Back to skill
Skillv2.0.0
ClawScan security
Rookie Memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousMar 12, 2026, 4:56 AM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill appears to implement a plausible three-tier memory manager, but it reads OpenClaw configuration files and attempts to obtain API keys and call an external embedding endpoint without declaring those requirements—this mismatch and the hardcoded platform paths are concerning.
- Guidance
- This skill mostly does what it says (manages short/medium/long memories and uses embeddings + ChromaDB), but it also looks for OpenClaw platform credentials and will call an external embedding API by default. Before installing or running it: (1) inspect scripts/memory_manager.py yourself and confirm you're comfortable with it reading /root/.openclaw/openclaw.json (or run it in an isolated container or sandbox); (2) if you don't want the skill to use external providers, set ZHIYI_API_KEY to an empty value and/or change the embedding call to a local/no-op; (3) ensure the workspace path and virtualenv references are appropriate for your environment (the code uses hardcoded /root/.openclaw paths); (4) audit the OpenClaw config file for secrets and restrict permissions if necessary. If you cannot verify these things, treat the skill as potentially risky and avoid running autosave/cleanup operations that write/read platform config or send data externally.
Review Dimensions
- Purpose & Capability
- concernThe skill's stated purpose (short/medium/long-term memory management) justifies use of embeddings and a local vector DB (ChromaDB). However, the code attempts to read /root/.openclaw/openclaw.json to extract a ZHIYI API key and defaults to calling an external embedding service (open.bigmodel.cn). The registry metadata declares no required environment variables or config paths, so accessing the platform config and external model provider is disproportionate to what was declared.
- Instruction Scope
- concernSKILL.md instructs running the included script and mentions using a venv with chromadb, and file IO under a workspace memory folder. The runtime code goes further: it will try to read OpenClaw's config file to extract API keys and will POST text to an external embedding API. Those actions (reading platform config, using discovered credentials, and outbound network calls) are not clearly documented in SKILL.md and expand the agent's scope beyond local memory management.
- Install Mechanism
- noteThere is no install spec (instruction-only + included script), so nothing is automatically downloaded or installed. The Python script depends on requests and chromadb; SKILL.md examples reference a specific virtualenv path. Lack of declared dependencies is a quality/operational issue but not an installation red flag by itself.
- Credentials
- concernRegistry metadata lists no required environment variables or config paths, yet the code reads environment variables (ZHIYI_BASE_URL, ZHIYI_API_KEY) and, if not set, opens /root/.openclaw/openclaw.json to find API keys. This accesses potentially sensitive credentials belonging to the platform or other skills without disclosure. The script will use any discovered API key to call an external embedding service, which could lead to credential use/exfiltration if unexpected.
- Persistence & Privilege
- noteThe skill does not request always: true and is user-invocable. It writes memory files under a workspace (default /root/.openclaw/workspace/memory) and creates collections in a local ChromaDB path. That per-skill storage is expected. The concern is that it also reads a platform-level config file (/root/.openclaw/openclaw.json), touching configuration outside its own storage scope.