ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

evrmem

v0.1.0

Local Chinese semantic memory search and storage using text2vec embeddings and ChromaDB, supporting RAG-based context augmentation for AI agents.

0· 38·0 current·0 all-time
byThatsD@zhzgao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (local Chinese semantic memory using text2vec + ChromaDB) matches the instructions: installing a Python package, initializing a local DB, configuring model and data directories, and performing searches/RAG.
!
Instruction Scope
Runtime instructions tell the agent to run pip install evrmem, run an evrmem init that downloads a ~400MB model, create ~/.evrmem config/data, and optionally set HF_ENDPOINT to a mirror. These steps are within the tool's purpose but permit arbitrary network downloads, writing to the user's home directory, and replacing system Python packages (e.g., forcing a numpy reinstall).
!
Install Mechanism
There is no formal install spec in the registry; SKILL.md instructs pip installing a third-party package and downloading a large model. Pip installs and model downloads are a moderate supply-chain risk. The suggested mirror domain (https://hf-mirror.com) is not a known official host and could be used to serve malicious or poisoned model binaries if used.
Credentials
The skill does not request secrets or credentials. SKILL.md documents environment variables for configuration (model name, device, data dir, HF_ENDPOINT, disable-network flag). These are reasonable for the function, but HF_ENDPOINT and EVREM_LOCAL_FILES_ONLY materially affect network behavior and trust boundaries.
Persistence & Privilege
always is false and autonomous invocation is allowed (normal). The skill will create and persist files under ~/.evrmem and download models to disk. This is expected for a local memory system but means the skill will store user data locally and consume significant disk/network resources.
What to consider before installing
This skill appears to do what it says (local Chinese vector memory), but before installing you should: 1) Inspect the 'evrmem' package source (or its PyPI project) before pip installing; 2) Install in an isolated virtualenv or container to avoid changing system packages (the instructions may force-reinstall numpy); 3) Prefer official HuggingFace endpoints; avoid using unknown HF mirrors unless you trust them—mirrors can serve malicious/poisoned models; 4) Be aware it will download ~400MB models and write data under ~/.evrmem (may contain sensitive text you store); 5) If you need higher assurance, ask the publisher for a homepage/source repo or request a signed release; without that the activity is coherent but carries supply-chain and environment-change risks.

Like a lobster shell, security has layers — review code before you run it.

latestvk972aph4bwhrecrxq7gtb6tr4183zhaa

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments