Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Memory Integration

v0.1.0

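Syncs OpenClaw memory files to a co-occurrence graph and a semantic vector store, with support for incremental updates and a unified search interface that combines semantic and co-occurrence search.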

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes memory synchronization to a co-occurrence engine and a semantic vector store; the included Python implements parsing memory files, computing IDs, updating co-occurrence, and optional vector-store usage — broadly aligned with the stated purpose. However, naming mismatches (SKILL.md refers to MemoryIntegrationAdapter while the code provides MemoryIntegration) and inconsistent default paths (SKILL.md: ~/workspace/... vs code default /root/.openclaw/workspace) reduce confidence that the package is well-formed.
Instruction Scope
SKILL.md and example usage instruct importing MemoryIntegrationAdapter from integration.adapter.memory_integration_adapter, but the repository only contains scripts/memory_integration.py with a MemoryIntegration class. The runtime code appends a hard-coded absolute sys.path (/root/.openclaw/workspace/skills/memory-sync-enhanced/scripts) that references a different name ('memory-sync-enhanced'), and expects external adapter modules (integration.adapter.co_occurrence_adapter, integration.adapter.semantic_vector_adapter) that are not included. These inconsistencies mean an agent following SKILL.md may fail or load adapters from unexpected locations; the instructions also allow reading and writing workspace memory files and a sync config file (within the workspace) which is consistent with purpose but should be confirmed.
Install Mechanism
No install spec is provided (instruction-only with included script). That minimizes install-time risk but means runtime behavior depends on environment layout and presence of adapter plugins. Nothing in the package attempts to download or execute remote installers.
Credentials
SKILL.md declares environment variables (MEMORY_SYNC_CONFIG, SYNC_INTERVAL_HOURS, ENABLE_SEMANTIC_SYNC, ENABLE_COOCCURRENCE_SYNC) but the code only reads OPENCLAW_WORKSPACE (default /root/.openclaw/workspace) and does not reference MEMORY_SYNC_CONFIG or the other declared vars. This mismatch is suspicious: either the documentation is stale or the code relies on implicit workspace paths. The code writes/reads a sync config under workspace/integration/memory_sync_config.json — this is reasonable for a memory-sync tool but you should verify the effective path and that no unrelated files are accessed. No credentials are requested.
Persistence & Privilege
The skill is not always:true and is user-invocable (normal). It writes a sync state file inside the workspace and manipulates files under workspace/memory and MEMORY.md; it does not request system-wide privileges or modify other skills' configs in the supplied code. Autonomous invocation is allowed by default (not a separate concern), but weigh it together with the other red flags before enabling fully autonomous usage.
What to consider before installing
This package likely implements the claimed memory-sync feature, but several inconsistencies make it untrustworthy until verified. Before installing or enabling:

1) Request the full source or repository (homepage/source unknown).
2) Confirm presence and contents of the required adapter modules (integration.adapter.co_occurrence_adapter and integration.adapter.semantic_vector_adapter) and inspect them for network I/O or credential usage.
3) Verify which environment variable controls the workspace/config path in your runtime (the code uses OPENCLAW_WORKSPACE; SKILL.md documents different vars/defaults) and ensure the config path is confined to a safe workspace.
4) Test in an isolated environment (non-production agent) to observe file reads/writes and any outbound connections.
5) Ask the author to fix naming/path mismatches (MemoryIntegrationAdapter vs MemoryIntegration, memory-integration vs memory-sync-enhanced) or provide a reconciled release; if the author cannot explain these inconsistencies, treat the skill as suspicious and avoid enabling autonomous invocation.

If you can obtain and review the missing adapter modules and they look benign (no unexpected network endpoints or secrets exfiltration), the concerns would be largely resolved and this could be reclassified as benign.

Like a lobster shell, security has layers — review code before you run it.

latestvk974f8zry05awet09q5hy2e0as835hff
