ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Memory Kit

v0.2.1

Scaffold, sanitize, or share an OpenClaw multi-agent memory system with a reusable workspace, memory-lancedb-pro configuration, role prompts, task-board conv...

0· 117·0 current·0 all-time
bysune@sora-mury

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for sora-mury/openclaw-memory-kit.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "OpenClaw Memory Kit" (sora-mury/openclaw-memory-kit) from ClawHub.
Skill page: https://clawhub.ai/sora-mury/openclaw-memory-kit
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install openclaw-memory-kit

ClawHub CLI

Package manager switcher

npx clawhub@latest install openclaw-memory-kit
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (scaffold/sanitize/share an OpenClaw memory workspace) matches the included documentation and role prompts. However, it promises a generator script (scripts/bootstrap-openclaw-memory.ps1) and runtime behavior (write state-local npm packages) while the package contains only docs and no bootstrap script or installer code — an inconsistency between claimed capability and delivered artifacts.
!
Instruction Scope
SKILL.md tells the agent (or user) to run a PowerShell bootstrap script, create and overwrite files under a target root, and optionally install npm plugins. Those actions modify local filesystem state and fetch packages over the network. The core problem: the instructions reference a script file that is not present in the skill bundle, leaving ambiguity about where the executable logic lives and increasing the risk the user will execute an unvetted script obtained elsewhere.
Install Mechanism
There is no install spec (instruction-only), which is low-risk in principle. But the instructions expect npm package installs and a bootstrap script to run; because neither the script nor an install mechanism is included, the skill depends on the environment or external downloads the skill does not provide or document explicitly.
Credentials
The skill does not request environment variables, credentials, or config paths. The documentation explicitly warns not to copy secrets and to use placeholders, which aligns with the stated sanitization goal.
Persistence & Privilege
The skill is not force-included (always: false) and does not request elevated or persistent privileges. allow_implicit_invocation is enabled in agents/openai.yaml (normal for skills) but this is not by itself a red flag.
What to consider before installing
This package is documentation-heavy and claims to scaffold a sanitized OpenClaw memory workspace, but it does not include the referenced bootstrap PowerShell script or any installer. Before running anything that writes files or installs npm packages: 1) ask the publisher for the bootstrap script source or view its full contents so you can inspect it; 2) do not paste or copy your live .env or secrets — follow the sanitization checklist; 3) run any generator or npm installs in an isolated directory or container and back up your existing OpenClaw state; 4) verify npm package names and versions against the official registry (and prefer pinned versions you trust); and 5) if you want to let the agent run commands, require explicit confirmation for each filesystem or network action. If the maintainer cannot provide the actual bootstrap script or an explicit install manifest, treat this skill as incomplete and avoid running ad-hoc scripts fetched from unverified sources.

Like a lobster shell, security has layers — review code before you run it.

latestvk9745b6scahpmwne1wnrbs77as83h9kz
117downloads
0stars
2versions
Updated 1mo ago
v0.2.1
MIT-0
sune@sora-mury
latest
Download

OpenClaw Memory Kit

Quick Start

  • Use scripts/bootstrap-openclaw-memory.ps1 to generate the sharable workspace, config, env template, and launcher scripts.
  • Read references/architecture.md when you need the conceptual model behind the memory system.
  • Read references/generated-files.md when you need to explain or customize the generated output.
  • Read references/sanitization.md when the user wants to verify which private details must never be copied.

Workflow

  1. Default to an isolated target root such as ~/.openclaw-memory-kit unless the user asks to merge into an existing OpenClaw state directory.
  2. Keep the base kit memory-focused. Treat Feishu, Telegram, WeChat, and Memos as optional follow-up integrations instead of required setup.
  3. For the current tested OpenClaw build, install memory-lancedb-pro together with a matching local openclaw package inside the generated state directory. This keeps openclaw/plugin-sdk resolvable for the memory plugin on newer releases.
  4. Never copy the source user's raw .env, live app IDs, channel bindings, private LAN addresses, personal scope names, or filesystem usernames. Use placeholders only.
  5. Run the bootstrap script. Use -Force only when the user explicitly wants to overwrite an existing kit.
  6. If the user wants a human-facing handoff, point them to the package-level OPENCLAW-MEMORY-KIT.md.

Script

Run the generator from PowerShell:

& "$PSScriptRoot\scripts\bootstrap-openclaw-memory.ps1" `
  -TargetRoot "$HOME\.openclaw-memory-kit" `
  -PrimaryModel "minimax/M2.5" `
  -GatewayPort 18789

Add -Force to overwrite generated files. Add -SkipCorePluginInstall if the user only wants files and will install plugins later.

Output Expectations

The bootstrap script should generate:

  • openclaw.json
  • .env.example and a placeholder .env if one does not already exist
  • package.json and package-lock.json when core memory dependencies are installed
  • start-gateway.ps1 and start-gateway.cmd
  • workspace/agents/<role>/ prompt files
  • workspace/shared/ collaboration, memory, and task system documents
  • plugins.load.paths, plugins.slots.memory, and plugins.entries.memory-lancedb-pro.config in openclaw.json
  • memory mirror and task board directories

Customization Points

  • Change the role lineup in the New-RoleCatalog function.
  • Change provider/model defaults in the New-OpenClawConfig function.
  • Keep optional channel plugins outside the base scaffold unless the user explicitly asks to prewire them.
  • For current OpenClaw builds, treat Feishu as bundled-or-optional depending on the target install. Only add a manual Feishu plugin command when the target build is missing Feishu.
  • The current tested memory install path is state-local npm dependencies, not openclaw plugins install memory-lancedb-pro, because the plugin still expects local openclaw/plugin-sdk resolution.

Comments

Loading comments...