Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

River Memory

v1.0.0

Store and semantically search text memories locally using Ollama with automatic management and optimization.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code's purpose (store/search local embeddings via Ollama) matches the skill description. However, the declared metadata lists no required binaries while index.js spawns the external 'curl' command — an undeclared dependency. Also, SKILL.md mentions a storage file path but the code uses different paths (Python files use ~/.openclaw/workspace/memory/vector-memory.json while index.js uses ./memory/vector-memory.json), and SKILL.md has a small filename mismatch ('vector memory.json' vs 'vector-memory.json'). These mismatches leave the code inconsistent with the registry metadata and documentation.
Instruction Scope
SKILL.md describes using local Ollama and the nomic-embed-text model and a memory file; the code follows that. But import_memories.py explicitly reads several workspace files (MEMORY.md, SOUL.md, USER.md, IDENTITY.md) and imports their contents — SKILL.md did not enumerate these inputs. index.js and the Python CLI send user/workspace content to the local Ollama HTTP endpoint; while local-only, this means the skill will read and transmit potentially sensitive workspace files to the local service. That behavior is broader than SKILL.md's brief description and should be made obvious to users.
Install Mechanism
This is an instruction-only skill (no installer) which reduces disk-level risk. However, index.js relies on an external 'curl' binary invoked via child_process.spawn with shell:true rather than using an internal HTTP client; this creates both an undeclared dependency and an unnecessary use of a shell, increasing risk of command-line injection or unexpected behavior if inputs are not properly escaped.
Credentials
The skill requests no environment variables or external credentials, which is proportionate. It does, however, read files from the user workspace (~/.openclaw/workspace and process.cwd()/memory) that may contain sensitive personal data (USER.md, IDENTITY.md, etc.). Those file reads are local and logically related to a memory tool, but the exact files imported are not called out in SKILL.md.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does write and read its own memory file(s) but does not attempt to modify other skills or system-wide agent settings. Persistence level is appropriate.
What to consider before installing
Summary of risks and next steps:

- What this does: stores and semantically searches local text by calling your local Ollama instance (http://localhost:11434) and saving embeddings + content to a JSON memory file.
- Main concerns:
  - index.js invokes the external 'curl' command via a shell (child_process.spawn with shell:true). This is an undeclared binary dependency and can be unsafe if inputs are not escaped, possibly enabling command injection in some scenarios. Prefer using an HTTP library instead of shelling out.
  - Inconsistent storage paths: Python files use ~/.openclaw/workspace/memory/vector-memory.json while index.js writes to ./memory/vector-memory.json. Decide which path is authoritative or you may end up with scattered memory files.
  - SKILL.md does not list the specific workspace files import_memories.py reads (MEMORY.md, SOUL.md, USER.md, IDENTITY.md). Those files can contain sensitive information; the importer will read and send their contents to the local Ollama service.
  - Metadata omitted required binary ('curl'); the registry shows no required binaries despite the code depending on one.
- Recommendations before installing:
  1. Inspect the workspace files listed in import_memories.py and remove or redact sensitive data you do not want indexed.
  2. If you plan to use the Node component, ensure 'curl' is available or modify index.js to use a proper HTTP client (fetch/axios) to avoid shell usage.
  3. Decide which memory file path you want and update the files to be consistent (or run only the Python or Node implementation, not both).
  4. Run the skill in an isolated environment/container if you are unsure about privacy implications.
  5. If you need more assurance, ask the author for a brief justification for using shell curl and for correcting the path/metadata inconsistencies.

Given these implementation issues (undeclared dependency, shell usage, and path mismatch) the skill is suspicious rather than clearly benign.
If you understand and accept the risks and can apply the recommended mitigations, the functionality itself appears local and not overtly malicious.
