Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mi-MemoryStack
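v1.0.2
Personalized memory framework that provides automatic storage and retrieval of user memories. CRITICAL: retrieval and saving must be performed in every conversation turn and cannot be skipped. Use when: (1) the conversation with the user needs historical context, (2) user preferences/identity need to be remembered, (3) multi-turn conversations need continuity.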
by yifanwang @yifan66www
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to be a local 'personal memory' framework, but memory_add.py and memory_search.py send/receive memory via an external API (API_URL/API_TOKEN constants). No required environment variables or credentials are declared in the registry. The code does not persist memories locally (daemon queues files then calls memory_add.py which POSTs to API); this contradicts the SKILL.md text that implies local file-based storage. Several referenced utilities (memory_list.py, memory_add_async.py) are mentioned in docs but not present in the package — another mismatch.
Instruction Scope
SKILL.md forces a mandatory per-turn workflow (search → generate → queue) and instructs the agent to run the included scripts every reply. The install script (xiugai/install.sh) modifies workspace files (SOUL.md, AGENTS.md) to make this workflow mandatory across the workspace — this is scope creep and affects other agent configs. The instructions assume access to inbound_meta fields and local paths; they also instruct writing queue files and invoking the daemon each turn, which increases the skill's reach beyond a single-skill scope.
Install Mechanism
There is no declared install spec, but the package includes shell install/start scripts (xiugai/install.sh, xiugai/start.sh) that will modify user workspace files (AGENTS.md, SOUL.md), back them up, and start a background daemon. Those scripts persist changes to the user's OpenClaw workspace and can alter agent behavior globally. The presence of an install script that auto-patches core workspace docs is high-risk and unexpected for an instruction-only skill.
Credentials
The code expects an external API endpoint and token (API_URL and API_TOKEN) but the registry declares no required environment variables or credentials. The constants in the scripts are empty strings — meaning someone must edit files to supply credentials, or the scripts will fail. The start script exports non-sensitive flags, but there is no clear, declared, secure mechanism for storing or providing the external API credentials; sending user queries/responses to an external endpoint without declared credentials or endpoint is disproportionate and a potential data-exfiltration vector.
Persistence & Privilege
The skill installs and runs a persistent background daemon (writes PID, log files under ~/.openclaw), and the install script patches global workspace files to enforce mandatory use. While always:false (not globally forced by registry), the included install.sh actively changes other skills' docs and inserts mandatory workflow text — this grants lasting influence across the workspace and can make the memory workflow mandatory for agents. That persistent, cross-cutting modification is a notable risk.
What to consider before installing
Do not run the install/start scripts or enable this skill until you verify a few things: (1) Where will memories be stored? The code currently POSTs memories to an external API (API_URL/API_TOKEN) — those are empty and not declared as required env vars; that suggests possible data exfiltration if someone fills them in or the author provides an endpoint. (2) The installer will modify your SOUL.md and AGENTS.md to force a per-turn memory workflow across your workspace — review backups and the exact patches before applying. (3) Several referenced scripts (memory_list.py, memory_add_async.py) are missing from the package; ask the author for the complete source and a clear architecture diagram. (4) If you need this functionality, request that the author: (a) document and declare required credentials/environment variables, (b) provide a configurable option for local-only storage (no external API) or make the external endpoint explicit and auditable, (c) remove or make optional the workspace-patching install behavior. If you must test, run in an isolated environment (VM/container) and inspect network calls (block external network) to confirm no unintended exfiltration. If you cannot get satisfactory answers, treat the skill as unsafe to install in a production or private environment.
Like a lobster shell, security has layers — review code before you run it.
latest vk974p34xe7h8461cksvd99mq1h8319gk
