Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Memory Hybrid Stack
v0.1.0
Use this skill to read/write the hybrid memory stack (Postgres facts, Redis realtime state, Qdrant vector recall) that lives under `infra/memory-stack`. Prov...
by @vegabai
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (hybrid memory stack for Postgres/Redis/Qdrant) aligns with the included helper scripts and reference docs. However, the package metadata declares no required environment variables, while the scripts expect and source an .env that contains DB/Redis/Qdrant credentials. There are also small mismatches between documented and coded default ports (docs mention Qdrant HTTP=6335, script defaults to 6333).
Instruction Scope
The runtime instructions and scripts source a workspace .env file (default path baked in via references/connection-map.md) and export DB credentials for use by psql/redis-cli/curl. qdrant_request.sh allows overriding QDRANT_URL, which could make HTTP requests to a remote host (not limited to localhost). The scripts accept file inputs (e.g., @/tmp/points.json) and will POST/PUT those payloads; nothing prevents pointing QDRANT_URL at an external endpoint, enabling potential credential or data exfiltration. The SKILL.md and connection-map also mention an absolute workspace path (/home/va/...), which could cause the agent to read user-specific files.
Install Mechanism
No install spec — instruction-only with small helper scripts. This has lower risk than remote installers since nothing is downloaded during installation; the primary risk is what the scripts do at runtime.
Credentials
Registry metadata claims no required env vars, yet scripts rely on POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB, REDIS_PASSWORD (optional), QDRANT_URL/PORT/HOST and an .env file under infra/memory-stack. That omission is a meaningful mismatch: the skill will read sensitive credentials from a workspace .env but the package does not declare or surface that requirement to the user.
Persistence & Privilege
`always` is false and the skill is user-invocable; it does not request permanent platform-level presence. Autonomous invocation is allowed (platform default) but is not itself a new risk here. The skill does not attempt to modify other skills or agent-wide configuration.
What to consider before installing
This skill contains small shell helpers that source a workspace .env and then run psql, redis-cli, and curl. Before installing or enabling it:
- Verify the .env file it will source (default infra/memory-stack/.env or the absolute path mentioned in connection-map) and ensure it does not contain secrets you don't want referenced by a skill. The scripts will export PGPASSWORD and may use REDIS_PASSWORD and QDRANT_URL.
- Ask the author/maintainer to update registry metadata to list required env vars (POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB, REDIS_PORT/POSTGRES_PORT/QDRANT settings) so the credential needs are explicit.
- If you run these scripts, keep QDRANT_URL unset or set it explicitly to a localhost URL; otherwise the scripts can make HTTP requests to arbitrary URLs and could send data off-host.
- Confirm the path assumptions (connection-map mentions /home/va/.openclaw/workspace/infra/memory-stack/.env) — change MEMORY_STACK_ENV or MEMORY_STACK_ROOT to a safe path before running to avoid accidental reads of user files.
- Prefer running the scripts in a sandboxed environment and inspect .env contents first. If you cannot validate the .env or the QDRANT_URL, treat this skill as risky and do not enable it for autonomous agent use.

Like a lobster shell, security has layers — review code before you run it.
latest vk97dmqe0g4pyxg5sps23dqtzqn835899
