ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Synapse Layer

v1.0.0

Provides persistent, encrypted AI agent memory with a 4-layer security pipeline for storing, retrieving, sharing, and analyzing agent memories.

0· 51·0 current·0 all-time
byRafa Martins@rafacpti23

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for rafacpti23/synapse-layer.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Synapse Layer" (rafacpti23/synapse-layer) from ClawHub.
Skill page: https://clawhub.ai/rafacpti23/synapse-layer
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install synapse-layer

ClawHub CLI

Package manager switcher

npx clawhub@latest install synapse-layer
Security Scan
Capability signals
CryptoCan make purchasesRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose (persistent encrypted memory, cross-agent search, Trust Quotient) aligns with the provided client and MCP endpoints (forge.synapselayer.org). However the registry metadata declares no required credentials while the code and docs clearly expect an API key; this mismatch is unexplained.
!
Instruction Scope
SKILL.md and scripts instruct the agent to send arbitrary memory content to https://forge.synapselayer.org/mcp and to place an API key in gateway config. The test script requires SYNAPSE_API_KEY and even prints a prefix of it to stdout — exposing sensitive credentials to logs. The documentation also asserts 'zero-knowledge' and client-side encryption, but the included SynapseClient code sends plaintext content in POST bodies with no local encryption, PBKDF2, or AES operations; that is a direct contradiction.
Install Mechanism
There is no install spec in the registry (instruction-only), but SKILL.md suggests 'pip install synapse-layer' while the package is not provided in the skill bundle. The included Python scripts are plain and import httpx; nothing is downloaded from untrusted URLs. Lack of an install spec is low risk, but the mismatch between advising a pip package and shipping local scripts is inconsistent and should be clarified.
!
Credentials
Registry metadata lists no required environment variables or primary credential, yet scripts and docs require an API key (examples use 'sk_connect_...' and synapse_test.py reads SYNAPSE_API_KEY). The skill would thus need a secret but fails to declare it. Additionally, the skill recommends adding Authorization headers to gateway config (storing an API key in system config) and the test script prints part of the API key to stdout — both are sensitive practices that increase credential exposure.
Persistence & Privilege
The skill does not request elevated platform privileges. always is false and it does not modify other skills' configs. There is no indication it persists beyond its own files or self-configures the agent platform.
What to consider before installing
Key issues to consider before installing: - Credentials mismatch: the package requires an API key (examples and test script), but the registry declares none. Do not provide an API key until the skill's expected secret name and storage method are confirmed. - False security claims: the docs promise client-side encryption and AES/PBKDF2 processing, but the included SynapseClient sends plaintext JSON to the remote endpoint with only an Authorization header. Ask the publisher to show where client-side encryption is performed (code, libs, or steps). If client-side encryption is not performed, the 'zero-knowledge' claim is inaccurate and you should not send sensitive PII or secrets to this service. - Secret handling: the test script prints part of the API key to stdout and the docs recommend putting the API key in gateway config. That can leak keys into logs/backups. If you must test, use a non-production key, rotate it after testing, and avoid running tests on production systems. - Audit network endpoint: the client talks to https://forge.synapselayer.org/mcp. Verify ownership/trustworthiness of that host before sending production data. Prefer deploying the code in an isolated environment first and monitor outgoing requests. - Clarify the pip package: SKILL.md suggests 'pip install synapse-layer' but the skill bundle provides scripts only. Confirm whether there is an official package and whether the shipped code matches it. Recommended next steps: ask the publisher for (1) proof/source of client-side encryption (or a build that performs it), (2) the exact environment variable/credential names the skill requires, (3) retention/processing policy for data sent to forge.synapselayer.org, and (4) updated code that avoids printing secrets. Until these are provided, treat the skill as untrusted for sensitive data and prefer local or audited alternatives.

