ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Beta Agent Memory

v1.0.0

Long-term memory systems for AI agents. Implements vector memory, entity tracking, conversation summarization, and persistent context across sessions.

0· 50·1 current·1 all-time
by@1477009639zw-blip
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The description and SKILL.md consistently describe a memory system using ChromaDB, Pinecone, spaCy, LangChain, and PostgreSQL. However, the registry metadata declares no required environment variables, no install steps, and no code—yet the described capabilities normally require API keys, database connections, and package installs. That discrepancy (features that need external services but no declared credentials or installs) is incoherent.
!
Instruction Scope
SKILL.md tells the agent to extract and persist episodic/semantic/procedural memories, run entity extraction, periodic summarization, and use vector search. It gives no concrete runtime commands but implicitly instructs the agent to collect and store user data across sessions. There is no guidance on what to store/omit, PII handling, retention, encryption, or where/how data is persisted—this is open-ended and could lead to inappropriate or unexpected data collection.
Install Mechanism
There is no install spec and no code files (instruction-only). That minimizes direct disk-write/install risk. However, the skill references Python libraries and external services that would normally require installation or service setup; the absence of an install mechanism contributes to the coherence concerns but is itself low-risk.
!
Credentials
The skill claims to use hosted services (Pinecone) and databases (PostgreSQL) which typically require API keys, tokens, or connection strings, yet requires.env is empty and no primary credential is declared. Requiring no credentials is disproportionate to the stated functionality and makes the specification incomplete or misleading.
Persistence & Privilege
always is false (good). The skill's purpose is persistent long-term memory; that inherently grants it privacy-sensitive persistence across sessions if implemented. The registry allows autonomous invocation (default), which combined with persistent memory behavior raises privacy concerns—especially given the lack of declared storage or governance—but autonomous invocation alone is not a disqualifying issue.
What to consider before installing
This skill describes a memory system that would normally need service credentials (Pinecone API key, DB connection, etc.), installation steps, and explicit data-governance rules—but none are provided and the source/homepage is unknown. Before installing or enabling this skill, ask the publisher: Where is memory stored (local file/Chroma/Pinecone/Postgres)? What exact environment variables and permissions are required? How is sensitive data (PII) filtered, encrypted, and deleted? Who operates the storage (third party vs you)? Prefer a version that: lists required env vars, provides an install script or code repo, documents retention/consent policies, and supports a local-only mode (Chroma/embeddings stored locally) if you need privacy. If you handle sensitive data, avoid enabling this skill until provenance, storage, and credential details are provided or until you can review the implementation.

Like a lobster shell, security has layers — review code before you run it.

latestvk974g1bdbt3h77yzd7ytfz3bz183t49n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧠 Clawdis
Binspython3

Comments