Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Moore Pyramid Memory System

v1.1.0

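Moore Pyramid Memory System — a 5-layer memory architecture that ensures continuity across sessions. It is loaded automatically at every startup, and this skill must be executed when a new session begins.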

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (a 5‑layer persistent memory system) aligns with instructions to load and update MEMORY.md, .todos.md and per‑day/month files. However the SKILL.md lists scripts (startup-read.js, weekly-archive.js, monthly-archive.js) and cron schedules even though no code files or install steps are included — claiming automatic execution without providing the scripts or an install mechanism is an incoherence.
Instruction Scope
Instructions require reading and writing persistent files under ~/.openclaw/workspace/ (MEMORY.md, memory/*.md, .todos.md) and mandate writing conversation summaries after every conversation. That is functionally within a 'memory' skill, but it directs persistent logging of conversation content (potentially sensitive) and instructs automatic script execution at startup. The skill does not document access controls, retention, or how the startup automation is implemented, giving broad discretion to the agent and raising privacy and scope‑creep concerns.
Install Mechanism
No install spec and no code files are provided. This lowers code supply risk, but is inconsistent with the SKILL.md which references scripts and cron jobs—either the skill expects the runtime to already contain these scripts or the SKILL.md is incomplete. That mismatch should be resolved before trusting automatic behaviors.
Credentials
The skill requests no environment variables, credentials, or external services, which is proportionate for a local memory system. One note: the SKILL.md references an absolute user path (~/.openclaw/workspace/scripts/) but does not declare or justify access to system config paths or other skills' data.
Persistence & Privilege
The description asserts the skill 'must be executed' on new sessions and that a startup script 'executes automatically', but the skill is not marked always:true and provides no mechanism to install or register itself to run at startup. This is an unresolved claim: if the skill attempts to create persistent startup hooks or cron jobs, that would be a privileged action that should be explicitly disclosed and consented to.
Scan Findings in Context
[no_code_files_found] unexpected: SKILL.md references multiple JavaScript scripts (startup-read.js, weekly-archive.js, monthly-archive.js) and cron schedules but the skill package contains no code files or install spec; this is unexpected and suggests the documentation is incomplete or the skill relies on external artifacts not provided.
What to consider before installing
This skill is plausible for keeping cross‑session notes, but it currently has gaps and privacy implications. Before installing or enabling it: (1) ask the publisher for the actual scripts and an explicit install/registration plan (how startup execution and cron jobs are created); (2) verify where files will be stored and who can read them (these files will contain conversation summaries and todos); (3) prefer a manual review step before any agent creates persistent startup hooks or cron jobs; (4) if you proceed, run it in a restricted workspace or sandbox, and review the content of any created scripts for unexpected network access or credential use. If the author cannot provide the missing scripts/install instructions, treat the SKILL.md as incomplete and avoid enabling automatic behaviors.
