Skill v2.0.1
ClawScan security
memory-indexer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Mar 15, 2026, 5:46 PM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's functionality roughly matches its description, but the package includes user session backups with apparent session keys and the installer auto-modifies OpenClaw configuration/hooks to make the skill run automatically — this is intrusive and worth manual review before install.
- Guidance: Before installing:
  1. Inspect install.sh and update.sh — they will copy hooks and modify AGENTS.md/MEMORY.md/HEARTBEAT.md to make the skill run automatically; if you don't want that, do not run install.sh and perform a manual installation instead.
  2. The repository includes backup files (index.json and many session .md files) containing session metadata and 'Session Key' strings — treat these as sensitive; remove or review them before placing the skill in your workspace.
  3. Review embedding.py if you plan to enable semantic search: it can use local models or external providers (which may require API keys and network access).
  4. If you decide to proceed, install it in a sandbox or non-production environment first, and avoid running the automated auto-config steps; prefer a manual symlink and run commands selectively.
  5. If you need help auditing specific scripts (install.sh, session_backup.py, embedding.py), consider sharing them for a targeted review.
Review Dimensions
- Purpose & Capability
  - Concern: The code and instructions match a memory-indexer (python, jieba, embedding support). However, the repository contains multiple backup files (index.json, sync-state.json, many session .md files) that include session metadata and 'Session Key' strings — shipping real session backups inside the skill is unexpected and exposes sensitive data unrelated to packaging the tool itself. The install scripts also auto-configure AGENTS.md/MEMORY.md/HEARTBEAT.md to prioritize this skill, which is functionally coherent but intrusive.
- Instruction Scope
  - Concern: SKILL.md and README instruct running install.sh, which will install dependencies, create symlinks into ~/.openclaw, copy hooks to ~/.openclaw/hooks/, and modify OpenClaw config to make the skill run early/on heartbeat. Those steps go beyond local CLI tooling: they change system/agent configuration and enable automatic behaviors. The included backup files in the repo mean installing will place pre-populated data (potentially sensitive) on disk.
- Install Mechanism
  - Note: No registry install spec was published, but SKILL.md metadata suggests pip-installing jieba, and the repo provides install.sh/update.sh. The recommended install clones the GitHub repo and runs install.sh — a normal pattern. However, the repo contains large backup files that will be written into the skills directory when installed, increasing privacy risk. No shorteners or unknown download hosts were observed.
- Credentials
  - Note: The declared requirements are minimal (python3, jieba) and requires.env lists none. The README and code support optional embedding providers (HuggingFace, Ollama, MiniMax) and env vars (EMBEDDING_PROVIDER, HF_MODEL_NAME), but these are optional. The main concern is not requested credentials but the presence of stored session keys and conversation backups included in the repository, which are sensitive data that do not need to be bundled with a generic installer.
- Persistence & Privilege
  - Concern: The skill is not marked always:true, but install.sh and README explicitly modify OpenClaw configuration (AGENTS.md, MEMORY.md, HEARTBEAT.md) and install hooks that cause automatic behavior (prioritizing this indexer, heartbeat tasks). That gives the skill persistent and autonomous effects across agent runs. This matches the stated goal (automatic search/backup) but is a higher-privilege/intrusive integration and should be opt-in and reviewed before enabling.
