Openclawdy

This skill appears to be a third‑party memory service (openclawdy.xyz) and is internally consistent with that purpose, but proceed cautiously: - Verify operator/trust: confirm who runs openclawdy.xyz and review their privacy/legal terms before sending any sensitive data. - Signing vs keys: the service requires signed headers. Confirm how your agent will produce signatures — ensure private keys remain local and the agent only sends signatures (not private keys). The registry should document the signer integration; ask the author if it does not. - Data exfiltration: the API supports full vault export and storage of arbitrary content. Do not grant this skill to agents that can access secrets, PII, or other sensitive files unless you accept that those may be stored off‑site. - Supply‑chain risk: the install instructions point to a remote SKILL.md URL; prefer installing from the registry snapshot or a vetted source rather than fetching a live remote file you don't control. - Least privilege: only enable/use this skill for agents that need long‑term memory and explicitly consent to third‑party storage. If possible, run a self‑hosted or audited alternative. If you want a higher assurance decision, ask the skill owner for: (1) documentation of the signing integration (how signatures are made/verified and whether any SDK/plugin is required), (2) operator identity and data processing agreement, and (3) a static, versioned SKILL.md hosted in the registry rather than only on an external URL.