by 安全扫描
OpenClaw
可疑
medium confidenceThe instructions mostly match a memory-maintenance purpose, but they include potentially dangerous, persistent, or inconsistent guidance (destructive rm -rf wipes, scheduling a recurring wipe, and encouragement to store 'accounts/credentials locations') that should be reviewed before use.
评估建议
Before using/installing: 1) Treat the rm -rf instruction as destructive — back up your LanceDB and test the wipe/reseed on a non-production instance first. 2) Do NOT store secrets (API keys, tokens, passwords) in vector memory; the SKILL.md contradicts itself by suggesting to store 'credentials locations' — avoid storing any sensitive credentials or locations that could enable later exfiltration. 3) Review and limit the cron job: prefer manual or carefully permissioned automation; confirm the cr...详细分析 ▾
ℹ 用途与能力
Name and description match the instructions: commands reference Clawdbot-specific tools/paths (memory_store, memory_recall, ~/.clawdbot/memory/lancedb/, gateway actions). This is coherent for a memory maintenance skill. However the guidance to store 'accounts, credentials locations, contacts' is questionable and conflicts with the 'Never store: OAuth URLs or tokens' note — storing credential locations is not clearly necessary for a hygiene tool and increases risk.
⚠ 指令范围
SKILL.md instructs destructive actions (rm -rf ~/.clawdbot/memory/lancedb/) and restarting the gateway, reading/parsing local files (MEMORY.md), and adding a monthly cron job that will perform the wipe+reseed automatically. These are in-scope for maintenance but are high-impact operations (data loss risk) and the cron makes the behavior persistent. The file also advises storing potentially sensitive items (accounts/credential locations), which expands scope to sensitive data collection/storage.
✓ 安装机制
Instruction-only skill with no install spec and no code files — lowest installer risk. Nothing is downloaded or written by an installer step in the package itself.
⚠ 凭证需求
The skill declares no required credentials or env vars (good), but its content explicitly encourages storing 'accounts, credentials locations' in vector memory. Asking users to persist credential-related information in memory is disproportionate to a maintenance task and increases attack surface / leakage risk; the guidance is internally inconsistent with the 'Never store OAuth URLs or tokens' line.
⚠ 持久化与权限
While the skill itself is not always:true, the instructions recommend creating a recurring cron job that will automatically wipe and reseed memory monthly. That establishes persistent, scheduled destructive behavior on the host — a meaningful privilege/risk that should be intentionally authorized and tested before deployment.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/1/29
Version 1.0.0 – Initial Release - Introduces memory-hygiene for auditing, cleaning, and optimizing Clawdbot's vector memory (LanceDB). - Provides quick commands for memory audit, wipe, and reseed. - Details configuration for disabling auto-capture to prevent junk memories. - Lists guidelines on what types of information to store or avoid storing in memory. - Includes instructions for setting up monthly automated maintenance.
● 可疑
安装命令 点击复制
官方npx clawhub@latest install memory-hygiene
镜像加速npx clawhub@latest install memory-hygiene --registry https://www.longxiaskill.com
技能文档
Keep vector memory lean. Prevent token waste from junk memories.
Quick Commands
Audit: Check what's in memory
memory_recall query="" limit=50
Wipe: Clear all vector memory
rm -rf ~/.clawdbot/memory/lancedb/
clawdbot gateway restartReseed: After wipe, store key facts from MEMORY.md
memory_store text="" category="preference|fact|decision" importance=0.9
Config: Disable Auto-Capture
The main source of junk is autoCapture: true. Disable it:
{
"plugins": {
"entries": {
"memory-lancedb": {
"config": {
"autoCapture": false,
"autoRecall": true
}
}
}
}
}
Use gateway action=config.patch to apply.
What to Store (Intentionally)
✅ Store:
- User preferences (tools, workflows, communication style)
- Key decisions (project choices, architecture)
- Important facts (accounts, credentials locations, contacts)
- Lessons learned
❌ Never store:
- Heartbeat status ("HEARTBEAT_OK", "No new messages")
- Transient info (current time, temp states)
- Raw message logs (already in files)
- OAuth URLs or tokens
Monthly Maintenance Cron
Set up a monthly wipe + reseed:
cron action=add job={
"name": "memory-maintenance",
"schedule": "0 4 1 *",
"text": "Monthly memory maintenance: 1) Wipe ~/.clawdbot/memory/lancedb/ 2) Parse MEMORY.md 3) Store key facts to fresh LanceDB 4) Report completion"
}
Storage Guidelines
When using memory_store:
- Keep text concise (<100 words)
- Use appropriate category
- Set importance 0.7-1.0 for valuable info
- One concept per memory entry
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制