Lightweight Knowledge Base

Pass

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a local knowledge-base and task-memory skill with no evidence of exfiltration or destructive behavior, but it does persist user/profile data and includes guidance for recurring automated updates.

Install only if you want a local persistent knowledge-base/profile system. Review or reset the prefilled user profile, keep API keys and secrets out of memory files, and disable the automated daily task entry if you do not want recurring updates.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Personal preferences, task history, and knowledge notes may persist and shape future replies.

Why it was flagged

The skill is explicitly designed to create and reuse persistent profile, task, and knowledge state that can affect future agent behavior.

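Skill content

- **User profile** - structured record of user preferences and trait weights
- **Task rhythm** - automated management of daily/weekly tasks
- **Knowledge index** - JSON index for managing MD files
- **Daily evolution** - automatic knowledge-base optimization in the early morning

Recommendation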

Review and reset the profile/task files before use if they do not match you, and avoid storing private or sensitive information unless you intend the agent to reuse it.

What this means

If API keys or secrets are placed in indexed memory files, future agent actions or outputs could accidentally expose or reuse them.

Why it was flagged

The knowledge index references a memory file for tool configuration and API keys. The provided code does not read or transmit that file, but storing secrets in agent-accessible memory is sensitive.

Skill content

"tools.md": {
  "description": "工具配置与 API 密钥",
  "tags": ["tools", "apis", "config"]

Recommendation

Do not store raw API keys in the knowledge base; keep secrets in approved credential storage and reference them only indirectly.

What this means

If an agent or scheduler honors this task record, the knowledge base could be updated on a recurring basis without a prompt each time.

Why it was flagged

The artifacts declare an enabled recurring daily evolution task. The included scripts do not install a cron job, so this is documented scheduling intent rather than hidden persistence.

Skill content

"automated": [
  {
    "id": 92,
    "name": "凌晨优化任务",
    "cron": "0 1 * * *",
    "action": "daily_evolve",
    "description": "每日凌晨1:00自动优化知识图谱",
    "enabled": true
  }
]

Recommendation

Disable or edit the automated task entry if you do not want recurring memory updates, and require confirmation before scheduled actions.

What this means

If the template is copied and task_rhythm.json is tampered with, it could potentially execute unintended shell code.

Why it was flagged

A documented shell template sources generated shell content from JSON. This is not used by the included scripts and is not automatically executed, but it would be unsafe if copied with mutable or untrusted JSON data.

Skill content

source <(jq -r '.weekly[] | "task_\(.id)=\(.)"' data/task_rhythm.json)

Recommendation

Avoid using source on generated data; parse JSON safely with jq and assign only validated values.

What this means

You have less external context for who maintains the skill or where to verify updates.

Why it was flagged

The registry metadata provides limited provenance. However, the reviewed files are included and there is no remote installer or hidden dependency in the artifacts.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included files before installing and prefer trusted sources for future updates.