ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CXM: Neural Memory for Agents

Use this skill when you need to understand the architecture of a codebase, perform semantic searches across files, map dependencies before refactoring, or in...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 91 · 0 current installs · 0 all-time installs
by@joeavaib
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the main code: semantic search, dependency mapping, and ingestion. The repository includes a full CLI and RAG engine implementing those capabilities (src/core/rag.py, src/cli.py, tools). However the docs and code also describe integrating system state and third-party CLI session files (Gemini/Claude), cloning remote repos, and auto-updating a background watcher — behaviors that are broader than a simple 'codebase understanding' tool and should be expected but explicitly reviewed.
!
Instruction Scope
SKILL.md and other docs instruct the agent to run the bundled CLI (python src/cli.py --agent-mode) which will: recursively read the project to build an index (~/.cxm), download models from HuggingFace on first run, optionally run a background watcher that updates the index on file saves, patch files respecting .cxm.yaml rules, and gather context from other tool locations (docs mention reading ~/.gemini/tmp/partner/chats/ and ~/.claude/projects/). The skill therefore reads files and session histories outside the immediate project scope and can modify files — these are significant scope expansions that the user should expect and control.
!
Install Mechanism
There is no automatic install spec in the registry entry (instruction-only), which reduces platform-level install risk. However the package metadata and requirements.txt recommend installing heavy dependencies and include -e git+ssh/git+https editable installs pointing to personal GitHub repositories (e.g., Joeavaib/partner and other -e entries). If a user follows docs to pip install, that will pull code from external repos and many third-party packages (faiss, sentence-transformers, huggingface_hub, Google/Anthropic clients etc.). Those remote/editable installs and the large dependency set increase supply-chain risk and deserve manual review.
Credentials
The skill declares no required environment variables or credentials. That aligns with local-only operation. Nevertheless, behavior in code/docs will access local Git and may clone remote GitHub repos (using the user's git config/SSH keys) and will download models from HuggingFace (network activity). The tool also scans files for secrets (masking), but it can read unrelated session files (Gemini/Claude) and system/git status — this is broader access than just source files and could expose sensitive local data if used without care.
Persistence & Privilege
always:false (good). The tool creates persistent data under ~/.cxm (index, metadata, caches) and supports a background watcher/daemon to keep indices fresh; it can also apply patches to workspace files (subject to .cxm.yaml allowed_write_paths and modes like 'ask_first'). Autonomous agent invocation is permitted by default; combined with the above (reading other CLIs and file-patching), that increases the blast radius, so consider restricting runtime permissions or requiring human confirmation for write actions.
What to consider before installing
What to consider before installing/using this skill: - Review the code that reads system and third-party CLI state: docs/cli-reference and code reference reading Gemini/Claude session directories (e.g., ~/.gemini/tmp/partner/chats/, ~/.claude/projects/). If you use those CLIs, expect CXM to ingest their session data unless configured otherwise. - Audit file-patching code and .cxm.yaml before allowing write actions. The tool can modify files and claims to respect allowed_write_paths/modes, but verify patcher.py and any guard logic yourself and keep backups/strict git workflow in place. - Do not run pip install -r requirements.txt or the editable (-e) installs without inspection: requirements.txt contains -e git+ssh/git+https entries to personal repos and a very large dependency set (heavy ML and network libraries). Prefer running the CLI in an isolated environment (container or VM) and pin exact dependency sources if you must install. - Expect network activity: first-run model downloads from HuggingFace and optional GitHub cloning. If you need fully offline operation, verify local-model paths or block network access and confirm behavior. - If you plan to let agents call this skill autonomously, consider restricting agent privileges (prevent file writes or disallow background watcher) or require explicit human approval for any patch operations; autonomous invocation combined with cross-CLI reads raises privacy risk. If you want to proceed safely: run the tool inside an isolated container or throwaway VM, inspect/grep context_gatherer, patcher, and skill_exporter, and test read/write behaviors on a benign project first. If anything is unclear, ask the maintainer for explicit documentation on allowed_write_paths, what session locations are read, and which remote endpoints the install or runtime will contact.
src/core/audit.py:25
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.3
Download zip
agent-skillvk978vs866d7wwct5xy2b3gcsph835q3jai-partnervk978vs866d7wwct5xy2b3gcsph835q3jarchitectural-mappingvk978vs866d7wwct5xy2b3gcsph835q3jast-analysisvk978vs866d7wwct5xy2b3gcsph835q3jautonomous-codingvk978vs866d7wwct5xy2b3gcsph835q3jbertvk97bxhxd5bagb81dat0r4a8prn835jnmcode-searchvk978vs866d7wwct5xy2b3gcsph835q3jcontextvk97bxhxd5bagb81dat0r4a8prn835jnmcontext-memoryvk978vs866d7wwct5xy2b3gcsph835q3jcontext-optimizervk978vs866d7wwct5xy2b3gcsph835q3jdependency-graphvk978vs866d7wwct5xy2b3gcsph835q3jguardrailsvk978vs866d7wwct5xy2b3gcsph835q3jlatestvk972hxd82e2wdr8d8cwknrgmpn835q5fllm-memoryvk978vs866d7wwct5xy2b3gcsph835q3jmetadata-maskingvk978vs866d7wwct5xy2b3gcsph835q3jneural-memoryvk978vs866d7wwct5xy2b3gcsph835q3jorchestrationvk97bxhxd5bagb81dat0r4a8prn835jnmprompt-engineeringvk97bxhxd5bagb81dat0r4a8prn835jnmprompt-optimizationvk97bxhxd5bagb81dat0r4a8prn835jnmragvk978vs866d7wwct5xy2b3gcsph835q3jrefactoring-assistantvk978vs866d7wwct5xy2b3gcsph835q3jsecret-scannervk978vs866d7wwct5xy2b3gcsph835q3jsecure-codingvk978vs866d7wwct5xy2b3gcsph835q3jsemantic-searchvk978vs866d7wwct5xy2b3gcsph835q3jsource-code-analyzervk978vs866d7wwct5xy2b3gcsph835q3j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

