Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MemSync Dual Memory System

v1.2.6

Logs all OpenClaw conversations and events with role tags, saving to JSONL and Memvid for full context search and monthly sharded or single-file storage.

by anthony stachowitz @stackblock
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the implementation: the package contains a logger (tools/log.py), an installer script, and docs describing JSONL + Memvid outputs. Requiring the memvid CLI (npm) and file write/exec permissions aligns with the described functionality. The optional MEMVID_API_KEY for cloud mode is documented as optional.
Instruction Scope
Runtime instructions and install.sh explicitly state the skill will capture 'everything' (user messages, assistant responses, sub-agents, tool outputs, system events) and will run on each assistant response via OpenClaw hooks. The Python code logs the JSON message it receives and calls memvid; it does not independently read arbitrary files or environment variables, but it will record tool outputs and any data provided to the logger. The SKILL.md suggests /etc/environment for persistence (a privileged path) but the installer only writes to the user's .bashrc when asked. This scope is wide but documented; review tools/log.py to confirm what you want logged.
Install Mechanism
There is no formal install spec in registry metadata, but the bundle includes install.sh and instructions to git clone the repository and run npm install -g memvid. Installing memvid via npm is a normal dependency but is a moderate-risk step (third-party package install). No downloads from untrusted shorteners or personal IPs are present; install.sh copies files locally and optionally edits .bashrc.
Credentials
The skill requests no required environment variables or credentials in the registry metadata; MEMVID_API_KEY is optional for cloud mode. The environment access it does use (JSONL_LOG_PATH, MEMVID_PATH, MEMVID_BIN, MEMVID_MODE) is proportional to a logging/memory skill. However, because the skill deliberately logs 'everything', any secrets present in conversations or tool outputs may be captured; that privacy risk is intrinsic to the feature and is repeatedly documented in the SKILL.md.
Persistence & Privilege
always:false and default autonomous invocation are appropriate for a logger that hooks into message_out. The installer optionally writes env vars to the user's .bashrc but does not automatically require system-wide changes. The skill does not attempt to modify other skills or system-wide configurations beyond what it documents.
Assessment
This skill is internally consistent with its stated purpose (a comprehensive conversation logger), but it intentionally captures a lot of sensitive data. Before installing:
1) Review tools/log.py and install.sh line-by-line so you understand exactly what is logged and where files are created.
2) Prefer local/sharding modes if you do not trust memvid.com; only set MEMVID_API_KEY if you accept remote storage.
3) Secure log files (chmod 600) and consider storing them on an encrypted filesystem.
4) Avoid adding unknown environment changes to system-wide files (/etc/environment) unless you know the consequences; the installer only offers to edit your user .bashrc.
5) Audit the memvid CLI package (npm) and the memvid service privacy policy if you plan to use API mode.
6) If you have high-security data or run tools that may output secrets, do not enable this skill or filter sensitive outputs before they reach the logger.
If you want a safer test, run the logger in a sandboxed account with no credentials and verify behavior with the included tests.

Like a lobster shell, security has layers — review code before you run it.
