Security Scan
OpenClaw
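Suspicious
High confidence
The skill does what it describes (scans local workspace Markdown files and serves a D3 visualization), but its recommended workflow (automatically starting a Cloudflare tunnel and instructing the agent to send the public URL back to the chat) creates a direct and possibly unintended data-exposure path for sensitive local memory files.
Assessment recommendations
This skill reads Markdown files in the OpenClaw workspace (MEMORY.md, memory/*.md, .issues/*, SOUL.md) and can start a Cloudflare tunnel that publishes a public URL serving those parsed files. Before running it, or allowing an agent to run the 'launch' workflow automatically:
1) Check the workspace files to make sure they contain no secrets or private data;
2) Prefer running node scripts/serve.js locally and opening http://localhost:3459 instead of using the tunnel;
3) If you must use the tunnel, run it manually and do not instruct the agent to send the URL back to the chat automatically;
4) Consider copying a sanitized subset of the memory files into a temporary test workspace to preview the behavior;
5) If you do not trust automatic sharing, do not grant the agent permission to invoke this skill autonomously.
✓ Purpose and capability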
Name, description, and code align: the skill parses MEMORY.md, memory/*.md, .issues/* and serves a D3 force-directed visualization. The parser heuristics, layers, and UI behavior are consistent with the stated purpose.
⚠ Instruction scope
SKILL.md and launch.js explicitly instruct the agent to start a Cloudflare tunnel and to return the tunnel URL to the chat. That workflow exposes all parsed local memory files to the public URL created by cloudflared. The instructions also default to scanning the OpenClaw workspace (and allow RMN_WORKSPACE override), which means potentially sensitive agent 'memory' and 'SOUL.md' are read and served. The behavior is consistent with the feature, but it is high-risk for sensitive data and the instructions give the agent authority to publish the URL to the conversation.
ℹ Install mechanism
There is no install spec (instruction-only plus two JS scripts), so nothing is written by an installer. The only external runtime dependency is cloudflared (the code checks for it and requires it for the tunneling path). Using cloudflared is reasonable for exposing a local server, but relying on a locally installed tunnel binary gives the skill the ability to expose files publicly if run.
ℹ Credential requirements
The skill declares no required env vars, but the code honors RMN_WORKSPACE, RMN_PORT, and OPENCLAW_WORKSPACE to locate files. Those overrides are reasonable for a file-scanning visualizer, but they also let the skill be pointed at arbitrary directories. No API keys or unrelated credentials are requested.
✓ Persistence and privileges
always is false, the skill does not modify other skills or system configuration, and it does not persist credentials. It spawns processes (node + cloudflared) but does not attempt to install background services or enable itself permanently.
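Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.1.2 2026/2/23
Fix: the install command uses `clawhub install rmn-visualizer` (no username prefix)
● Suspicious
Install command
Official: npx clawhub@latest install rmn-visualizer
Mirror (accelerated): npx clawhub@latest install rmn-visualizer --registry https://cn.clawhub-mirror.com
Skill documentation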
Overview
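RMN Visualizer scans your agent's memory files (MEMORY.md, memory/*.md, .issues/*), automatically parses them into a 5-layer recursive neural network, and visualizes it in real time as a D3.js force-directed graph. Zero external dependencies: pure Node.js built-in HTTP server plus embedded D3.js.
When to Activate
- The user says "可视化记忆" / "visualize memory" / "show memory network" / "记忆网络" ("memory network")
- The user says "看看我的大脑" ("take a look at my brain") / "memory map" / "brain map"
Quick Launch (recommended)
One command starts the local server plus a Cloudflare Tunnel and returns the public link to the chat window:
node /scripts/launch.js
stdout prints only a single line, the public URL (e.g. https://xxx.trycloudflare.com);
the agent should send this link directly to the user with a brief explanation.
Requires cloudflared to be installed. If it is not, the skill falls back to local mode.
Local Only
node /scripts/serve.js
Then open http://localhost:3459
What You See
- 5 layers of colored nodes: Identity (red) → Semantic (orange) → Episodic (yellow) → Working (green) → Sensory (blue)
- Node size = weight (the more important, the larger)
- Links = memory associations
- Hover to show details
- Live statistics panel: node count, link count, distribution across layers, average weight
- Decay animation: low-weight nodes gradually become transparent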
Configuration
By default, files under the OpenClaw workspace are scanned. This can be overridden with environment variables:
RMN_WORKSPACE=/path/to/workspace node scripts/launch.js
RMN_PORT=3459 node scripts/serve.js
Architecture
Memory Files (MEMORY.md, memory/*.md, .issues/*)
    ↓ [Parser — regex + heuristic layering]
5-Layer Neural Network (JSON)
    ↓ [D3.js Force Simulation]
Interactive Visualization (Browser)
Data source: ClawHub · Chinese localization: 龙虾技能库