Rookie Memory
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The memory skill is mostly coherent, but it under-discloses that it reads local OpenClaw/Zhiyi credentials and sends stored memory text to an external embedding API.
Install only if you trust the publisher and are comfortable with saved conversation memories being persisted locally and sent to the configured Zhiyi/BigModel embedding service. Use a scoped API key, avoid saving sensitive data, review the memory directory regularly, and run cleanup in dry-run mode before deleting anything.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings for this skill version.
- Malicious: 0
- Suspicious: 0
- Harmless: 0
- Undetected: 64
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may use an existing provider API key from the user's OpenClaw configuration without the registry metadata making that dependency clear.
The code reads local OpenClaw auth/profile configuration to obtain a Zhiyi API key, while the provided metadata declares no required credentials or config paths.
config_path = Path('/root/.openclaw/openclaw.json') ... ZHIYI_API_KEY = profile.get('apiKey', '')
Require explicit credential declaration and user consent, and use a scoped API key intended only for this memory embedding use.
Conversation memories or other stored text may leave the local workspace and be processed by a third-party model provider.
Memory text is sent to an external, environment-configurable embedding API, even though the skill description emphasizes a local ChromaDB vector store.
ZHIYI_BASE_URL = os.environ.get('ZHIYI_BASE_URL', 'https://open.bigmodel.cn/api/paas/v4') ... data = {"model": "embedding-3", "input": text} ... requests.post(url, headers=headers, json=data, timeout=30)
Disclose the remote provider call clearly, let users opt out or configure it explicitly, and avoid storing highly sensitive information unless the provider is trusted.
Incorrect, sensitive, or prompt-like content saved as memory could be reused in later conversations.
The skill intentionally persists memories and reloads them into future sessions, which is purpose-aligned but creates persistent context that can affect later agent behavior.
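New conversation starts: run `bootstrap` to load L0 permanent memories + L1/L2 memories and inject relevant context ... Conversation ends: save important information to long-term memory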
Review stored memories periodically, keep sensitive data out of memory, and add safeguards so retrieved memories are treated as context rather than trusted instructions.
Running cleanup may remove memories the user expected to keep.
The cleanup workflow can delete stored memory records, although it is documented, scoped to the memory store, and includes a dry-run option.
# Preview mode (nothing is actually deleted)
python3 scripts/memory_manager.py cleanup --dry-run
# Run the cleanup
python3 scripts/memory_manager.py cleanup
Use dry-run first and require explicit user approval before deleting memory records.
Users have less certainty that the packaged files and registry listing come from the same publisher identity.
The embedded metadata differs from the registry metadata shown for owner ID and slug casing, creating a provenance ambiguity for a skill that handles persistent memory and provider credentials.
"ownerId": "kn7fdbpcjk5wrh57z27cgemfh1818x21", "slug": "rookie-Memory"
Verify the publisher and prefer a package with consistent registry and embedded metadata before granting it access to memory or credentials.
