Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Memory Management

v1.0.0

Manage and standardize trading decision records, extract lessons, and support history retrieval and comparison within the PAI trading system.

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (manage trading-memory, extract lessons, support retrieval/comparison) match the instructions' goals. However, the SKILL.md refers to helper scripts (memory_evaluator.py, auto_memory_manager.py) and a concrete home-directory path (/Users/zst/clawd/...) that are not supplied. A legitimate skill would either include those scripts or use generic locations; the tight coupling to an author's local paths is inconsistent with a reusable skill.
Instruction Scope
The instructions tell the agent to read, archive, and modify files under memory/ and an absolute path (/Users/zst/clawd/...), and to run named Python scripts. Because the skill is instruction-only and provides no code, an agent following these instructions may attempt to access arbitrary local files or fail unpredictably. The instructions also schedule periodic actions (daily/weekly maintenance) and mark files for archiving — these are file-write operations that modify user data and should be explicit and supplied with safe defaults.
Install Mechanism
There is no install spec and no code files, so nothing will be downloaded or installed by the skill itself. That lowers install-time risk, but also means required scripts are missing.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportionate to the stated purpose. However, the SKILL.md references absolute user file paths which implicitly require filesystem access; that access is not declared or justified in metadata.
Persistence & Privilege
always is false and the skill is user-invocable only. It does not request permanent presence or system-wide config changes in its metadata. The instructions do describe periodic maintenance, but there is no mechanism in the package to register persistent services — the metadata does not request elevated persistence privileges.
What to consider before installing
This skill's purpose (trading-memory management) is plausible, but the SKILL.md expects two Python scripts (memory_evaluator.py and auto_memory_manager.py) and references an absolute home path (/Users/zst/clawd/...). Before installing or enabling this skill:
1) ask the author to provide the missing scripts or a clear, portable install plan;
2) ensure the skill uses relative or configurable paths rather than hard-coded absolute paths to avoid accidental access to your home directory;
3) review exactly which files it will read/write and whether you trust it to archive/delete files;
4) run it in a sandbox or on a test dataset first; and
5) decline or mark as untrusted if the author cannot explain or remove the hard-coded paths and supply the referenced tooling.
Additional information that would change the assessment: included script files, an install spec that clearly installs vetted code, or removal of absolute user paths in favor of configurable locations.
