Skillv2.5.0

ClawScan security

memory-pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 29, 2026, 3:41 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code generally matches a local semantic-search tool, but there are notable inconsistencies and privileges (especially around required environment variables, a surprising primary credential, and optional external rerank calls) that you should review before installing.
Guidance: This skill appears to implement a local FAISS-based semantic search and is mostly coherent with that purpose, but take these precautions before installing or running it: 1) Do not treat HOME as a credential — the manifest wrongly marks HOME as the primary credential. 2) Review and create your own .env; do not reuse any bundled state or indexes. 3) If you enable reranking (MEMORY_PRO_ENABLE_RERANK), candidate sentences will be sent to the configured external endpoint (MEMORY_PRO_RERANK_ENDPOINT) and could expose sensitive memory content — disable rerank or omit the API key if you want to keep all data local. 4) Check all data paths (MEMORY_PRO_DATA_DIR, OPENCLAW_WORKSPACE) to confirm the skill will only index the files you expect; the code will traverse into your workspace and core files (e.g., MEMORY.md, AGENTS.md). 5) Be cautious running validation/start scripts: validate_phase1.sh attempts systemctl --user restart memory-pro.service and start.sh rebuilds the index and then runs the service locally. Run these scripts in an isolated environment or container first. 6) Prefer running the Python code in a sandbox (container or VM), inspect .env and rerank settings, and rebuild the index from your own corpus rather than using any prepackaged artifacts. If you want, provide the skill author or packaging with corrections (do not mark HOME as primary credential and make rerank vars optional) before using it with real personal data.

Review Dimensions

Purpose & Capability: noteThe name/description (local semantic search over memory files) matches the included scripts: FAISS index build, SentenceTransformer encoding, BM25 helpers, and a FastAPI search server. Requiring index path, data dir, BM25 and meta paths is reasonable. However, marking HOME as the primary credential is incoherent (HOME is not a secret credential) and many env vars are declared required even though the code provides defaults for them. Overall capability is consistent with the stated purpose, but the environment/credential declarations are disproportionate or mislabeled.
Instruction Scope: concernRuntime instructions and included scripts read user workspace files (core files like MEMORY.md, directories under OPENCLAW_WORKSPACE, extra md dirs) and write state/index files. This is expected for a memory indexer, but the preprocess path resolution (_resolve_path) can join paths to '../../../../' relative to the skill, meaning the skill will traverse into the user workspace and ingest many files. The validation script (validate_phase1.sh) also attempts systemctl --user restart memory-pro.service, which is outside a normal local-only skill lifecycle and could have side effects on the user's system. Additionally, the rerank flow will POST candidate sentences to third-party endpoints (jina or an openai-compatible endpoint) if reranking is enabled — this can transmit user memory content externally.
Install Mechanism: okNo install spec is provided (instruction-only with shipped scripts). That means nothing is automatically downloaded from external URLs during install — lower installation risk. However, the skill includes executable scripts that, if run (e.g., start.sh, validate_phase1.sh), will execute Python code and shell commands locally.
Credentials: concernThe skill declares a very large set of required env vars and marks HOME as the primary credential, which is misleading. Many of the env vars (RERANK API_KEY, ENDPOINT, PROVIDER, PORT, various tunables) are either optional in code or have sensible defaults. The rerank-related variables in particular have security implications because they permit sending candidate sentences to external services; yet SKILL.md lists RERANK API key and endpoint as required. This over-declaration and the mislabeling of HOME as the main credential are disproportionate and inconsistent with the code.
Persistence & Privilege: okThe skill does not set always:true and does not request system-wide persistent privileges in its manifest. It includes scripts that create and write local index/state files under the skill/workspace paths, which is expected for this functionality. The validate script's use of systemctl --user is noteworthy but does not appear to be enforced by the skill manifest itself.