Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Memory System Optimizer

OpenCLAW memory system optimization - four-layer architecture + self-reflection + emotion recognition + task planning + 12 enhancements

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 415 · 4 current installs · 4 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill declares itself a memory-system optimizer, which justifies file-based memory scripts and configuration. However, it includes an unrelated billing module (scripts/billing.js) that talks to https://skillpay.me and expects SKILLPAY_API_KEY / SKILLPAY_SKILL_ID (not declared in the skill's required env). It also embeds an app token example in config-files/TOOLS.md. A free memory skill wouldn't normally include a charging/remote billing component or plaintext service tokens without explanation.
! Instruction Scope
SKILL.md and AGENTS.md instruct the agent to read and update many workspace files (SOUL.md, USER.md, MEMORY.md, memory/INDEX.md, today's memory files). That's expected for a memory skill, but AGENTS.md contains a high-risk line: 'Don't ask permission. Just do it.' — this encourages autonomous, wide-reaching file reads/edits. The runtime examples instruct running local scripts (memlog.sh, memory-decay.js, memory-gc.sh) which operate on ~/.openclaw/workspace/memory — reasonable for the purpose but potentially sensitive because the workspace can contain secrets. The skill does not explicitly instruct any data exfiltration, but config files include advice not to exfiltrate while also containing embedded tokens, creating contradictory signals.
Install Mechanism
No install spec; it's instruction + code files included in the package. That lowers installer risk since nothing will be downloaded at install time. Scripts are simple shell/Node scripts and the only external network call is in billing.js to skillpay.me (which runs only if executed).
! Credentials
Registry metadata claims no required env vars, but scripts/billing.js requires SKILLPAY_API_KEY and SKILLPAY_SKILL_ID to function (and will exit if missing), indicating an undocumented credential requirement. Additionally, config-files/TOOLS.md contains a hard-coded feishu app_token and other platform identifiers in plaintext — embedded credentials or config snippets in the skill files are a sensitive mismatch versus the 'no env vars required' claim.
Persistence & Privilege
always:false (normal) and disable-model-invocation:false (normal autonomous capability). Combined with AGENTS.md's 'Don't ask permission' wording and the skill's broad file-read/write instructions, there is an elevated risk if the skill is exercised autonomously. There is no code that modifies other skills or system settings, and no 'always:true' flag, so persistence/privilege is not excessive by metadata, but behavior guidance inside files encourages broad autonomous actions.
What to consider before installing
This skill is mostly coherent as a file-based memory assistant, but there are red flags you should address before installing or running scripts:
1) Remove or audit scripts/billing.js — it calls an external billing API (skillpay.me) and expects API credentials that the skill metadata doesn't declare; if you don't intend monetization, delete that file.
2) Treat config-files/TOOLS.md as potentially leaking secrets: it includes a Feishu app_token and other identifiers in plaintext — remove or replace these with placeholders.
3) If you allow the agent to run scripts, run them first in a sandboxed account or container; verify they don't send data externally.
4) Search the package for other hardcoded tokens or endpoints.
5) Consider restricting autonomous invocation or requiring explicit confirmation for any operation that sends data externally, charges money, or modifies files outside a narrow memory directory.
If you want, I can produce a minimal-safe variant of the skill (remove billing, scrub tokens, tighten AGENTS.md wording) or create a checklist of exact changes to make before use.

Like a lobster shell, security has layers — review code before you run it.

Current version: v2.0.1
latest vk975c9cba05w2btwp07fdkxxcs82fcnp

SKILL.md

Memory System Optimizer

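OpenCLAW memory system optimization Skill v2.0, based on Ray Wang's hands-on experience + 12 enhancements

New in v2.0

| # | Feature | Directory/File |
|---|---------|----------------|
| 1 | Four-layer memory architecture | short-term/semantic/confidence/ |
| 2 | Self-reflection and metacognition | reflections/ + confidence/ |
| 3 | Dynamic knowledge integration | knowledge/ |
| 4 | Emotion recognition | emotions/ |
| 5 | Active learning | AGENTS.md |
| 6 | Task planning and monitoring | tasks/ |
| 7 | Privacy and data governance | privacy/ |
| 8 | Explainability | explainability/ |
| 9 | Elasticity and adaptation | elastic/ |
| 10 | Continuous evolution | evolution/ |
| 11 | Collaboration and sharing | collaboration/ |
| 12 | Multimodal capabilities | (pending integration) |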

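Core features

1. Four-layer memory architecture

  • Short-term: memory/short-term/ - current session tasks, temporary variables
  • Episodic: memory/YYYY-MM-DD.md - important interactions along a timeline
  • Semantic: memory/semantic/ - knowledge graph, fact base
  • Long-term: MEMORY.md - curated memories

2. Automatic decay mechanism

  • Hot/Warm/Cold temperature model
  • Automatically archives expired memories

3. Self-reflection mechanism

  • Automatic review after task completion
  • Confidence assessment (proactively requests clarification when <50%)

4. Emotion recognition

  • Recognizes the user's emotions and adjusts the response style

5. Task planning

  • Automatically breaks down complex tasks
  • Real-time status tracking

Installation and configuration

No charge; completely free to use.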

Usage

# Write a log entry (arguments: title, content)
memlog.sh "标题" "内容"

# Refresh memories
node memory-decay.js

# Archive
./memory-gc.sh

Tech stack

  • OpenCLAW
  • Markdown files
  • Shell scripts
  • Node.js

Author

Odin (Chief Helmsman)

Files

34 total