CXM Neural Memory Skill

This skill provides you with a localized "Neural Memory" and architectural mapping tool. It allows you to find code semantically and map dependencies using bundled AST-parsing tools.

🔒 Security & Transparency (Disclosure)

To ensure safe and transparent operation, be aware of the following behaviors:

  • Local Indexing: This skill performs recursive file reads within the project to build a local vector index (FAISS) stored in ~/.cxm.
  • Resource Footprint: Initial indexing is CPU-intensive. Runtime RAM usage ranges from ~300MB (Mini-BERT) to ~1GB (MPNet).
  • Network Access: On the very first execution, this skill will download a pre-trained model (~80MB to ~400MB) from the HuggingFace Hub. No project data is ever uploaded.
  • File Modification: The tool can patch files. It strictly respects the allowed_write_paths and mode (e.g., ask_first) defined in the project's .cxm.yaml.

🛠️ Local Engine Usage

You are already bundled with the CXM source code. All commands must be executed via the local src/cli.py script.

Crucial Instruction: Always use the --agent-mode flag to receive strict, parseable JSON.

Core Capabilities & Usage

1. Semantic Search (Vibe Searching)

Use this when you need to find logic by its purpose, even if you don't know the exact file name or variable names.

Command:

python src/cli.py --agent-mode harvest --semantic "your natural language query"

Interpretation: The JSON output contains a results array with path, content, and start_line/end_line for precise targeting.

2. Dependency Graphing (Architectural Mapping)

Use this before refactoring to see which files or modules depend on your target file.

Command:

python src/cli.py --agent-mode map path/to/file.py

Interpretation: The JSON output includes an edges list and a hotspots array showing the most heavily used modules in the project.

3. Architecture Ingestion

Force CXM to index non-code files like README.md, docker-compose.yml, or package.json to understand the system's infrastructure.

Command:

python src/cli.py --agent-mode ingest .

Workflow for Complex Refactoring

  1. Locate: Use semantic search to find the relevant code sections.
  2. Map: Run map on the identified files to see the blast radius.
  3. Execute: Apply your changes knowing the full architectural context.

Files

48 total
Select a file
Select a file to preview.

Comments

Loading comments…