Xiang miles | Space2.world
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears offline and purpose-coherent, but it is designed to silently and repeatedly ingest chat logs into persistent agent memory with limited user review or scoping controls.
Install only if you intentionally want Space2-OS to retain and reuse local chat logs as persistent memory. Prefer manual runs first, use a dedicated log directory, back up hippocampus_logs.json, avoid heartbeat scheduling until reviewed, and verify exactly what will be appended before allowing automatic memory updates.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private, mistaken, or malicious chat-log content could become long-lived agent memory and influence future behavior.
The skill intentionally persists chat-log content into a memory store that later automation will trust and use to change agent behavior, with no review, sanitization, exclusion, or expiry controls described.
tagged as `[AUTO-HOOKED CHAT]` and silently appended to the `hippocampus_logs.json` ... Nightly Daemon will later process these logs to evolve the agent's 5D personality matrix
Only ingest logs from an explicitly selected folder, review chunks before appending them, mark harvested content as untrusted, and provide clear retention and deletion controls.
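As an added example for this review (not the skill's code, and not its actual storage format), one shape the recommended controls can take: each harvested chunk is wrapped with provenance and an expiry before it goes near the store, staged records are returned for the user to review before anything is committed, and the commit prunes expired harvested records and replaces the store atomically. The record fields, the 30-day default TTL, the JSON-list store layout and all function names are assumptions made here; the page does not document how hippocampus_logs.json is actually structured.

```python
"""Harvest-to-memory with review, untrusted tagging, and expiry.

Added example for this review; not the skill's own code. Assumed (not from the
skill): the store is a JSON list of records, the record fields below, the
30-day default TTL, and all function names.
"""
import json
import os
import sys
import tempfile
import time
from typing import Iterable, List

DEFAULT_TTL_SECONDS = 30 * 24 * 3600  # assumed 30-day retention for harvested content


def make_record(chunk: str, source_file: str, now: float,
                ttl: int = DEFAULT_TTL_SECONDS) -> dict:
    """Wrap a harvested chunk with provenance so downstream automation can tell
    it apart from memory the user wrote deliberately."""
    return {
        "text": chunk,
        "source": source_file,
        "origin": "chat_log_harvest",
        "trust": "untrusted",       # consumers must not treat this as instructions
        "ingested_at": now,
        "expires_at": now + ttl,
    }


def load_store(path: str) -> List[dict]:
    """Read the store; a missing or malformed store is treated as empty."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as f:
        data = json.load(f)
    return data if isinstance(data, list) else []


def prune_expired(records: List[dict], now: float) -> List[dict]:
    """Drop harvested records past expiry. Records with no expires_at
    (e.g. user-authored memory) are kept."""
    return [r for r in records
            if r.get("expires_at") is None or r["expires_at"] > now]


def stage_chunks(chunks: Iterable[str], source_file: str, now: float) -> List[dict]:
    """Build the records that WOULD be appended, without touching the store,
    so the caller can show the user exactly what is about to land in memory."""
    return [make_record(c, source_file, now) for c in chunks if c.strip()]


def commit(store_path: str, staged: List[dict], now: float) -> List[dict]:
    """Prune expired records, append the reviewed batch, and replace the store
    atomically so readers never see a half-written file. Returns the new contents."""
    records = prune_expired(load_store(store_path), now) + staged
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(store_path) or ".", suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(records, f, ensure_ascii=False, indent=2)
    os.replace(tmp, store_path)
    return records


if __name__ == "__main__":
    # Constructed sample input; runs against a throwaway store, not a real one.
    chunks = ["User: can you remember my API key is abc123?", "Agent: noted.", ""]
    now = time.time()
    staged = stage_chunks(chunks, "chat_2024-01-01.txt", now)
    print("Pending memory writes (review before committing):")
    for r in staged:
        print(f"  [{r['trust']}] {r['source']}: {r['text']!r}")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hippocampus_logs.json")
        if "--apply" in sys.argv:           # nothing is written without explicit opt-in
            print(f"{len(commit(path, staged, now))} records in store")
        else:
            print("Dry run; pass --apply to write.")
```

Run without arguments to see the staged records; only `--apply` writes. The `trust: untrusted` and `origin` fields are what lets a later consumer (the nightly processing the skill describes) refuse to treat harvested text as instructions, and `expires_at` gives the retention control the finding asks for.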
Once scheduled, it may keep collecting new chats and changing persistent memory over time without the user noticing each update.
The documentation encourages ongoing periodic background execution and silent memory mutation rather than manual, per-run user control.
passive, background utility script ... silently crawling your agent's chat logs ... Bind this skill to your agent's 30-minute heartbeat
Do not bind it to a heartbeat unless that behavior is explicitly desired; require visible status, opt-in scheduling, and an easy stop/disable mechanism.
Unexpected local files placed in the log directory could be copied into persistent agent memory.
The code scans every file that has any extension in the target log directory (the `*.*` pattern), which is broader than the SKILL.md description of reading only .txt or .jsonl files.
log_files = glob.glob(os.path.join(TARGET_LOG_DIR, "*.*"))
Enforce a strict .txt/.jsonl allowlist, skip symlinks and non-log files, and confirm before ingesting unfamiliar files.
The agent may retain or react to a fabricated conversation that the user never actually had.
On first run, the hook creates a synthetic chat log if no log directory exists; because the same run then scans the log directory, that demo content can be injected into the persistent memory buffer when S2-OS data exists.
if not os.path.exists(TARGET_LOG_DIR): ... f.write("User: 帮我写个 Python 脚本\nAgent: 好的,正在执行。\nUser: 报错了!你这代码有 Bug,气死我了!\n")
(The synthetic log reads, in English: "User: Help me write a Python script / Agent: OK, running it now. / User: It errored! Your code has a bug, I'm furious!")
Remove automatic sample-log creation from normal operation, or put it behind an explicit test/demo mode and exclude generated samples from memory injection.
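As an added example serving both the `*.*` finding and this sample-log finding (illustrative code written for this review, not the skill's), a file-discovery routine that applies the .txt/.jsonl allowlist SKILL.md describes, skips symlinks and non-regular files, writes a sample only in an explicit demo mode, and excludes that sample from ingestion via a sidecar marker. The `demo` flag, the `DEMO_MARKER` name, the sample text and the function names are assumptions.

```python
"""Conservative log-file discovery for the chat-log hook.

Added example for this review; not the skill's own code. The .txt/.jsonl
allowlist is the behaviour SKILL.md describes; the demo flag, the sidecar
marker name, the sample text and the function names are assumptions.
"""
import glob
import os
import tempfile
from typing import List

ALLOWED_SUFFIXES = (".txt", ".jsonl")
DEMO_MARKER = ".demo-generated"  # assumed sidecar marker written next to demo samples


def permissive_discovery(log_dir: str) -> List[str]:
    """The pattern the reviewed hook uses: `*.*` matches any dotted name,
    including .env, .bak and .py files, directories and symlinks."""
    return sorted(glob.glob(os.path.join(log_dir, "*.*")))


def strict_discovery(log_dir: str) -> List[str]:
    """Regular files only, allowlisted suffixes only, no symlinks, and no
    files that carry a demo-generated marker."""
    selected = []
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if os.path.islink(path) or not os.path.isfile(path):
            continue                       # symlinks could point outside the log dir
        if not name.lower().endswith(ALLOWED_SUFFIXES):
            continue                       # enforce the .txt/.jsonl allowlist
        if os.path.exists(path + DEMO_MARKER):
            continue                       # never ingest content the hook itself wrote
        selected.append(path)
    return selected


def ensure_log_dir(log_dir: str, demo: bool = False) -> bool:
    """First-run setup. Creates the directory; writes a sample log ONLY in demo
    mode, and marks it so strict_discovery() will skip it. Returns whether a
    sample was written."""
    os.makedirs(log_dir, exist_ok=True)
    if not demo:
        return False
    sample = os.path.join(log_dir, "demo_chat.txt")
    with open(sample, "w", encoding="utf-8") as f:
        f.write("User: hello\nAgent: hi\n")     # constructed sample text
    open(sample + DEMO_MARKER, "w", encoding="utf-8").close()
    return True


if __name__ == "__main__":
    # Constructed directory contents, built in a temp dir so nothing real is touched.
    with tempfile.TemporaryDirectory() as d:
        for name, body in [("chat1.txt", "User: hi\n"), ("notes.jsonl", "{}\n"),
                           ("secrets.env", "TOKEN=x\n"), ("old.txt.bak", "x\n")]:
            with open(os.path.join(d, name), "w", encoding="utf-8") as f:
                f.write(body)
        try:
            os.symlink(os.path.join(d, "secrets.env"), os.path.join(d, "link.txt"))
        except OSError:
            pass  # symlinks may be unavailable on some platforms
        ensure_log_dir(d, demo=True)
        print("permissive:", [os.path.basename(p) for p in permissive_discovery(d)])
        print("strict:    ", [os.path.basename(p) for p in strict_discovery(d)])
```

Running it shows the permissive pattern picking up `secrets.env`, `old.txt.bak`, the symlink and the demo sample, while the strict routine returns only `chat1.txt` and `notes.jsonl`. The marker approach keeps the first-run sequencing problem from recurring: even if a sample is written and scanned in the same run, it is never selected for ingestion.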
