ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SeekDB Memory

v0.2.1

Cloud-native persistent memory for OpenClaw agents. Auto-captures facts after conversations, auto-recalls relevant context before each reply. Hybrid search (...

0· 0·0 current·0 all-time
byRongfeng Fu@frf12
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md clearly describes a cloud-backed memory service that requires an API key and a baseUrl (api endpoint). However, the registry metadata declares no required environment variables, no primary credential, and no install artifacts. That omission is an inconsistency: the skill requires credentials/config to function but does not declare them in metadata.
!
Instruction Scope
Runtime instructions tell the agent (via the m0 plugin) to auto-capture conversation facts after each conversation and auto-recall relevant memories before replies, transmitting conversation-derived data to a user-specified baseUrl. The SKILL.md does not describe data handling, retention, or privacy controls. It also instructs editing ~/.openclaw/openclaw.json to store an apiKey and endpoint — i.e., persistent local credentials plus automatic external transmission of conversation content.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing new is written to disk by the skill itself. That lowers installation risk; the actual network behavior will depend on the separate m0 plugin, which is not included here.
!
Credentials
Although the SKILL.md requires an apiKey and baseUrl for the m0 plugin, the registry lists no required env vars or primary credential. The skill directs storing credentials in a config file instead of declaring them, which hides necessary secrets from the metadata. Requesting a cloud API key to store and transmit conversation data is proportionate to the described feature, but the omission in metadata and lack of guidance about scoping/revocation/privacy is problematic.
Persistence & Privilege
The skill and the m0 plugin are designed to run automatically (auto-recall and auto-capture). The skill itself is not 'always: true' and does not claim to alter other skills, which is normal. However, automatic capture/injection of conversation content increases privacy risk; combined with the missing credential declaration and absent vendor/source information, this raises a notable risk profile.
What to consider before installing
Before installing or enabling this memory skill: 1) Confirm the identity and trustworthiness of the m0 plugin provider and the baseUrl (who owns the endpoint and where is data stored?). 2) Don’t put highly sensitive data into conversations until you understand retention, access controls, and deletion procedures. 3) Use a scoped, revocable API key and prefer self-hosting the baseUrl if possible. 4) Consider disabling autoCapture/autoRecall in the config while you test with non-sensitive data, and prefer explicit memory_store calls for anything important. 5) Ask the publisher for a privacy policy, data retention/processing details, and whether conversation content is encrypted in transit and at rest. 6) Because the registry metadata omits required credentials, request corrected metadata or documentation before trusting the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk979rzvza857hmyfqdhrazyh8h84bh4f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧠 Clawdis

Comments