ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Xiaoshan Memory Publish

v3.3.0

XiaoShan Memory Engine - Persistent AI memory with semantic search and knowledge graph. Triggers: remember/search memory/recall/forget/knowledge graph/memory...

0· 72·0 current·0 all-time
by@waychan8

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for waychan8/xiaoshan-memory.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Xiaoshan Memory Publish" (waychan8/xiaoshan-memory) from ClawHub.
Skill page: https://clawhub.ai/waychan8/xiaoshan-memory
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install xiaoshan-memory

ClawHub CLI

Package manager switcher

npx clawhub@latest install xiaoshan-memory
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The package claims to be a full 'memory engine', but the included files do not contain the core engine (api_server.py). scripts/start_server.py explicitly looks for an external 'xiaoshan-memory-engine' directory or workspace and prints an error if not found, implying an additional download/install step. package.json and _meta.json reference an IP address (http://152.136.24.34) as homepage/update URL — an unusual non-domain host for an upstream source. These elements are disproportionate to a simple skill bundle and suggest external downloads are expected.
Instruction Scope
SKILL.md tells users to set provider API keys (OPENAI_API_KEY, etc.) and to run npx clawhub@latest install xiaoshan-memory, but the skill metadata did not declare required env vars. The runtime scripts create/read ~/.xiaoshan and save a plaintext activation key to ~/.xiaoshan/activation.json. The instructions do not explicitly document fetching the engine from the IP in _meta.json, but start_server implies the engine must be installed elsewhere. The skill's runtime actions (writing activation file, creating ~/.xiaoshan) are consistent with a memory engine, but the missing engine and external download are concerning.
!
Install Mechanism
There is no formal install spec in the registry entry, but _meta.json contains an updateUrl pointing at an IP (http://152.136.24.34/xiaoshan-memory-protected.zip). Downloads from numeric IP addresses and non-official hosts are higher risk because they may deliver arbitrary code. The package homepage in package.json is the same IP. The bundle itself lacks the engine binary, implying an additional network fetch is required (and that fetch's host is an IP address rather than a reputable release host).
!
Credentials
The registry metadata declares no required env vars or primary credential, yet SKILL.md and SKILL-zh instruct users to configure provider API keys (OPENAI_API_KEY, ZHIPU_API_KEY, DEEPSEEK_API_KEY) in ~/.xiaoshan/config.yaml or environment. Scripts write/read ~/.xiaoshan/activation.json (plaintext license key). The skill requests sensitive credentials (API keys) in practice but didn't list them in requires.env — this mismatch is a red flag.
Persistence & Privilege
always is false and the skill does not request global/always-on privileges. It will create a directory under the user's home (~/.xiaoshan) and store a plaintext activation key and possibly a local DB (memory.db). That behavior is consistent with a local memory store but users should note data is stored unencrypted in the home directory unless otherwise configured.
Scan Findings in Context
[external-ip-homepage] unexpected: package.json.homepage is a numeric IP (http://152.136.24.34). Reputable projects usually reference domain names or official release hosts. This is unexpected and increases risk because it ties the skill to a non-obvious host.
[external-update-url-ip] unexpected: _meta.json.updateUrl points to http://152.136.24.34/xiaoshan-memory-protected.zip — an archive served from an IP address. A protected zip from an IP is high-risk for arbitrary code download and execution, and the bundle itself lacks the engine that this URL presumably supplies.
What to consider before installing
Do not install blindly. Specific things to check before proceeding: - Verify origin: the package references a numeric IP (152.136.24.34) for homepage/update. Prefer skills hosted on reputable domains or known release hosts (GitHub releases, official domains). - Confirm where the engine comes from: this bundle does not include the core api_server.py; start_server expects an external 'xiaoshan-memory-engine'. Ask the publisher how that engine will be installed and inspect any downloaded archive before running it. - Sensitive keys: the SKILL.md asks you to set provider API keys (OPENAI_API_KEY, ZHIPU_API_KEY, DEEPSEEK_API_KEY) but the skill metadata did not declare these. Only provide keys if you trust the code and after reviewing what the engine sends over the network. - Local files: the skill will create ~/.xiaoshan and store activation.json (plaintext license key) and may create memory.db. If you install, inspect these files and consider file permissions or encrypting sensitive data. - If you want to test safely: run inside a throwaway VM/container without network access, or review the downloaded zip contents before executing. Contact the skill author for a canonical release URL and source code repository; absence of a reputable homepage is a reasonable cause to decline installation. If you want, I can list the exact lines/files that reference the IP and where activation/license is stored so you can inspect them locally.
!
_meta.json:6
Install source points to URL shortener or raw IP.
!
package.json:8
Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a13fpz68gh8s7gzgbgwfrnh84yeqf
72downloads
0stars
6versions
Updated 1w ago
v3.3.0
MIT-0
@waychan8
latest
Download

XiaoShan Memory Engine ⛰️

Persistent memory for your AI — semantic vector search, knowledge graph, and analytics.

Install

npx clawhub@latest install xiaoshan-memory --force

Note: VirusTotal flags all memory-engine skills as "suspicious" due to keywords like "search" and "forget" in the description. This is a known false positive. The skill is safe — feel free to review the code before installing.

After installation, configure your AI provider:

# Option A: Set environment variable
export OPENAI_API_KEY=sk-your-key

# Option B: Edit config file
# ~/.xiaoshan/config.yaml

Core API

Server runs at 127.0.0.1:18790 by default.

EndpointMethodDescription
/savePOSTSave a new memory
/searchPOSTSearch memories semantically
/askPOSTAsk question over memories
/statsGETGet memory statistics
/listGETList recent memories
/kg/statsGETKnowledge graph stats
/forgetPOSTDelete a memory

Provider Support

OpenAI · Zhipu AI · DeepSeek · Ollama (local, no key needed)

Decision Guide

User saysAction
"Remember this / 记住"POST /save
"What did I say about X"POST /search
"How many memories"GET /stats
"Delete that memory / 删除记忆"POST /forget
"Knowledge graph / 知识图谱"GET /kg/stats

Comments

Loading comments...