Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Llm Memory Publish

v8.0.2

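LLM Memory Integration - interface layer + automation hooks. After installation, it automatically pulls the private enhancement package from the CNB repository.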

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, required binaries (python3, git, sqlite3), required config paths and declared network endpoint all match the stated design: a public interface that auto-fetches a private 'privileged' package providing vector/GPU/native functionality. However, parts of the documentation claim the 'public package' (公开包) has 'no code execution', while the package includes lifecycle hooks that run subprocesses (git clone). The author should resolve this contradiction.
! Instruction Scope
SKILL.md and the hooks explicitly instruct the agent to run subprocess git clone against https://cnb.cool/llm-memory-integrat/llm.git and write into ~/.openclaw/workspace/skills/.../src/privileged. The hooks run automatically at postinstall (by default) and check the repo on gateway startup. The behavior is scoped to installing/maintaining the private package, but cloning and placing external code inside the agent's workspace expands runtime scope: the hooks will create files from an external source that could later be imported/executed. The instructions are explicit and offer a '--no-hooks' option, which mitigates but does not eliminate risk.
! Install Mechanism
No packaged install was provided; instead lifecycle hooks perform a git clone from a single external host (cnb.cool). The host is not a widely-known release host (e.g., GitHub/GitLab releases) and is fetched via subprocess at install time. While the clone itself is not an archive-extract, it results in arbitrary code being written to disk. The private repo may include native extensions or arbitrary scripts (the docs say it can), increasing risk.
Credentials
The skill requests no secrets or cloud credentials and only asks for read/write access to its own memory directory and write access to its own privileged directory as well as network access to the declared host — these are proportionate to the stated goal of fetching a private implementation. No unrelated environment variables or credentials are requested.
Persistence & Privilege
always:false (good). The skill installs lifecycle hooks that run automatically on postinstall and execute on gateway startup (onStartup). Hooks do not modify other skills or system config, but they do write into the skill workspace and can persist the cloned private code across runs. Automatic hooks increase blast radius if the remote repo is malicious or compromised.
Scan Findings in Context
[SUBPROCESS_RUN] expected: postinstall.py and onStartup.py call subprocess.run to execute git commands. This is expected for a hook that clones a repo, but it is a runtime code-execution surface to review.
[NETWORK_CLONE_CNB] expected: The skill requires network access to https://cnb.cool/llm-memory-integrat/llm and performs a git clone from that host. Network access is necessary to fetch the private package, but the host is not an established, widely-known release host, increasing trust risk.
What to consider before installing
This skill will automatically clone code from an external domain (cnb.cool) into ~/.openclaw/workspace/skills/llm-memory-integration/src/privileged when installed (postinstall hook) and will check that clone on gateway startup. If you consider installing:

- Only install if you trust the cnb.cool host and the package owner. The clone places third-party code inside your agent workspace and that code may include native extensions or arbitrary scripts.
- If you are unsure, install with hooks disabled (clawhub install llm-memory-integration --no-hooks) and manually inspect the remote repository before placing it in src/privileged.
- Prefer to run the skill in an isolated environment (container/VM) so any native extensions or system-level optimizations cannot affect your host.
- Review the contents of the cloned repository before importing or executing it. Look specifically for native extension builds, scripts run at import time, or code that accesses system-level interfaces or credentials.
- If you need higher assurance, ask the author for a signed release (or a release hosted on a well-known vendor site) or request that the private functionality be delivered via an audited package/OCI image rather than a direct git clone from an unknown host.

I rate this suspicious rather than malicious because the behavior is coherent with the stated purpose, but automatic fetching from an unvetted external host and contradictory claims about 'no code execution' are red flags that deserve manual review before installation.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

🧠 Clawdis
Bins: python3, sqlite3, git
Config: filesystem.read.~/.openclaw/memory-tdai, filesystem.write.~/.openclaw/memory-tdai, filesystem.write.~/.openclaw/workspace/skills/llm-memory-integration/src/privileged, network.https://cnb.cool