Like a lobster shell, security has layers — review code before you run it.

aivk974rnd4xfh51cmyrc7e3qyw81851sv9encryptionvk974rnd4xfh51cmyrc7e3qyw81851sv9latestvk974rnd4xfh51cmyrc7e3qyw81851sv9memoryvk974rnd4xfh51cmyrc7e3qyw81851sv9persistentvk974rnd4xfh51cmyrc7e3qyw81851sv9pythonvk974rnd4xfh51cmyrc7e3qyw81851sv9securityvk974rnd4xfh51cmyrc7e3qyw81851sv9
51downloads
0stars
1versions
Updated 1w ago
v1.0.0
MIT-0
Rafa Martins@rafacpti23
aiencryptionlatestmemorypersistentpythonsecurity
Download

Synapse Layer Skill

Synapse Layer provides persistent, encrypted memory for AI agents with a 4-layer security pipeline.

Quick Setup

Python SDK (Recommended for OpenClaw)

Install and use:

pip install synapse-layer

from synapse_test import SynapseClient

client = SynapseClient(api_key="sk_connect_...")

# Save memory
result = client.remember("User prefers dark mode", agent="mel")

# Retrieve memories
memories = client.recall("user preferences", agent="mel")

See scripts/synapse_client.py for a complete client implementation.

MCP Integration (External Tools)

Add to OpenClaw gateway config for external MCP clients:

{
  "mcp": {
    "servers": {
      "synapse-layer": {
        "url": "https://forge.synapselayer.org/mcp",
        "headers": {
          "Authorization": "Bearer sk_connect_YOUR_API_KEY"
        }
      }
    }
  }
}

Note: This is for external MCP clients (Claude Desktop, Cursor) to connect to SynapseLayer, not for OpenClaw agents to use directly.

Available Tools

Once configured via Python SDK, these operations are available:

  • save_to_synapse - Store memory with full security pipeline
  • recall - Retrieve memories ranked by Trust Quotient™
  • search - Cross-agent memory search with full-text matching
  • process_text - Auto-detect decisions, milestones, and alerts
  • health_check - System health, version, and capability report

Cognitive Security Pipeline

Every memory passes through 4 non-bypassable layers:

  1. Semantic Privacy Guard™ - 15+ regex patterns detect PII, secrets, credentials
  2. Intelligent Intent Validation™ - Two-step categorization with self-healing
  3. AES-256-GCM Encryption - Authenticated encryption with PBKDF2 key derivation
  4. Differential Privacy - Calibrated Gaussian noise on embeddings

Key Concepts

Trust Quotient™ (TQ)

Score (0-1) ranking memory reliability. Higher TQ = more trusted memory.

Cross-Agent Memory

Memories can be shared across agents using the same agent_id or cross-agent search.

Storage Backends

  • Remote (Forge) - PostgreSQL via forge.synapselayer.org (recommended)
  • SQLite - Local .synapse/memories.db (requires local setup)

Usage Patterns

Basic Memory Operations

Use the Python SDK client:

from scripts.synapse_client import SynapseClient

client = SynapseClient(api_key="sk_connect_...")

# Save
client.remember("Important decision", agent="mel", importance=5)

# Recall
memories = client.recall("recent decisions", agent="mel", limit=5)

# Search
all_memories = client.search("project deadlines", limit=10)

Process Text Automatically

Extract events from free-form text:

events = client.process_text(
    "Decided to use PostgreSQL. Deadline is May 1st.",
    agent="hermes",
    project="website-redesign"
)

Security Considerations

Data Privacy

  • PII automatically redacted before storage
  • All data encrypted at rest (AES-256-GCM)
  • Differential privacy protects individual entries
  • Zero-knowledge architecture

Resilience Strategy

Recommended approach for production:

  1. Use SynapseLayer as primary memory store
  2. Keep OpenClaw's MEMORY.md/memory/ as backup
  3. Monitor service health via health_check
  4. Have fallback procedure if service unavailable

Troubleshooting

Connection Issues

  1. Run health_check to verify connectivity
  2. Verify API key is valid
  3. Check network access to forge.synapselayer.org

Memory Not Persisting

  1. Check API key permissions
  2. Verify security pipeline didn't reject content
  3. Review Trust Quotient in response

Low Trust Quotient

  1. Review security pipeline logs
  2. Increase confidence/importance scores
  3. Check if content was sanitized

Testing

Use the test script:

python3 /app/skills/synapse-layer/scripts/synapse_test.py

This script verifies:

  • Service connectivity (health_check)
  • Basic save operations
  • Memory retrieval
  • Cross-agent search

Reference Documentation

For more details, see:

Comments

Loading comments...