Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Project Trident

v1.2.0

Three-tier persistent memory architecture for OpenClaw agents. Implements LCM-backed durability, hierarchical .md file organization, and agentic signal routi...

by Shiva&G @shivaclaw
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (persistent memory: LCM, router, .md buckets) align with the files and instructions. The SKILL.md, deployment guide, and prompt template all describe reading/writing local memory files, a SQLite LCM DB, and creating a cron-based router — behaviours expected for a local memory system.
! Instruction Scope
The runtime instructions direct agents to read and write workspace files (~/.openclaw/workspace, ~/.openclaw/lcm.db), copy and load an AGENT-PROMPT.md, and add WAL/Writing rules to an agent system prompt. Shipping prompt templates, advising users to inject them into an agent/system prompt, and having a cron job read those prompts is functionally coherent, but it is also a common prompt-injection vector: the skill's own templates can override or strongly shape agent/system behaviour. The pre-scan flagged a 'system-prompt-override' pattern inside SKILL.md/prompt template, which supports this concern.
Install Mechanism
Instruction-only skill with no install spec or code downloads. That is the lowest installation risk — nothing is written by an automated installer. All actions require explicit user steps (edit openclaw.json, create cron jobs, copy prompt files).
Credentials
No required environment variables or credentials are declared. Optional sections mention backing up to GitHub (SSH) and using Qdrant Cloud (API key) or VPS snapshots; these are optional and reasonable for backups/semantic recall, but you should not supply keys unless you intend to use those integrations. The skill does instruct reading local config files (openclaw.json, lcm.db), which is proportionate for a local memory manager, but these files hold sensitive data, so treat them accordingly.
Persistence & Privilege
Skill metadata does not set always:true and is user-invocable. However, the documentation explicitly tells users how to create autonomous cron jobs (Layer 0.5) that will run periodically and load prompt files/templates. While autonomous cron agents are necessary for the advertised feature, this increases the attack surface if the prompt/template is malicious or contains unsafe directives.
Scan Findings in Context
[system-prompt-override] expected: The skill ships a Layer 0 agent prompt template and explicitly recommends adding WAL and routing rules to the agent/system prompt. Providing prompt templates is expected for a memory router, but the pattern matches a prompt-injection heuristic: the template instructs agents how to behave and suggests adding items to system prompts which can alter agent privileges and behavior. Treat the template as untrusted until reviewed.
What to consider before installing
This skill is coherent with its stated goal (local durable memory) but contains template prompts and instructions that tell you to modify or load agent/system prompts and to create autonomous cron agents that will read those prompts. Before installing:
1) Manually inspect the scripts/AGENT-PROMPT.md and WAL protocol text; do not blindly paste into your system prompt.
2) Run Trident in an isolated/test workspace first (not your main environment) and avoid giving optional external API keys (GitHub, Qdrant) until needed.
3) If you create the cron job, limit its session/permissions and review its payloads; consider running it under a dedicated user account.
4) Back up ~/.openclaw/lcm.db and memory files before enabling, and test behavior with harmless inputs.
If you are not comfortable reviewing prompt templates yourself, ask a trusted developer to audit AGENT-PROMPT.md for directives that would escalate privileges or exfiltrate data.
! references/deployment-guide.md:239
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

Tags: RAG, identity, latest, learning, lossless, memory, self-improvement, semantic
