Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Memory Index Manager

v2.1.0

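Memory index system. Used to manage long-term project memory, automatically maintain the index, and quickly locate past projects. Reads are triggered only when the user explicitly says "回忆一下" (Chinese for "recall"), "remember", or "recall"; writes stay consistent with OpenClaw's native mechanism, and index maintenance runs automatically in the background.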

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The name/description (memory index manager) aligns with the SKILL.md operations (read INDEX.md, update memory files, consolidate). However, the instructions expect creating and managing persistent artifacts in the user's home (e.g., ~/.openclaw/scripts/daily-flush.sh and ~/Library/LaunchAgents/com.openclaw.daily-flush.plist) and running scheduled tasks. The registry metadata lists no required config paths or install actions — that mismatch is unexpected for a skill that describes installing a daily flush mechanism.
! Instruction Scope
SKILL.md tells the agent to read and write files under memory/, append markers to daily files, create consolidation files under consolidated/, and create/maintain a daily-flush script and a launchd entry. These are file-IO and scheduling actions in the user's home; the instructions also reference autonomous background triggers (heartbeat/end-of-conversation). The scope is specific to OpenClaw memory files (coherent) but also includes persistent scheduling and file creation without clarifying consent or install steps.
Install Mechanism
No install spec is present (lowest-risk on its face). But SKILL.md implies that persistent scripts and a LaunchAgents plist will be created/used. Without an install spec, it's unclear how those artifacts are provisioned (agent writes them at runtime, or user/packager must install them). This absence is an inconsistency that should be clarified.
Credentials
The skill requests no environment variables, credentials, or config paths in metadata. The SKILL.md only works with local OpenClaw memory files and its own index/consolidation files — no secret or unrelated service access is requested.
! Persistence & Privilege
always is false (good). However, the skill describes background/periodic behavior (daily cron/launchd, heartbeat-triggered maintenance). Because there's no declared install/setup flow, it's unclear whether the skill will (or could) create persistent scheduled jobs or scripts autonomously. Combined with the platform's normal autonomous-invocation ability, that could result in background writes or scheduled runs without clear installation consent.
What to consider before installing
This skill appears to do what it says (manage and index OpenClaw memory files), but there are important inconsistencies you should resolve before installing:
1) Ask the author how the daily-flush script and launchd/cron job are installed — will the skill create files in your home directory automatically or do you need to approve them?
2) Confirm what exact file paths will be written/modified (memory/, consolidated/, ~/.openclaw/scripts/, ~/Library/LaunchAgents/) and ask for an explicit install procedure or manifest.
3) There's a metadata/version mismatch in the included _meta.json; request a corrected package metadata.
4) If you do not want background scheduled tasks or unattended writes, do not enable automatic proposals/autoPropose and require manual approval for consolidations.
5) Because the skill can modify files in your home, prefer to review the exact script and plist contents before allowing them to be written or launched.
If the author cannot clearly explain and provide an explicit install/permission flow, treat the skill as risky and avoid installing it.

Like a lobster shell, security has layers — review code before you run it.
