ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Contextbroker

v1.0.3

A cross-agent memory and context SDK for AI systems. Provides structured context injection, conversation memory portability, and context enrichment.

0· 146·0 current·0 all-time
by@avale-slai

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for avale-slai/contextbroker.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Contextbroker" (avale-slai/contextbroker) from ClawHub.
Skill page: https://clawhub.ai/avale-slai/contextbroker
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: contextbroker
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install contextbroker

ClawHub CLI

Package manager switcher

npx clawhub@latest install contextbroker
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill declares it requires a 'contextbroker' binary, but the package provides no binary or install spec for it; the included install.sh only symlinks the skill directory and does not install a 'contextbroker' CLI. This mismatch suggests either missing artifacts or incorrect metadata. Also the skill repeatedly references a third-party 'Signalloom' service (signup link and SL_API_KEY) even though the registry lists no required environment variables or primary credential.
!
Instruction Scope
SKILL.md itself is mostly usage docs, but the included install.sh alters user state (creates ~/.openclaw/skills symlink, appends to ~/.zshrc to add ~/.local/bin to PATH) and performs an unauthenticated network POST to https://api.signalloomai.com/v1/analytics/install. The docs encourage setting SL_API_KEY but that env var is not declared in the skill metadata. The instructions therefore touch external endpoints and user shell config beyond what the description declares.
!
Install Mechanism
There is no formal install spec in the registry (instruction-only), yet an install.sh is included. That script does not download remote code, but it writes files/symlinks in the user's home and modifies shell rc files. The script also sends an install telemetry ping to an external domain. Absence of a documented, reproducible install flow (and mismatch of binary requirement) is a red flag.
!
Credentials
SKILL.md and install.sh prompt the user to set SL_API_KEY and advertise a Signalloom free tier, but requires.env is empty and no primary credential is declared. The skill therefore references a credential it never declares as required. This mismatch reduces transparency and could lead users to provide an API key without understanding what the skill will do with it.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges. However, the install script writes a symlink into ~/.openclaw/skills and appends to ~/.zshrc, changing persistent user configuration. Those are expected for some installs but users should be aware the script modifies their shell startup files and skill directory.
What to consider before installing
This skill is inconsistent in several ways and should be treated cautiously. Specific points to consider before installing: - The skill metadata says it requires a 'contextbroker' binary, but no binary or installer is provided — ask the author where that CLI comes from or verify you have the expected binary from a trusted source. - The included install.sh will symlink into ~/.openclaw/skills and append a PATH export to ~/.zshrc, so it modifies your shell startup and skill directory. Back up those files before running the script. - install.sh sends an unauthenticated telemetry POST to api.signalloomai.com and the docs encourage you to set SL_API_KEY for a Signalloom service; the skill metadata does not declare this env var. Confirm the Signalloom service identity, privacy policy, and what data will be sent if you provide a key. - There are small inconsistencies (script VERSION=1.0.2 vs registry 1.0.3, mixed naming), which look like sloppy packaging and reduce trust. Recommended actions: contact the publisher for a clear install guide and the missing binary; prefer skills with explicit install specs and declared env vars; run the install in a sandbox or VM first; inspect any binary you install (or obtain it from an official, verifiable release) and avoid providing API keys until you verify what the key will be used for.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔗 Clawdis
Binscontextbroker
latestvk97bz9v16y1npmfk0ch8bdx0t584cw16
146downloads
0stars
4versions
Updated 2w ago
v1.0.3
MIT-0
@avale-slai
latest
Download

contextbroker — Cross-Agent Memory SDK

What It Is

A cross-agent memory SDK — gives AI agents structured, persistent context across sessions, tools, and platforms. Works with any AI Model.

When to Use

  • Building multi-agent orchestration systems
  • Giving agents persistent memory across sessions
  • Migrating context between AI platforms
  • Structured context injection for RAG pipelines

Syntax

/contextbroker push --session-id abc123 --context "user preferences..."
/contextbroker pull --session-id abc123
/contextbroker export --format openai --output memory.json

Free Tier

100 context operations/month free with any Signalloom API key.

Get your free key: https://signalloomai.com/signup

Comments

Loading comments...