Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Spark Memory
v0.3.7Intelligence layer that compounds. Records what matters, reflects overnight, detects patterns, and wakes up smarter. 6-phase dream cycle, proactive morning i...
⭐ 1· 167·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description, required env vars (SPARK_API_KEY, SPARK_ORG_ID), and the scripts all point to a single external service (https://zellin.ai). The binaries requested (curl, python3) are necessary to make HTTP calls and construct JSON, and the declared config path (skills.entries.spark-memory) matches the install/writing behavior in scripts.
Instruction Scope
SKILL.md explicitly instructs the agent to run included scripts for signup, recording, recalling, and morning-insights; those scripts only call the Spark API and modify the OpenClaw skill config. This stays within the memory/integration scope, but the signup flow asks the user for an email and password and then POSTs those credentials to zellin.ai, stores API credentials into the local OpenClaw config, and attempts to restart the gateway — side effects that are functional for the feature but worth user consent and understanding.
Install Mechanism
No remote download/install or archive extraction is present; the skill is instruction- and script-based and relies on local shell scripts and existing tools (curl/python3). This is lower risk than fetching arbitrary code from an external URL.
Credentials
Only SPARK_API_KEY and SPARK_ORG_ID are required and declared (primaryEnv set to SPARK_API_KEY). These map directly to the external service used. No unrelated secrets or broad system credentials are requested.
Persistence & Privilege
always:false (not force-installed). The skill runs scripts that can write to your OpenClaw config (~/.openclaw/openclaw.json) and restart the gateway; that behavior is consistent with auto-configuration but elevates local side-effect risk (config modification + restart). The skill is allowed to be invoked autonomously by default (disable-model-invocation:false), which combined with network access means it could autonomously send recorded memories to the external service — appropriate for its purpose but something to be aware of.
Assessment
This skill appears to do what it says — it stores and retrieves 'memories' on zellin.ai and auto-configures your OpenClaw skill entry. Before installing or running the signup flow: 1) Prefer manual setup if you want full control: sign up at zellin.ai and set SPARK_API_KEY / SPARK_ORG_ID yourself rather than entering an account password into the script. 2) If you use the interactive signup, use a dedicated email/password (do not reuse high-value passwords). 3) Review zellin.ai's privacy policy and your organization's data policy — anything you record will be sent to their API. 4) Expect the script to modify ~/.openclaw/openclaw.json and attempt to restart the gateway; if you want to avoid automatic restarts, skip auto-config and add credentials manually. 5) If you are worried about autonomous writes of memories, consider disabling or limiting the skill's automatic invocation or review the skill's usage policy and retention/deletion procedures with zellin.ai. If you want higher assurance, verify the upstream repository (github link in package.json) and audit the remote service's security/privacy practices before enabling.Like a lobster shell, security has layers — review code before you run it.
latestvk973p8z0dmxt66rh184y94nykx83r3v6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🧠 Clawdis
Any bincurl, python3
EnvSPARK_API_KEY, SPARK_ORG_ID
Configskills.entries.spark-memory
Primary envSPARK_API_KEY