memory-pro.MEMORY_PRO_META_PATHrequired— Credential used by memory-pro.MEMORY_PRO_MMR_LAMBDArequired— Credential used by memory-pro.MEMORY_PRO_MMR_SIM_THRESHOLDrequired— Credential used by memory-pro.MEMORY_PRO_MODErequired— Credential used by memory-pro.MEMORY_PRO_PORTrequired— Credential used by memory-pro.MEMORY_PRO_RECENCY_HALF_LIFE_DAYSrequired— Credential used by memory-pro.MEMORY_PRO_RECENCY_WEIGHTrequired— Credential used by memory-pro.MEMORY_PRO_RERANK_API_KEYrequired— Credential used by memory-pro.MEMORY_PRO_RERANK_BLENDrequired— Credential used by memory-pro.MEMORY_PRO_RERANK_ENDPOINTrequired— Credential used by memory-pro.MEMORY_PRO_RERANK_MODELrequired— Credential used by memory-pro.MEMORY_PRO_RERANK_PROVIDERrequired— Credential used by memory-pro.MEMORY_PRO_RERANK_SAMPLE_PCTrequired— Credential used by memory-pro.MEMORY_PRO_RERANK_TIMEOUT_MSrequired— Credential used by memory-pro.MEMORY_PRO_RERANK_TOPNrequired— Credential used by memory-pro.MEMORY_PRO_SCOPE_STRICTrequired— Credential used by memory-pro.MEMORY_PRO_SENTENCES_PATHrequired— Credential used by memory-pro.MEMORY_PRO_TIMEOUTrequired— Credential used by memory-pro.MEMORY_PRO_VECTOR_WEIGHTrequired— Credential used by memory-pro.OPENCLAW_HOMErequired— Credential used by memory-pro.OPENCLAW_NETWORK_DRIVEoptional— Optional network drive/docs root.OPENCLAW_WORKSPACErequired— Credential used by memory-pro.